Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Creating safe SQL statements as strings

Tags:

c#

.net

sql

concatenation

stringbuilder

I'm using C# and .NET 3.5. I need to generate and store some T-SQL insert statements which will be executed later on a remote server.

For example, I have an array of Employees:

new Employee[]
{
   new Employee { ID = 5, Name = "Frank Grimes" },
   new Employee { ID = 6, Name = "Tim O'Reilly" }
}

and I need to end up with an array of strings, like this:

"INSERT INTO Employees (id, name) VALUES (5, 'Frank Grimes')",
"INSERT INTO Employees (id, name) VALUES (6, 'Tim O''Reilly')"

I'm looking at some code that creates the insert statements with String.Format, but that doesn't feel right. I considered using SqlCommand (hoping to do something like this), but it doesn't offer a way to combine the command text with parameters.

Is it enough just to replace single quotes and build a string?

string.Format("INSERT INTO Employees (id, name) VALUES ({0}, '{1}')",
    employee.ID,
    replaceQuotes(employee.Name)
    );

What should I be concerned about when doing this? The source data is fairly safe, but I don't want to make too many assumptions.

EDIT: Just want to point out that in this case, I don't have a SqlConnection or any way to directly connect to SQL Server. This particular app needs to generate sql statements and queue them up to be executed somewhere else - otherwise I'd be using SqlCommand.Parameters.AddWithValue()

like image 341
Jason Anderson Avatar asked Nov 15 '08 23:11

Jason Anderson

2 Answers

Create your SqlCommand object like so:

SqlCommand cmd = new SqlCommand(
        "INSERT INTO Employees (id, name) VALUES (@id, @name)", conn);

SqlParameter param  = new SqlParameter();
param.ParameterName = "@id";
param.Value         = employee.ID;

cmd.Parameters.Add(param);

param  = new SqlParameter();
param.ParameterName = "@name";
param.Value         = employee.Name;

cmd.Parameters.Add(param);

cmd.ExecuteNonQuery();
like image 182
Mitch Wheat Avatar answered Oct 13 '22 08:10

Mitch Wheat

Use parameterised commands. Pass the parameters along to your remote server as well, and get that to call into SQL Server, still maintaining the distinction between the SQL itself and the parameter values.

As long as you never mix treat data as code, you should be okay.

like image 41
Jon Skeet Avatar answered Oct 13 '22 08:10

Jon Skeet
Sign in to Comment

Related questions

ASP.NET Identity: get all users in a role
Animating Gif in WPF
Page.ClientScript.RegisterStartupScript not showing messages for 2nd time
Delegates, Actions and Memory Allocations
Getting "Cannot access a closed file" errormessage when getting file from session
WPF DataTrigger to display and hide grid column XAML
Value cannot be null. Parameter name: extent
How to add a nested Web.config file?
Polymorphism and casting
C# Reflection - How to set field value for struct
assigning value from js code to mvc razor's hidden field
Why the increment of an integer on C# is executed after a function return its value?
How to use HttpClient without async
Response to preflight request doesn't pass access control check (Angular2)
Autofit Row Height of Merged Cell in EPPlus
Posting from AWS-API Gateway to Lambda
How to get return values and output values from a stored procedure with EF Core?
Copy files from Nuget package to output directory with MsBuild in .csproj and dotnet pack command
IHttpClientFactory in .NET Core 2.1 Console App references System.Net.Http
When to use ValueChanged and ValueExpression in Blazor?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!