How to prevent a SQL Injection escaping strings

c# .net sql-injection

You need to use parameters. Well dont have to but would be preferable.

SqlParameter[] myparm = new SqlParameter[2];
myparm[0] = new SqlParameter("@User",user);
myparm[1] = new SqlParameter("@Pass",password);

string comando = "SELECT * FROM ANAGRAFICA WHERE E_MAIL=@User AND PASSWORD_AZIENDA=@Pass";

Don't escape the strings to start with - use a parameterized query. Benefits of this over escaping:

  • The code is easier to read
  • You don't have to rely on getting the escaping correct
  • It's possible that there are performance improvements (DB-specific etc)
  • It separates "code" (the SQL) from the data, which is just good sense logically
  • It means you don't need to worry about data formats for things like numbers and dates/times.

The docs for SqlCommand.Parameters give a good, complete example.

Related

Why pass parameters to CSS and JavaScript link files like src="../cnt.js?ver=4.0"?
Custom Deserialization using Json.NET
Shift elements in array by index
The calling thread cannot access this object because a different thread owns it [duplicate]
What is causing NotSupportedException ("The given path's format is not supported") while using a valid path?
Android app crashing (fragment and xml onclick)
MySQL Errno 150
Why can't I assign a List<Derived> to a List<Base>?
is it possible to open Settings App using openURL?
SwiftUI: Broken explicit animations in NavigationView?
Multiple functions with the same name
Linq version of SQL "IN" statement