OK. Again...How to handle single quotes in SQL Strings?? ASP.NET/ADO.NET

How can I handle the user entering single quotes like in

Bob's mini mart?

If I use command objects will this no longer be an issue?

I guess that would mean no simple ad hoc SQL statements, right?

like SELECT name from WHATEVER

would need a command object with

"SELECT @NAME, etc.
and then params

is this the way to solve the problem?

Thanks,

Shane

Nov 18 '05 #1
Use command objects. The single quote "problem" will go away.

Don't use ad-hoc SQL statements that are concatenated from user input. You
are leaving your application vulnerable to a SQL injection attack.

Colin

Nov 18 '05 #2
Yes, use parameter objects.

--
I hope this helps,
Steve C. Orr, MCSD, MVP
http://Steve.Orr.net
Nov 18 '05 #3
OK. That is what I had thought.

So to do that in command objects I do something like:

Dim cmd As New SqlCommand("SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)

is that right? And then just add @State as a param?

I don't need to do the same for the output params, right? Like Name, Address
and City--or do I have to do them the same?

Shane

Nov 18 '05 #4
Basically correct.

Output parameters would need to be declared, but in your example, you
seem to be returning a recordset, not output parameters. This would
return a .NET dataset with multiple records which you could either
bind to an ASP control or use in whatever method you deem prudent :)

On Sun, 6 Jun 2004 09:49:15 -0500, "SStory"
<Th*******@TAKEOUTTHISSPAMBUSTERsofthome.net> wrote:
> OK. That is what I had thought.
>
> So to do that in command objects I do something like:
>
> Dim cmd As New SqlCommand("SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)
>
> is that right? And then just add @State as a param?
>
> I don't need to do the same for the output params, right? Like Name, Address
> and City--or do I have to do them the same?
>
> Shane
Nov 18 '05 #5
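Shane's query from post #4 with @State bound as a typed parameter, next to the concatenated form Colin warns against, as an added VB.NET example (not code posted in this thread). The connection string and the two-character State column are assumptions; tblPerson and its column names come from Shane's post.

```vb
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Module ParameterizedQueryDemo
    ' Placeholder (assumption): point this at the database holding tblPerson.
    Private Const ConnString As String = _
        "Server=(local);Database=YOUR_DATABASE;Integrated Security=SSPI"

    ' The ad hoc form the thread warns against: the user's value is spliced into
    ' the SQL text. An apostrophe in the value (Bob's mini mart) ends the string
    ' literal early, so the statement no longer parses, and a hostile value can
    ' change what the statement does. Shown only to contrast with the safe form.
    Public Function BuildConcatenatedSql(ByVal name As String) As String
        Return "SELECT Name, Address, City FROM tblPerson WHERE Name='" & name & "'"
    End Function

    ' The command-object form: the SQL text never changes, and @State travels to
    ' SQL Server as typed data, so any quotes inside the value stay inside it.
    Public Function FindPeopleByState(ByVal state As String) As List(Of String)
        Dim results As New List(Of String)()
        Using conn As New SqlConnection(ConnString)
            Using cmd As New SqlCommand( _
                    "SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)
                ' Declare type and length explicitly (State assumed NVARCHAR(2))
                ' instead of letting the provider infer them from the value.
                cmd.Parameters.Add("@State", SqlDbType.NVarChar, 2).Value = state
                conn.Open()
                ' Name, Address and City come back as ordinary result-set columns;
                ' they are not output parameters and need no declaration.
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    While reader.Read()
                        ' Convert.ToString maps DBNull to "" instead of throwing.
                        results.Add(Convert.ToString(reader("Name")) & ", " & _
                            Convert.ToString(reader("Address")) & ", " & _
                            Convert.ToString(reader("City")))
                    End While
                End Using
            End Using
        End Using
        Return results
    End Function

    Sub Main()
        ' The concatenated text is already malformed once the input holds a quote.
        Console.WriteLine(BuildConcatenatedSql("Bob's mini mart"))
        ' The parameterized query needs no escaping of the caller's value at all.
        For Each row As String In FindPeopleByState("TX")
            Console.WriteLine(row)
        Next
    End Sub
End Module
```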
Thanks Dan,

Will try to go through and fix offending code.

Shane

Nov 18 '05 #6