CerIs

Reputation: 567

HttpUtility.UrlEncode to prevent SQL injection

I was using HttpUtility.UrlEncode() to prevent SQL injection in WHERE clauses. However, some of the text being input has spaces, and replacing them with %20 will stop the query. Is there a better alternative?

Upvotes: 0

Views: 667

Answers (2)

Nitzo

Reputation: 79

To prevent SQL injection it is preferred to use SQL parameters. When working with parameters, SQL ensures that the parameters in the query are never executed.

Never construct queries by concatenating strings, especially when the input is untrusted (received from a user)!

In your case, using C#, you can take a look here: http://csharp-station.com/Tutorial/AdoDotNet/Lesson06

Upvotes: 1

Marc Gravell

Reputation: 1063328

Use parameters in your database queries rather than concatenating input. Job done. If that sounds like a lot of work, consider tools like Dapper that make it easy:

string name = ...
int regionId = ...
var customers = connection.Query<Customer>(
    "select * from Customers where Name = @name and RegionId = @regionId",
    new { name, regionId }).AsList();

Upvotes: 1
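The parameterized approach both answers recommend, shown as an added example that is not from the question or either answer; it uses plain ADO.NET (Microsoft.Data.SqlClient) rather than Dapper, and the Customers(Name, RegionId) table, the column size and the connection string are assumptions:

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using Microsoft.Data.SqlClient; // NuGet package: Microsoft.Data.SqlClient

public static class CustomerQueries
{
    // What the question did: encode the value and splice it into the SQL text.
    // UrlEncode changes the data (a space becomes "+" or "%20"), so the row no
    // longer matches, and the result is still string concatenation, not a fix.
    public static string UnsafeWhereClause(string name)
    {
        string encoded = System.Web.HttpUtility.UrlEncode(name);
        return "select * from Customers where Name = '" + encoded + "'";
    }

    // Parameterized equivalent. The value travels separately from the SQL text,
    // so spaces, quotes or semicolons in it are only data to compare against.
    // Table Customers(Name, RegionId) and the connection string are assumptions.
    public static List<string> FindCustomerNames(string connectionString, string name, int regionId)
    {
        const string sql = "select Name from Customers where Name = @name and RegionId = @regionId";
        var names = new List<string>();
        using var connection = new SqlConnection(connectionString);
        using var command = new SqlCommand(sql, connection);
        command.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        command.Parameters.Add("@regionId", SqlDbType.Int).Value = regionId;
        connection.Open();
        using var reader = command.ExecuteReader();
        while (reader.Read())
            names.Add(reader.GetString(0));
        return names;
    }

    // Partial match. Parameters stop injection, but % and _ are still LIKE
    // wildcards inside the bound value, so escape them (SQL Server bracket
    // syntax) before binding the result to "where Name like @pattern".
    public static string LikePattern(string fragment)
    {
        string escaped = fragment.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        return "%" + escaped + "%";
    }
}
```

Dapper's `connection.Query<Customer>(sql, new { name, regionId })` in the answer above builds the same SqlCommand and parameters for you; the LIKE escaping is still your job in either case.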
