tags:

views:

336

answers:

2
Q: 

Standard Function for Escaping Strings in SQL

I'm writing a program in .NET2.0 and I need to escape the inputs before using them. Unfortunately the standard parameter method system does not fully work in the system I'm using. Using the ODBCCommand class I cannot place a ? parameter in the select part of the statement (which is required for the little bit of trickiness I'm doing) without getting an error, so I need to manually escape strings that may or may not contain a single quote ('). Any suggestions?

Edit- Example SQL:

As I would like it:

INSERT INTO TABLE_A (COLUMN_A, COLUMN_B)
SELECT (?, COLUMN_C)
FROM TABLE_B
WHERE COLUMN_D = ?

As it is:

INSERT INTO TABLE_A (COLUMN_A, COLUMN_B)
SELECT ('INPUT_VALUE_HERE', COLUMN_C)
FROM TABLE_B
WHERE COLUMN_D = ?

Edit: Sybase ASE is the DB driver, through ODBC

+2  A:  
Dim s As String = "Michael O'Flatley"
Dim escapedString as String = s.Replace("'", "''")
Patrick McDonald  2009-04-23 12:46:32
+2  A: 

You can parse your string parameters with this extension function

public static string SqlEncode(string str)
{
    if (str == null) return String.Empty;
    return str.Replace("'","''");
}
Soni Ali  2009-04-23 12:54:21
to be an extension function should it be public static string SqlEncode(this string str)?
Patrick McDonald  2009-04-23 13:01:21
Fixed it for him.
Joel Coehoorn  2009-04-23 13:04:47
Good idea, but if you look you'll see this .NET2.0 (no extension methods).
C. Ross  2009-04-23 13:15:43
I did not make it an extension because he said .NET 2.0.
Soni Ali  2009-04-23 13:39:18
Sorry Soni, you're right, I read extension in your answer and thought you meant to write an extension methos
Patrick McDonald  2009-04-23 14:05:31

related questions

Backup SQL Schema Only?
Sql to query a dbs scheme
Timer-based event triggers
Sql query, count and group by
Paging SQL Server 2005 Results
SQL 2005 For XML Explicit - Need help formatting
How do I use T-SQL Group By
What all do I need to escape when sending a (My)SQL query?
Split String in SQL
Datatable vs Dataset
ASP.NET MVC "CRUD" Database Sample
Convert HashBytes to VarChar
Best Book for a new Database Developer
What is the best way to avoid SQL injection attacks?
What language do you use for Postgresql triggers and stored procedures?
What is the best way to handle multiple permission types?
How do I index a database field
Swap unique indexed column values in database.
cx_Oracle - what is the best way to iterate over a result set?
cx_Oracle - How do I access Oracle from Python?
Is there a version control system for database structure changes?
How to export data from SQL Server 2005 to MySQL
ASP.NET Site Maps
Decoding T-SQL CAST in C#/VB.net
Flat File Databases in PHP