Reputation: 646
Handling single quotes in string sql query using variables
I am trying to make this statement safe from the insertion of special characters. How would I reformat the query to handle this, such as the variable type having the value “Women’s”? I know that parameterized queries are the way to go, however; that is not an option right now.
var sqlStatement = "SELECT DISTINCT DN FROM tbl1 WHERE Media LIKE "+ media + "% AND Type = " + type + "";
Upvotes: 1
Views: 1223
Answers (2)
Reputation: 5347
Your best resource here is going to be OWASP (check out the SQL Injection Prevention cheat sheet). I feel compelled to reiterate that your best bet would be to attempt solutions in the following order:
- Prepared Statements
- Stored Procedures
- Escaping User Supplied Input
If you're absolutely set on escaping queries for SQL Server you can refer to This MSDN Article, specifically the Escaping Input section. If you can further validate user input by implementing a White List, all the better!
Upvotes: 2
Reputation: 51504
I know that parameterized queries are the way to go, however; that is not an option right now.
Why is it "not an option right now"?
Is having your entire data compromised or destroyed "an option right now"? Would you care to post your URL?
If you don't parameterise your queries, there is no guaranteed foolproof method of preventing SQL injection.
Upvotes: -1
Related Questions
- Escape single quote in sql query c#
- use quotes in sql query node.js
- How do I escape a single quote in dynamic SQL
- Add double quotes around variable -Full text search sql server
- Escaping single quotes in MSSQL
- Unable to escape single quote
- Single quote escaping in SQL Server query - using parameterised value
- Single quote handling in a SQL string
- How to handle Single Quote
- Javascript string syntax to write SQL