Removing unwanted characters from SQL statement

**pressure** · Oct 23, 2006 07:15

It's been a long time since I've done this but I need somthing to remove unwanted characters from a text area during an insert SQL statement. I'm working on a home project and users may enter comma's or slashes that may cause the ASP.net page to throw an error.

Does c# have a StripSlashes function like PHP?

Thanks

**NightStalker-DNS** · Oct 23, 2006 08:02

Y can use the replace method. eg. stringValue.Replace("/","");

Just bare in mind that if u want to remove a "\" u need to do it like this:
stringValue.Replace("\\","");

I hope u come right. Good luck

**wwb_99** · Oct 23, 2006 09:02

^^^No, no no. You should not be manually removing those characters at all. You should be using parameterized statements and let ADO handle cleaning up unwanted characters.

Remember, only you can prevent sql injection.

**pufa** · Oct 23, 2006 16:28

As a "general" rule you should follow wwb99 advice...

"You should be using parameterized statements and let ADO handle cleaning up unwanted characters."

I've "bolded" his statement to enfase that you "should avoid using dynaminc sql statements" (and "should avoid using" should be read "do not use").

Any how for quick a "clean up" you can use the Regex.Escape(String) function.

"Escapes a minimal set of metacharacters (\, *, +, ?, |, {, [, (,), ^, $,.,#, and white space) by replacing them with their escape codes."

cheers,
Rui

**pressure** · Oct 23, 2006 16:55

Originally Posted by pufa

As a "general" rule you should follow wwb99 advice...

"You should be using parameterized statements and let ADO handle cleaning up unwanted characters."

I've "bolded" his statement to enfase that you "should avoid using dynaminc sql statements" (and "should avoid using" should be read "do not use").

Any how for quick a "clean up" you can use the Regex.Escape(String) function.

"Escapes a minimal set of metacharacters (\, *, +, ?, |, {, [, (,), ^, $,.,#, and white space) by replacing them with their escape codes."

cheers,
Rui

That's what I was looking for.

Thanks

**wwb_99** · Oct 23, 2006 17:14

No, it isn't. Parameterized statements are what you are looking for. Regex.Escape escapes regular expressions, not sql.

Now, sometimes you need dynamic sql. I have actually become a bigger and bigger fan of dynamically generating statements recently rather than binding myself to stored procedures.

But you should never ever ever be using string concatenation to put the values of parameters inside a sql statement. That should always, always be left to bound parameters. For both performance and security.

Why don't you post the code you are trying to escape things from and we will move it into a parameterized statement.

**pufa** · Oct 24, 2006 01:35

Originally Posted by wwb_99

But you should never ever ever be using string concatenation to put the values of parameters inside a sql statement. That should always, always be left to bound parameters. For both performance and security.

Exactly...
I still mix up this stuff...

**wwb_99** · Oct 24, 2006 09:07

No worries, I suspected that was what you meant.

**wwb_99** · Oct 24, 2006 09:40

Originally Posted by learningAlways

im geting confused witht hsi

Not exactly certain what the issue is, but the rule is very simple: if you ever find yourself thinking "gee, I need to escape this character for SQL purposes":

1) Slap yourself about the head.
2) Go and use a parameterized statement.

User Tag List

Thread: Removing unwanted characters from SQL statement

Thread Tools

Display

Removing unwanted characters from SQL statement

Bookmarks

Bookmarks

Posting Permissions