How to escape simple SQL queries in C# for SqlServer

zibereq

New Member
I use an API that expects a SQL string. I take a user input, escape it and pass it along to the API. The user input is quite simple. It asks for column values. Like so:

[code]
string name = userInput.Value;
[/code]

Then I construct a SQL query:

[code]
string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", name.Replace("'", "''"));
[/code]

Is this safe enough? If it isn't, is there a simple library function that makes column values safe?

[code]
string sql = string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'", SqlSafeColumnValue(name));
[/code]

The API uses SQL Server as the database. Thanks.

Seva Alekseyev, thank you so, so, so much for reading my question and trying to answer it. Thank you for not preaching to me about "best practices". And thank you for not trying to "educate me". Really, thank you!
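An added example, not from the original post, showing the `SqlSafeColumnValue` helper the question asks about next to the parameterized form that System.Data.SqlClient supports when the API exposes a `SqlCommand` rather than only a SQL string; the table, column and parameter length are placeholders taken from the question.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class SqlValueEscaping
{
    // Doubles single quotes so the value can sit inside a single-quoted
    // SQL Server string literal. This covers only the literal context the
    // question shows: it does not make a value safe as an identifier, in a
    // LIKE pattern, or in an unquoted position.
    public static string SqlSafeColumnValue(string value)
    {
        if (value == null) throw new ArgumentNullException(nameof(value));
        return value.Replace("'", "''");
    }

    // Builds the query text for an API that only accepts a raw SQL string.
    public static string BuildQuery(string name)
    {
        return string.Format("SELECT * FROM SOME_TABLE WHERE Name = '{0}'",
                             SqlSafeColumnValue(name));
    }

    // Preferred where the API accepts a SqlCommand: the value is sent as a
    // typed parameter and never becomes part of the SQL text, so no
    // escaping is needed. Length 100 is an assumed column width.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("SELECT * FROM SOME_TABLE WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    static void Main()
    {
        // Constructed input: a name containing an apostrophe.
        Console.WriteLine(BuildQuery("O'Brien"));
        // Prints: SELECT * FROM SOME_TABLE WHERE Name = 'O''Brien'
    }
}
```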