ansaurus

Question

How to escape simple SQL queries in C# for SqlServer

Answer 1

+5 A:

Parameterise it!

A Google search of SO for "SQL injection"

Edit:

In response to Seva Alekseyev, SO answer with character 8 injection

gbn 2010-03-08 18:27:39

Given that his question starts with "I use an API that expects a SQL string" that may not be an option.

Jacob G 2010-03-08 18:29:38

@Jacob G: surely we should try to educate...

gbn 2010-03-08 18:34:06

If you have access to the code of the api, check to make sure that it uses argument parametrization. What do you actually pass to the api? That should help in derermining what is used to pass the argument.

Joe Pitz 2010-03-08 18:35:04

@gbn: It seems that the poster knows that the input needs to be sanitized, else they wouldn't be asking the question.

Jacob G 2010-03-08 18:42:12

@Jacob G: true, but why reinvent the wheel if you don't have to? I'd be questioning why I have to use an API like this too.

gbn 2010-03-08 18:44:23

@gbn: lotsa reasons. Legacy code, I would presume. Anyway, just answer the question, instead of promoting a best practice. This particular best practice does not need any more promotion.

Seva Alekseyev 2010-03-08 20:29:53

@Seva Alekseyev: yes it does require more promotion to prevent questions like this...

gbn 2010-03-08 20:34:20

@gbn: chr(8) injection only works if the SQL string is passed through a console on its way to the database. Read the comments on that answer.

Seva Alekseyev 2010-03-08 20:49:46

Answer 2

+5 A:

Simple:

const string sql = "SELECT * FROM SOME_TABLE WHERE Name = @name";

and add the @name parameter with value:

cmd.CommandText = sql;
cmd.Parameters.AddWithValue("@name", name);

Marc Gravell 2010-03-08 18:30:31

He still needs to get the actual SQL statement out of the command object to pass to the API.

manu08 2010-03-08 18:36:54

Answer 3

A:

Since using SqlParameter is not an option, just replace ' with '' (that's two single quotes, not one double quote) in the string literals. That's it.

To would-be downvoters: re-read the first line of the question. "Use parameters" was my gut reaction also.

EDIT: yes, I know about SQL injection attacks. If you think this quoting is vulnerable to those, please provide a working counterexample. I think it's not.

Seva Alekseyev 2010-03-08 18:33:03

-1: And how does that protect against things like Little Bobby? (http://xkcd.com/327/ if you don't know what that means). While parameters may not be an option, the solution of replacing single with double quotes is certainly not 'it' as your answer states.

Greg Beech 2010-03-08 18:37:03

There's a little ' after Robert. That's how. When properly quoted, Bobby's unorthodox name would stored in the database in its entirety.

Seva Alekseyev 2010-03-08 18:37:44

I was speaking figuratively. You wouldn't have quotes with, for example, numeric arguments. It's this *kind* of thing that is the problem, not that exact example. (For example, that exact syntax wouldn't work with SQL Server, but the problem still applies.)

Greg Beech 2010-03-08 18:39:04

you can invalidate this replace by using character 8, backspace. Or "high" unicode characters matching '

gbn 2010-03-08 18:42:02

@Greg: I'm with you. This method is a nonstarter and should not be encouraged.

Steven Sudit 2010-03-08 18:42:05

Not double quotes - two single quotes. That's how single quote is escaped in SQL Server. Sorry it came out that way, I've already edited. Yes, I know about SQL injection. And I said "string literals" - numeric arguments are not string literals.

Seva Alekseyev 2010-03-08 18:43:15

@gbn: cite please.

Seva Alekseyev 2010-03-08 18:44:27

Sure... character 8 injection: http://stackoverflow.com/questions/1800013/does-this-code-prevent-sql-injection

gbn 2010-03-08 18:50:39

@gbn: If you're basing that suggestion completely on the evidence of the accepted answer in that post, I suggest reading the comment I added and trying it for yourself.

Jon Seigel 2010-03-08 19:56:23

@gbn: debunked... Keep trying :) String quoting is like pointer arithmetic in C or dancing on a minefield: inherently dangerous, but works if done right.

Seva Alekseyev 2010-03-08 20:27:06

Seva Alekseyev thank you so, so, so much for reading my question and trying to answer it. Thank you for not preaching to me about "best practices". And thank you for not trying to "educate me" Really, thank you!

sri 2010-03-08 22:30:13

Um, for the record, I still think that parameters are the way to go :) However, I've been in this business long enough to understand the existence of constraints on your designs. Been there, done that.

Seva Alekseyev 2010-03-08 22:33:27

@Seva While everyone knows the code above is subject to injections, sometimes you are tied to an API that just doesn't allow you to follow best practices. Too often programmers worry about stuff that isn't within the circle of concern of a particular task. Good answer to the specific question.

Nissan Fan 2010-03-08 22:36:38

@Seva I would do the same thing, but in this case I can't. A couple of other times I've asked questions on SO and people want to "educate me" or question why things are setup that way, which is pretty frustrating :-)(And yes I understand about SQL injection and the other best practices...)

sri 2010-03-08 22:49:05

ansaurus

tags:

views:

answers:

How to escape simple SQL queries in C# for SqlServer

related questions