26

I have some queries (to a MS Access database) like this:

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL='" + user + "' AND PASSWORD_AZIENDA='" + password + "'";

and I'd like to "escape" user and password, preventing an injection.

How can I do it with C# and .NET 3.5? I'm searching for something like mysql_escape_string in PHP.

9 Answers

47

You need to use parameters. Well, you don't have to, but it would be preferable.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User", user);
myparm[1] = new SqlParameter("@Pass", password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

// Attach the parameters to the command that executes the query (System.Data.SqlClient; connection is an open SqlConnection).
using (SqlCommand cmd = new SqlCommand(comando, connection))
{
    cmd.Parameters.AddRange(myparm);
    SqlDataReader reader = cmd.ExecuteReader();
}

8 Comments

Not necessarily need to use, but they're the best option there is for that and work reliably ;-). Every homegrown variant is bound to have some problems, probably.
@Jethro: but after, can I pass the real value to the query? I need to pass the myparam array to the SqlExecute query, isn't it?
@Markzzz, yes you will need to pass your sql parameters with your query so it can get executed. What do you mean about passing the real value to the query? You will pass the real value to the parameters which builds your query.
So the code above (without any code) should work? In fact it doesn't. The field user is escaped into myparm[0], right? The query doesn't know that param...
I mean: I don't need to add these parameters to the SQL Connection?
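The following is an added example; it is not code from the question or from any of the answers. Because the question targets an MS Access database, it uses System.Data.OleDb rather than System.Data.SqlClient. The OLE DB provider ignores parameter names and binds by position, so placeholders are written as ? and parameters must be added in the same order they appear in the SQL; this is the detail that usually trips people up when they copy a SqlClient example with @Name placeholders onto Access. Table and column names are taken from the question; the connection string, the file path, the class name AnagraficaLookup and the method UserExists are assumptions made for illustration. A value containing an apostrophe, such as o'brien@example.com, is passed through unchanged as data, which is exactly the "escaping" the question asks for.

```csharp
// Added example (not from the question or any answer): parameterized lookup
// against an MS Access database through System.Data.OleDb, .NET 3.5 compatible.
// Assumptions: table ANAGRAFICA with columns E_MAIL and PASSWORD_AZIENDA as in
// the question; connection string and path are placeholders to be replaced.
using System;
using System.Data;
using System.Data.OleDb;

static class AnagraficaLookup
{
    // Placeholder connection string; adjust the provider and path for your environment.
    const string ConnectionString =
        "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\path\\to\\anagrafica.mdb";

    // OLE DB does not support named parameters: every placeholder is '?', and the
    // parameters bind in the order they are added to the command, not by name.
    const string Query =
        "SELECT COUNT(*) FROM ANAGRAFICA WHERE E_MAIL = ? AND PASSWORD_AZIENDA = ?";

    // Returns true when a row matches the given e-mail and password. The two
    // strings are never concatenated into the SQL text, so an apostrophe or any
    // other character in them is plain data and cannot change the query.
    public static bool UserExists(string user, string password)
    {
        using (OleDbConnection connection = new OleDbConnection(ConnectionString))
        using (OleDbCommand command = new OleDbCommand(Query, connection))
        {
            // The names "email" and "pwd" are labels only; position is what binds.
            // First '?' -> E_MAIL, second '?' -> PASSWORD_AZIENDA.
            command.Parameters.Add("email", OleDbType.VarWChar, 255).Value = user;
            command.Parameters.Add("pwd", OleDbType.VarWChar, 255).Value = password;

            connection.Open();
            int count = Convert.ToInt32(command.ExecuteScalar());
            return count > 0;
        }
    }

    static void Main()
    {
        // Requires the database file named in ConnectionString to exist.
        // The apostrophe in the e-mail is handled without any escaping code.
        bool found = UserExists("o'brien@example.com", "constructed-sample-password");
        Console.WriteLine("Match found: {0}", found);
    }
}
```

If you later move from Access to SQL Server, the same structure works with SqlConnection/SqlCommand and named @placeholders, as the accepted answer shows. One further caveat about the original query itself: comparing PASSWORD_AZIENDA directly against what the user typed only works if the column holds passwords in clear text; parameters remove the injection, not that weakness.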
20

Don't escape the strings to start with - use a parameterized query. Benefits of this over escaping:

  • The code is easier to read
  • You don't have to rely on getting the escaping correct
  • It's possible that there are performance improvements (DB-specific etc)
  • It separates "code" (the SQL) from the data, which is just good sense logically
  • It means you don't need to worry about data formats for things like numbers and dates/times.

The docs for SqlCommand.Parameters give a good, complete example.


6

You should use SQL parameters to prevent SQL injection; look at the code:

//
// The name we are trying to match.
//
string dogName = "Fido";
//
// Use preset string for connection and open it.
//
string connectionString = ConsoleApplication716.Properties.Settings.Default.ConnectionString;
using (SqlConnection connection = new SqlConnection(connectionString))
{
    connection.Open();
    //
    // Description of SQL command:
    // 1. It selects all cells from rows matching the name.
    // 2. It uses LIKE operator because Name is a Text field.
    // 3. @Name must be added as a new SqlParameter.
    //
    using (SqlCommand command = new SqlCommand("SELECT * FROM Dogs1 WHERE Name LIKE @Name", connection))
    {
        //
        // Add new SqlParameter to the command.
        //
        command.Parameters.Add(new SqlParameter("@Name", dogName));
        //
        // Read in the SELECT results.
        //
        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                int weight = reader.GetInt32(0);
                string name = reader.GetString(1);
                string breed = reader.GetString(2);
                Console.WriteLine("Weight = {0}, Name = {1}, Breed = {2}", weight, name, breed);
            }
        }
    }
}


2

Yes, you can avoid injection by using Named Parameters


1

Use parameters instead of escaping strings:

var comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@user AND PASSWORD_AZIENDA=@password";

Then assign values to those parameters before you execute the SqlCommand.


1

You can check the link below to learn how to prevent SQL injection in ASP.NET. I would prefer:

  1. Using parameterized queries or stored procedures.
  2. Validating special characters like ' (very dangerous).

http://dotnet.dzone.com/news/aspnet-preventing-sql-injectio


0

If you can convert these to Named Parameters, I think you would be better served.

1 Comment

Good point, Named Parameters would be the corollary in C#/.NET.
0

@Jethro

You could also write it like this:

SqlParameter[] sqlParams = new SqlParameter[] {
    new SqlParameter("@Name", contact.name),
    new SqlParameter("@Number", contact.number),
    new SqlParameter("@PhotoPath", contact.photoPath),
    new SqlParameter("@ID", contact.id)
};


0

Follow the steps below to resolve the SQL INJECTION problem:

// Requires: using System.Data; using Oracle.DataAccess.Client;
// ODP.NET bind variables use a colon prefix (:User) in the SQL text, not @User.
OracleParameter[] tmpParans = new OracleParameter[1];
tmpParans[0] = new OracleParameter("User", txtUser.Text);

string tmpQuery = "SELECT COD_USER, PASS FROM TB_USERS WHERE COD_USER = :User";

OracleCommand tmpComand = new OracleCommand(tmpQuery, yourConnection);
tmpComand.Parameters.AddRange(tmpParans);

OracleDataReader tmpResult = tmpComand.ExecuteReader(CommandBehavior.SingleRow);
