Reputation: 1371
mysql_real_escape_string() in .NET Framework
i want to find a function in .NET framework to calls SQL-Server's library for escaping really a value for sending to sql server, as mysql-real-escape-string() calls MySQL's library to do in PHP.
please propose a method that i can call it and it return escaped string via one round-trip to database, no need fo executing It's query
Is there it?
Upvotes: 1
Views: 810
Answers (1)
Reputation: 292735
Why do you want to do that? The correct way to send user input to the database is not to escape it, but to use query parameters.
using(var command = new SqlCommand("insert into MyTable(X, Y) values(@x, @y)", connection))
{
command.Parameters.Add("@x", textBoxX.Text);
command.Parameters.Add("@y", textBoxY.Text);
command.ExecuteNonQuery();
}
This provides better performance, because the query text is always the same so the query execution plan can be cached. This also protects you against SQL injection attacks. And it also allows you to ignore data formatting issues (e.g. how is a DateTime formatted in SQL-Server? How should you represent a number in SQL? and so on)
Upvotes: 3
Related Questions
- Escape special characters in MySQL using C# and ASP.Net
- Escaping values in SQL queries (C# with SQL connector)
- how do I use mysql real escape string?
- Escape MySQL PHP
- C# equivalent of php mysql_real_escape_string function
- php's mysql_real_escape_string doesn't work?
- Escape character being added when using mysql_real_escape_string
- How do i escape mysql strings in C# for use with LIKE
- Escaping Characters from MySQL from PHP Framework
- Escaping MySQL characters in .NET