Escape a SQL string programmatically?

Hot Topic

error execute sp_addlinkedserver in stored procedure
File permissions
Timeout Expired When Counting a Dimension
EnumAvailableSqlServers does not return all instances
Performance of multiple charts on a report (RenderStream issue with RS2000)
Express SP1 No version #
Wait for Recieve Fails to recieve message when called from .Net sqlClient
Error while restoring SQL7 data on SQL Express 2005
SSIS Tutorial - Package configuration problem
CreateSPs Sample Application Causes Exception.

SQL Server

SSIS and SQL Agent disaster (SQL Server 2005)
Exec SQL task with xml result fails when items are added.
SQL 2000 Publisher and SQL 2005 Suscriber
Access project form base on two tables with one-to-one relationship
Can you setup backup/restore functionality in SQL Express 2005 from a C# app?
killing sqlservr.exe from sqlclr code
.Net Framework for SSRS 2005
SQL Server CE and Memory Issue
Internet explorer script error
Sending Messages with ADO.NET 1.0

Escape a SQL string programmatically?

I need to construct a SQL statement programmatically and must escape strings included as values to follow SQL rules. For example:

command.CommandText = "INSERT INTO Table (strColumn) VALUES('" +
EscapeSQLChars(badChars) + "')";
command.ExecuteNonQuery();

Is there a built-in .Net command that does what I want EscapeSQLChars to do



Answer this question

Escape a SQL string programmatically?

  • VBwant2B

    Use paramitrimized queries. Then you never have to worry about format's or SQL Injection.
    It's olso better for the preformance, because you don't need to have to concatenate a string for example:


    string query = "SELECT * FROM Table1 WHERE ID = " + txtId.Text + " AND Name = \"" + "txtName.Text + "\"";
     


    No escape characters needed, you doesn't have to think about using a " or not etc.

    Parameters are like placeholders, you use them in Stored Procedures as well.

    A little example:


    // TODO: Set date variable.
    DateTime date = DateTime.Now;

    // Set query and parameters.
    const string query = "SELECT * FROM Table1 WHERE MyDate = @MyDate";
    SqlParameter pMyDate = new SqlParameter("@MyDate", SqlDbType.DateTime);
    pMyDate.Value = date;

    // Create connection and open it.
    SqlConnection dbConn = new SqlConnection("ConnectingString");
    dbConn.Open();

    try
    {
     using(SqlCommand dbCommand = new SqlCommand(query, dbConn))
     {
      // Add paramter to Command.
      dbCommand.Parameters.Add( pMyDate );

      // Execute the query and get results.
      SqlDataReader reader = dbCommand.ExecuteReader();

      try
      {
       // Walkthrough results.
       while(reader.Read())
       {
        // TODO: Do something with the data.
       }
      }
      finally
      {
       // Close reader.
       reader.Close();
      }
     }
    }
    finally
    {
     // Close connection.
     dbConn.Close();
    }
     



  • Escape a SQL string programmatically?
Answer this question