String manipulations with SQL

#1

What is the best way to avoid string manipulations with SQL?

I have edit box control where database is opened for attacks through SQL
commands.

Something like this:
selectString = "SELECT FIRSTNAME, LASTNAME FROM xxxTable WHERE
FIRSTNAME='"+txtTextBox1.Text"'";

Furthermore I would like to avoid of using some characters like ;:,. etc.

If you know for some example I appreciate it. Thanks in advance...

#2

Use Parameterized Queries to avoid SQL Injection attacks.

"news.microsoft.com" <ablyplus (AT) yahoo (DOT) com> wrote

Quote:

What is the best way to avoid string manipulations with SQL?

I have edit box control where database is opened for attacks through SQL
commands.

Something like this:
selectString = "SELECT FIRSTNAME, LASTNAME FROM xxxTable WHERE
FIRSTNAME='"+txtTextBox1.Text"'";

Furthermore I would like to avoid of using some characters like ;:,. etc.

If you know for some example I appreciate it. Thanks in advance...

#3

Here's a great article to help avoid SQL attacks:

http://msdn.microsoft.com/msdnmag/issues/04/09/SQLInjection/default.aspx

Good luck!
PFD

news.microsoft.com wrote:

Quote:

What is the best way to avoid string manipulations with SQL?

I have edit box control where database is opened for attacks through
SQL
commands.

Something like this:
selectString = "SELECT FIRSTNAME, LASTNAME FROM xxxTable WHERE
FIRSTNAME='"+txtTextBox1.Text"'";

Furthermore I would like to avoid of using some characters like ;:,.
etc.

If you know for some example I appreciate it. Thanks in advance...

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

String manipulations with SQL

CSharp microsoft.public.dotnet.languages.csharp

String manipulations with SQL - 05-03-2005 , 01:18 PM

Re: String manipulations with SQL - 05-03-2005 , 01:21 PM

Re: String manipulations with SQL - 05-03-2005 , 01:27 PM