Re: Apostrophe in SQL string
From: Robbe Morris (info_at_turnkeytools.com)
Date: 02/07/05
- Next message: User: "Re: Apostrophe in SQL string"
- Previous message: Rudy: "How to control a login?"
- In reply to: Angel Saenz-Badillos[MS]: "Re: Apostrophe in SQL string"
- Next in thread: User: "Re: Apostrophe in SQL string"
- Reply: User: "Re: Apostrophe in SQL string"
- Messages sorted by: [ date ] [ thread ]
Date: Sun, 6 Feb 2005 22:03:14 -0500
I agree with the poster below about "never" doing this.
For a variety of reasons, you have just opened up a major
security hole in your application even if you successfully
convert the apostrophes. You never know which "smart guy"
will start playing with your application just to prove how smart
they are and how dumb you are. You'd be surprised at the
number of "second cousins" that employees let play with
their work software/web sites.
The security hole you open up with dynamic sql strings would
be a cake-walk for any 12 year old who has an ounce of sense
about programming.
Is this the person you want to introduce to your boss as the
one who crashed your app or more likely deleted your data?
My intent is not to hurt your feelings, abuse you, or talk down
to you. Just to give a wake up call to someone I'm sure works
their tail off to build great software. I'd hate to see you get
embarrased.
I understand some applications may need to have different
update or insert statements for different situations. In these
cases, you could include an extra parameter in your
stored procedure that dictates which statements to process.
Include all possible input parameters and ensure that those
that are optional can be set as null or default values if they
aren't passed in.
-- 2005 Microsoft MVP C# Robbe Morris http://www.masterado.net http://www.mastervb.net "Angel Saenz-Badillos[MS]" <angelsa@online.microsoft.com> wrote in message news:uEeUnIjCFHA.2156@TK2MSFTNGP10.phx.gbl... > Miha, > I wonder the same thing, I guess the answer is that we have not been able > to > come up with a good solution in this space. Do you have any suggestions? I > would be happy to pass them on. > > -- > Angel Saenz-Badillos [MS] Managed Providers > This posting is provided "AS IS", with no warranties, and confers no > rights.Please do not send email directly to this alias. > This alias is for newsgroup purposes only. > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/ > > > > > "Miha Markic [MVP C#]" <miha at rthand com> wrote in message > news:e0O4TNKBFHA.1992@TK2MSFTNGP10.phx.gbl... >> Hi Angel, >> >> I hope you have this answer in "favorites answers" as it will have to be >> repeated many times :-) >> OTOH, I can imagine a scenario where you might have to pass in a > dynamically >> built WHERE clause instead of parameters: >> IN clause is a very tempting candidate - when there is too many > parameters. >> There are workarounds, but they are all "not that easy" to employ. >> >> As this is very annoying (dealing with parameter lists that is) I can >> only >> wonder why there is (still) no support for parameter lists even in Yukon. >> Can you shed some light on this? >> >> -- >> Miha Markic [MVP C#] - RightHand .NET consulting & development >> SLODUG - Slovene Developer Users Group >> www.rthand.com >> >> "Angel Saenz-Badillos[MS]" <angelsa@online.microsoft.com> wrote in >> message >> news:un$9dGKBFHA.1564@TK2MSFTNGP09.phx.gbl... >> > This just cannot be repeated enough times. >> > DO NOT pass in customer data directly into a Sql Query. ALWAYS use >> > parameters. >> > >> > -- >> > Angel Saenz-Badillos [MS] Managed Providers >> > This posting is provided "AS IS", with no warranties, and confers no >> > rights.Please do not send email directly to this alias. >> > This alias is for newsgroup purposes only. >> > I am now blogging about ADO.NET: http://weblogs.asp.net/angelsb/ >> > >> > >> > >> > >> > "Guest" <Guest@aew_nospam.com> wrote in message >> > news:eGBVebFBFHA.3336@TK2MSFTNGP11.phx.gbl... >> >> You've probably solved this by now. All you have to do is add another >> > apostrophe beside the one you'd like to store e.g. insert into table >> > XYZ >> > (Firstname) values ('D''Artienne'). >> >> >> >> So in the table the column Firstname stores the value D'Artienne. >> >> >> >> Cheers >> >> T >> >> >> >> >> >> > Hi, >> >> > >> >> > in my application I add personal information about customers to a >> > database >> >> > by sending a SQL string. Now, sometimes there are customers with > names >> > that >> >> > contain an apostrophe (like D'Artienne, etc.). Now, when I create a > SQL >> >> > string with such an apostrophe it gets malformatted (like: "insert > into >> >> > table1 (Firstname) values ('D'Artienne')" ). So, is there any way to >> > insert a >> >> > name that contains an apostrophe into a table by SQL? >> >> > >> >> > >> >> > Thanks a lot >> >> > peter >> >> >> >> User submitted from AEWNET (http://www.aewnet.com/) >> > >> > >> >> > >
- Next message: User: "Re: Apostrophe in SQL string"
- Previous message: Rudy: "How to control a login?"
- In reply to: Angel Saenz-Badillos[MS]: "Re: Apostrophe in SQL string"
- Next in thread: User: "Re: Apostrophe in SQL string"
- Reply: User: "Re: Apostrophe in SQL string"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
