String manipulations with SQL

news.microsoft.com · May 3, 2005

What is the best way to avoid string manipulations with SQL?

I have edit box control where database is opened for attacks through SQL
commands.

Something like this:
selectString = "SELECT FIRSTNAME, LASTNAME FROM xxxTable WHERE
FIRSTNAME='"+txtTextBox1.Text"'";

Furthermore I would like to avoid of using some characters like ;:,. etc.

If you know for some example I appreciate it. Thanks in advance...

Michael C# · May 3, 2005

Use Parameterized Queries to avoid SQL Injection attacks.

PFD · May 3, 2005

Here's a great article to help avoid SQL attacks:

http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx

Good luck!
PFD

SQL Query in QA -vs- VS	3	Aug 15, 2008
Playing with SQL Generation	2	Mar 24, 2010
Recommendation on How to build a long string	9	Mar 25, 2007
Formatted object properties with ToString() method	9	Jun 9, 2008
xPath does not work when the XML Document has xmlns	2	Feb 22, 2007
SQL Parameterized Command versus Custom String	5	Aug 24, 2009
Help with LINQ relational query	1	Feb 11, 2009
Injecting code into linq	16	Feb 22, 2008

String manipulations with SQL

news.microsoft.com

Michael C#

PFD

Ask a Question

Similar Threads