Reputation: 4560
I'm having a problem when I try to make an INSERT query with a value that has '>', '%' and other special chars on a SQL Server database...
The application is of course an ASP.NET Web application (C#).
The way I'm preparing the insert query is:
string Query1 =
"UPDATE message SET message = '" + mymessage + "' " +
"WHERE operationType = '" + value_operationType + "' " +
"AND languageType = '" + value_languageType + "';";
Using IIS 7 I don't have this problem but using IIS 6 I have it.
Is there some configuration I should change on IIS 6?
Thanks!
Upvotes: 2
Views: 481
Reputation: 4560
Just to answer my question since a colleague was able to provide it, the solution was to add this single line to web.config:
<system.web>
...
<httpRuntime requestValidationMode="2.0" />
...
</system.web>
Thanks
Upvotes: 0
Reputation: 61729
Just so you know, this is a dangerous way to run a query as someone can drop your entire database if they know how, and it will probably happen one day!
In answer to your original question, you can HTML encode the values:
string htmlEncodedMessage = Server.HtmlEncode(mymessage);
string Query1 =
"UPDATE message SET message = '" + htmlEncodedMessage + "' " +
"WHERE operationType = '" + value_operationType + "' " +
"AND languageType = '" + value_languageType + "';";
I highly advise you look at other methods of database manipulation, such as LINQ to SQL.
Upvotes: 0
Reputation: 4779
Creating an SQL command like that can result in SQL injection - the correct approach is to use SQL parameters.
Have a look at: C# Update Table using SqlCommand.Parameters ASP.NET
Upvotes: 3
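The parameterized form of the question's UPDATE, as an added example (not code from the question or any of the answers): the table and column names come from the question, while the connection string and the parameter sizes are assumptions for illustration. Unlike Server.HtmlEncode, which only changes how the text renders in a browser, the parameters keep the values out of the SQL text entirely.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: the UPDATE from the question rewritten with
// SqlCommand.Parameters. Table/column names are from the question;
// the connection string and column sizes are assumptions.
public static class MessageRepository
{
    private const string UpdateSql =
        "UPDATE message SET message = @message " +
        "WHERE operationType = @operationType " +
        "AND languageType = @languageType;";

    // Returns the number of rows affected by the UPDATE.
    public static int UpdateMessage(string connectionString,
                                    string mymessage,
                                    string valueOperationType,
                                    string valueLanguageType)
    {
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(UpdateSql, connection))
        {
            // Typed parameters are sent to SQL Server separately from the
            // statement text, so characters such as ' > % or ; in the values
            // are stored literally and cannot alter the statement.
            // NVarChar length -1 is nvarchar(max); the 50s are assumed sizes.
            command.Parameters.Add("@message", SqlDbType.NVarChar, -1).Value = mymessage;
            command.Parameters.Add("@operationType", SqlDbType.NVarChar, 50).Value = valueOperationType;
            command.Parameters.Add("@languageType", SqlDbType.NVarChar, 50).Value = valueLanguageType;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

With this in place the requestValidationMode change in the accepted answer is no longer needed to get the text into the database, since request validation only inspects the incoming request for markup and has no effect on how the value reaches SQL Server.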