  1. #1
    SitePoint Enthusiast

    Removing unwanted characters from SQL statement

    It's been a long time since I've done this but I need something to remove unwanted characters from a text area during an insert SQL statement. I'm working on a home project and users may enter commas or slashes that may cause the ASP.net page to throw an error.

    Does C# have a StripSlashes function like PHP?


    Thanks

  2. #2
    SitePoint Mentor NightStalker-DNS's Avatar
    You can use the Replace method, e.g. stringValue.Replace("/","");

    Just bear in mind that if you want to remove a "\" you need to do it like this:
    stringValue.Replace("\\","");

    I hope you come right. Good luck

  3. #3
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    ^^^No, no, no. You should not be manually removing those characters at all. You should be using parameterized statements and let ADO handle cleaning up unwanted characters.

    Remember, only you can prevent SQL injection.

  4. #4
    SitePoint Guru pufa's Avatar
    As a "general" rule you should follow wwb_99's advice...

    "You should be using parameterized statements and let ADO handle cleaning up unwanted characters."

    I've "bolded" his statement to emphasize that you "should avoid using dynamic SQL statements" (and "should avoid using" should be read "do not use").

    Anyhow, for a quick "clean up" you can use the Regex.Escape(String) function.

    "Escapes a minimal set of metacharacters (\, *, +, ?, |, {, [, (, ), ^, $, ., #, and white space) by replacing them with their escape codes."

    cheers,
    Rui
    Ciao, Rui...

  5. #5
    SitePoint Enthusiast
    Quote Originally Posted by pufa
    As a "general" rule you should follow wwb_99's advice...

    "You should be using parameterized statements and let ADO handle cleaning up unwanted characters."

    I've "bolded" his statement to emphasize that you "should avoid using dynamic SQL statements" (and "should avoid using" should be read "do not use").

    Anyhow, for a quick "clean up" you can use the Regex.Escape(String) function.

    "Escapes a minimal set of metacharacters (\, *, +, ?, |, {, [, (, ), ^, $, ., #, and white space) by replacing them with their escape codes."

    cheers,
    Rui

    That's what I was looking for.

    Thanks

  6. #6
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    No, it isn't. Parameterized statements are what you are looking for. Regex.Escape escapes regular expressions, not SQL.

    Now, sometimes you need dynamic SQL. I have actually become a bigger and bigger fan of dynamically generating statements recently rather than binding myself to stored procedures.

    But you should never ever ever be using string concatenation to put the values of parameters inside a SQL statement. That should always, always be left to bound parameters. For both performance and security.

    Why don't you post the code you are trying to escape things from and we will move it into a parameterized statement.

  7. #7
    SitePoint Guru pufa's Avatar
    Quote Originally Posted by wwb_99
    But you should never ever ever be using string concatenation to put the values of parameters inside a SQL statement. That should always, always be left to bound parameters. For both performance and security.
    Exactly...
    I still mix up this stuff...
    Ciao, Rui...

  8. #8
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    No worries, I suspected that was what you meant.

  9. #9
    SitePoint Author silver trophybronze trophy
    wwb_99's Avatar
    Quote Originally Posted by learningAlways
    I'm getting confused with this
    Not exactly certain what the issue is, but the rule is very simple: if you ever find yourself thinking "gee, I need to escape this character for SQL purposes":

    1) Slap yourself about the head.
    2) Go and use a parameterized statement.
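    The "before and after" the thread keeps pointing at, written out as an added example (not code posted by anyone in the thread); the Comments table, its columns and the CommentRepository class are assumed names chosen for illustration:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical table and column names, assumed for this example only.
public static class CommentRepository
{
    // BEFORE: the pattern the thread warns against. User input is pasted into
    // the SQL text, so quotes, commas or slashes typed into the text area can
    // break the statement or change its meaning. Replace() cannot fix that,
    // and Regex.Escape() escapes regex metacharacters, not SQL.
    public static string BuildUnsafeSql(string author, string body)
    {
        return "INSERT INTO Comments (Author, Body) VALUES ('"
             + author + "', '" + body + "')";
    }

    // AFTER: a parameterized statement. The SQL text is a constant; the values
    // travel separately as typed parameters, so the driver and server never
    // parse the user's text as SQL. Nothing needs stripping or escaping.
    public static int InsertComment(string connectionString, string author, string body)
    {
        const string sql =
            "INSERT INTO Comments (Author, Body) VALUES (@author, @body)";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit types and lengths keep the plan cache stable and let the
            // driver check the value against the column definition.
            command.Parameters.Add("@author", SqlDbType.NVarChar, 100).Value = author;
            command.Parameters.Add("@body", SqlDbType.NVarChar, -1).Value = body; // -1 = MAX

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

    Any text the user types, slashes and all, is stored exactly as entered, and the same parameterized form works for SELECT, UPDATE and DELETE.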

