tags:

views:

2650

answers:

4
+4  Q: 

Avoiding SQL Injection in SQL query with Like Operator using parameters?

Taking over some code from my predecessor and I found a query that uses the Like operator:

SELECT * FROM suppliers WHERE supplier_name like '%'+name+%';

Trying to avoid SQL Injection problem and parameterize this but I am not quite sure how this would be accomplished. Any suggestions ?

note, I need a solution for classic ADO.NET - I don't really have the go-ahead to switch this code over to something like LINQ.

+6  A: 

Simply parameterize your query:

SELECT * FROM suppliers WHERE supplier_name like '%' + @name + '%'

Now you can pass your "name" variable into the @name parameter and the query will execute without any danger of injection attacks. Even if you pass in something like "'' OR true --" it'll still work fine.

Matt Hamilton  2008-10-23 03:51:37
A: 

Short Anwser:

1) name.Replace("'", "''").... Replace any escape characters that your database may have (single quotes being the most common)

2) if you are using a language like .net use Parameterized Queries

sql="Insert into Employees (Firstname, Lastname, City, State, Zip, Phone, Email) Values ('" & frmFirstname.text & "', '" & frmLastName & "', '" & frmCity & "', '" & frmState & "', '" & frmZip & "', '" & frmPhone & "', '" & frmEmail & "')"

The above gets replaced with the below

Dim MySQL as string = "Insert into NewEmp (fname, LName, Address, City, State, Postalcode, Phone, Email) Values (@Firstname, @LastName, @Address, @City, @State, @Postalcode, @Phone, @Email)" 

With cmd.Parameters:
    .Add(New SQLParameter("@Firstname", frmFname.text))
    .Add(New SQLParameter("@LastName", frmLname.text))
    .Add(New SQLParameter("@Address", frmAddress.text))
    .Add(New SQLParameter("@City", frmCity.text))
    .Add(New SQLParameter("@state", frmState.text))
    .Add(New SQLParameter("@Postalcode", frmPostalCode.Text))
    .Add(New SQLParameter("@Phone", frmPhone.text))
    .Add(New SQLParameter("@email", frmemail.text))
end with

3) user Stored procs

4) use Linq to SQL, again if you are using .net

vdhant  2008-10-23 03:52:03
I don't see why all the down votes here... I showed the range of options and what was avaiable. Personally I wouldn't use option 1, but I have said that all characters would need to be escaped not just the single quotes. If done that is perfectly valid. The options only get better from there. People shouldn't down vote without saying why.
vdhant  2010-03-29 07:10:00
+7  A: 

try this: 

var query = "select * from foo where name like @searchterm";
using (var command = new SqlCommand(query, connection))
{
  command.Parameters.AddWithValue("@searchterm", String.Format("%{0}%", searchTerm));
  var result = command.ExecuteReader();
}

the framework will automatically deal with the quoting issues.

craigb  2008-10-23 03:52:17
Thanks! Nice to get working code snippet as an answer. I was getting stuck on the {0} in the query text.
MikeJ  2008-10-23 05:01:47
+1  A: 

Nice it's working fine thanx bro

firdaus  2010-03-27 08:41:15

related questions

Best way to search data stored as XML in Sql Server?
What are the alternative's to using the iThenticate service for content comparison?
Search by hash?
Free text search integrated with code coverage
How-to: Ranking Search Results
Find item in WPF ComboBox
Find in Files: Search all code in Team Foundation Server
Searching for phone numbers in mysql
How do I implement Search Functionality in a website?
Can you perform an AND search of keywords using FREETEXT() on SQL Server 2005?
How do I search content, within audio files/streams?
Search Plugin for Safari
Search strategies in ORMs
Using Lucene to search for email addresses
SQL Server Full Text Searching
How do you do a case insensitive search using a pattern modifier using less ?
WildcardQuery error in Solr
PowerShell FINDSTR eqivalent?
Parsing search queries in Java
Need Pattern for dynamic search of multiple sql tables
grep a file, but show several surrounding lines?
Eclipse : Class file name must end with .class exception in Java Search
MOSS SSP problem - Failed database logons from deleted SSP
Incomplete results with Turkish characters in Indexing Service
Lucene Score results