OK. Again...How to handle single quotes in SQL Strings?? ASP.NET/ADO.NET

SStory

How can I handle the user entering single quotes like in

Bob's mini mart?

If I use command objects will this no longer be an issue?

I guess that would mean no simple adhoc SQL statements right?

like SELECT name from WHATEVER

would need a command object with

"SELECT @NAME, etc.
and then params

is this the way to solve the problem?

Thanks,

Shane
 
Colin Young

Use command objects. The single quote "problem" will go away.

Don't use ad-hoc SQL statements that are concatenated from user input. You
are leaving your application vulnerable to a SQL injection attack.

Colin
 
SStory

OK. That is what I had thought.

So to do that in command objects I do something like:

Dim cmd As New SqlCommand("SELECT Name,Address,City FROM tblPerson WHERE State=@State", conn)

is that right? And then just add @State as a param?

I don't need to do the same for the output params right? Like Name, Address
and City--or do I have to do them the same?

Shane
 
Dan Brussee

Basically correct.

Output parameters would need to be declared, but in your example, you
seem to be returning a recordset, not output parameters. This would
return a .NET dataset with multiple records which you could either
bind to an ASP control or use in whatever method you deem prudent :)
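The pattern the replies describe, written out as an added VB.NET example (not code from anyone in this thread): the concatenated form that breaks on a single quote next to the parameterized SqlCommand that does not, with the result columns read back through a reader rather than declared as parameters. The table tblPerson, its columns and the connection string are assumed placeholders.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Public Module PersonLookup

    ' The ad-hoc form the thread warns against: the user's value is pasted into
    ' the SQL text, so an input such as "Bob's mini mart" ends the quoted literal
    ' early and the rest of the input is parsed as SQL (the injection risk above).
    Public Function BuildUnsafeSql(ByVal state As String) As String
        Return "SELECT Name, Address, City FROM tblPerson WHERE State='" & state & "'"
    End Function

    ' The command-object form: the value is bound as a typed parameter and never
    ' becomes part of the SQL text, so a single quote in it is just data.
    ' Name, Address and City are result columns, not output parameters; they
    ' come back through the SqlDataReader and need no declaration.
    Public Function FindByState(ByVal connStr As String, ByVal state As String) As DataTable
        Dim result As New DataTable()
        Using conn As New SqlConnection(connStr)
            Using cmd As New SqlCommand( _
                    "SELECT Name, Address, City FROM tblPerson WHERE State = @State", conn)
                ' Give the parameter an explicit type and length so the driver does not
                ' have to infer them from the value (assumed column type: NVARCHAR(50)).
                cmd.Parameters.Add("@State", SqlDbType.NVarChar, 50).Value = state
                conn.Open()
                Using reader As SqlDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
            End Using
        End Using
        Return result
    End Function

    Sub Main()
        Dim input As String = "Bob's mini mart"
        ' Shows the broken quoting produced by concatenation; nothing is executed here.
        Console.WriteLine(BuildUnsafeSql(input))
        ' Placeholder connection string; replace with a real one to run the query.
        Dim rows As DataTable = FindByState("Server=(local);Database=Demo;Integrated Security=true", input)
        Console.WriteLine(rows.Rows.Count & " row(s) matched.")
    End Sub

End Module
```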
 