Is there a .Net project/dll, that supports escaping of user supplied input to database queries for various database systems?

I would like our entire team to standardize and use one module to perform escaping of user supplied input that will then be used in parameterized SQL queries.

Ideally, I would like to specify the database system (oracle, SqlServer, mySql, etc.) in the config file and be able to call Escape(variableName) and it would escape the string contents based on the current database setting in the web.config file.

If not, the next best thing would be something like EscapeForOracle, EscapeForSqlServer, etc.

At a minimum the project should support Oracle, SqlServer and MySql.

I am wondering if I need to create this in-house or if an existing commercial/open-source product exists to do this.

+2  A: 

I don't think you will need such a thing.

When running a parametrized query/stored procedure, use a parameters collection.
Specify appropriate data type, length, precision & supply a valid value.
Escaping will be done by DB provider.

Let me know, if I have not understood your question correctly.

shahkalpesh
A: 

In .NET, you can use the generic classes like DbReader and DbConnection instead of SqlConnection. Like shahkalpesh and Lasse V. Karlsen said, you can use parameters and the framework or driver will handle the escaping for you.

But practically speaking, if you wish to develop a product for both Oracle and Sql Server, you're talking MAJOR overhead. Escaping correctly is just the tip of the iceberg. If you haven't installed an Oracle and a Sql Server test server, you probably haven't even started :)

Andomar
That was what I meant by my comment to his question as well; he needs to specify more clearly what he wants. If he's talking about being able to write one product with one set of SQL statements that work the same across database engines, he needs some code in between that handles the differences. But if he just means "escaping parameter values" where "parameters" aren't really parameters, then that's different.
Lasse V. Karlsen
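Both answers make the same point: with a real parameterized query the ADO.NET provider never splices the value into the SQL text, so application-side escaping is unnecessary. The following is an added example (not code from the question or either answer) showing the provider-neutral approach Andomar mentions, built on System.Data.Common. The provider invariant names, the parameter-prefix table, the Users/Id/Name schema and the 100-character column size are assumptions made for the illustration; the provider name and connection string would normally be read from web.config.

```csharp
// Added example, not from the original thread. Demonstrates a provider-neutral
// parameterized query via DbProviderFactory/DbCommand/DbParameter so that one
// helper serves SQL Server, MySQL and Oracle without any hand-written escaping.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;

public static class SafeQuery
{
    // Parameter-name prefix per provider. Assumed mapping for the three providers
    // the question names: SqlClient and MySql use '@', ODP.NET (managed) uses ':'.
    private static readonly Dictionary<string, string> Prefix = new Dictionary<string, string>
    {
        { "System.Data.SqlClient", "@" },
        { "MySql.Data.MySqlClient", "@" },
        { "Oracle.ManagedDataAccess.Client", ":" },
    };

    // UNSAFE, shown only for contrast: the input becomes part of the SQL grammar,
    // so quotes or comment markers in userName change the statement's meaning.
    public static string BuildUnsafeSql(string userName)
    {
        return "SELECT Id FROM Users WHERE Name = '" + userName + "'";
    }

    // SAFE: the statement text is fixed; the value is sent as a typed parameter
    // and the provider handles any quoting/encoding on the wire.
    public static int? LookupUserId(string providerName, string connectionString, string userName)
    {
        DbProviderFactory factory = DbProviderFactories.GetFactory(providerName);
        string p = Prefix[providerName];

        using (DbConnection conn = factory.CreateConnection())
        {
            conn.ConnectionString = connectionString;
            using (DbCommand cmd = conn.CreateCommand())
            {
                // Only the parameter marker differs between providers.
                cmd.CommandText = "SELECT Id FROM Users WHERE Name = " + p + "name";

                DbParameter param = cmd.CreateParameter();
                param.ParameterName = p + "name";
                param.DbType = DbType.String;   // declare the type explicitly
                param.Size = 100;               // assumed Name column length
                param.Value = userName;         // raw input, no escaping applied
                cmd.Parameters.Add(param);

                conn.Open();
                object result = cmd.ExecuteScalar();
                if (result == null || result == DBNull.Value)
                    return null;
                return Convert.ToInt32(result);
            }
        }
    }
}

// Usage (assumed web.config keys "DbProvider" and connection string "Main"):
//   string provider = ConfigurationManager.AppSettings["DbProvider"];
//   string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
//   int? id = SafeQuery.LookupUserId(provider, cs, Request["user"]);
```

Declaring DbType and Size up front, as shahkalpesh suggests, also prevents the provider from inferring an over-wide type from the value and gives the database a stable execution plan. Note that parameters cover values only; identifiers such as table or column names cannot be parameterized and must come from a fixed whitelist rather than from user input.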