I am trying to prevent any SQL injection in all my queries and would like to know how to put double quotes in this query. Thanks

string.Format(@"SELECT TOP 10 article_guid, article_title
               FROM article
               WHERE article.article_isdeleted = 0 AND
                     FREETEXT(article_title, @val)");
A: 

I'm not sure if double quotes will help you (which you can add if you like by escaping the quote, as in \"). What I've done in the past is to be mindful of single quotes, so I performed a replace on the content of @val prior to including it in the query, as in val.Replace("'", "''").

David Andres
Sorry, downvoting because this is not the way to do it in .NET; it is not enough (i.e. imagine the parameter contains no quotes because it is normally numeric).
Noon Silk
Not quite sure where the down vote is coming from
David Andres
Fair enough, but the OP's original post presumes that @val is textual.
David Andres
I know. Hence the reason I'm sorry for it; but in .NET, there is no legitimate case to use `.Replace` to solve SQL Injection; you only ever use `SqlParameter`s.
Noon Silk
Well, I know SqlParameters take care of this, but what about OleDbParameters and the like. Though the OP's query gives SQL Server away, you can't always be certain of the data provider. Not a big deal, dude.
David Andres
+2  A: 

To prevent SQL Injection you must only use SqlParameter objects for all your queries, like so:

using System.Data;
using System.Data.SqlClient;

SqlCommand   command = new SqlCommand("update tblFoo set x = @x");
SqlParameter param   = new SqlParameter("@x", SqlDbType.NVarChar);

// The value travels to the server as data, so the embedded quote needs no SQL escaping.
param.Value = "hello\"";

command.Parameters.Add(param);
Noon Silk
+4  A: 

Step 1: Don't do this. Use a parameterized query instead.

Parameterized queries remove most of the risk associated with SQL injection attacks.

From the link:

private void CallPreparedCmd() {
    string sConnString = 
        "Server=(local);Database=Northwind;Integrated Security=True;";
    string sSQL = 
        "UPDATE Customers SET City=@sCity WHERE CustomerID=@sCustomerID";
    using (SqlConnection oCn = new SqlConnection(sConnString)) {
        using (SqlCommand oCmd = new SqlCommand(sSQL, oCn)) {
            oCmd.CommandType = CommandType.Text;

            oCmd.Parameters.Add("@sCustomerID", SqlDbType.NChar, 5);
            oCmd.Parameters.Add("@sCity", SqlDbType.NVarChar, 15);

            oCn.Open();
            oCmd.Prepare();

            oCmd.Parameters["@sCustomerID"].Value = "ALFKI";
            oCmd.Parameters["@sCity"].Value = "Berlin2";
            oCmd.ExecuteNonQuery();

            oCmd.Parameters["@sCustomerID"].Value = "CHOPS";
            oCmd.Parameters["@sCity"].Value = "Bern2";
            oCmd.ExecuteNonQuery();

            oCn.Close();
        }
    }
}

That being said, you can insert quotes into a string by escaping the double quotes like this:

string newstring = " \"I'm Quoted\" ";
Dan Rigby
Can parameters prevent something like this being added at the end of the query: `;drop table article`?
Yes, because parameters are not executed as literal sql and are type checked. See http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET.
Dan Rigby
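Applying the advice in the two answers above to the OP's own FREETEXT query, as an added example that is not part of the original question or either answer: the search text becomes a typed `SqlParameter`, so a value containing double quotes, single quotes or a trailing `;drop table article` is searched for literally and never becomes part of the statement. The connection string, database name and column types are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Placeholder connection
// string; the article table and its columns are taken from the OP's query.
public static class ArticleSearch
{
    private const string ConnectionString =
        "Server=(local);Database=ArticleDb;Integrated Security=True;";

    // The SQL text is a constant: nothing the user types is ever spliced into it.
    private const string Sql =
        "SELECT TOP 10 article_guid, article_title " +
        "FROM article " +
        "WHERE article.article_isdeleted = 0 AND FREETEXT(article_title, @val)";

    public static void PrintMatches(string searchText)
    {
        using (SqlConnection cn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(Sql, cn))
        {
            // Typed, length-bounded parameter. The provider sends the value as
            // data, so quotes of either kind need no escaping and cannot
            // terminate the string literal or the statement.
            SqlParameter val = cmd.Parameters.Add("@val", SqlDbType.NVarChar, 200);
            val.Value = searchText;

            cn.Open();
            using (SqlDataReader rd = cmd.ExecuteReader())
            {
                while (rd.Read())
                {
                    Console.WriteLine("{0}\t{1}", rd[0], rd[1]);
                }
            }
        }
    }

    public static void Main()
    {
        // Constructed inputs: each is passed through unchanged and matched
        // as free text, including the one that ends in a second statement.
        PrintMatches("\"quoted phrase\"");
        PrintMatches("O'Brien's \"best\" article");
        PrintMatches("article';drop table article");
    }
}
```

The same pattern works for any ADO.NET provider through the `DbCommand.CreateParameter()` and `DbCommand.Parameters.Add(...)` members of `System.Data.Common`, which addresses the OleDb point raised in the comments; the only provider-specific detail is the placeholder syntax (SqlClient uses named `@val`, OleDb uses positional `?`).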
A: 

Why did you use string.Format? You are using a @parameterized query, and it is type-safe.

Use Type-Safe SQL Parameters for Data Access

adatapost