Re: Handling Strings in SQL server

About injection you are right but the string was 'O' and all this quoted so
was safe...
And are scenarios when stored procedures are a no no for example multi
database targeting.
But if just old plain SQL Server stored procedures is the most common
solution.

"William Vaughn [MVP]" wrote:

Ah, no. There are several issues here. First, if your application has
problems with the "O'Malley" issue (imbedded single quotes in strings), you
need to address the problem at the root. While it's possible to simply pass
two single quotes (O''Malley) this does not address the real problem.
Consider than if your code permits users to enter strings with embedded
single quotes, they can also introduce SQL injection attacks.

A real solution is to pass your string arguments to your SQL queries in ADO
or ADO.NET Parameter objects. The data providers know how to frame strings
so that imbedded single quotes are not an issue. This approach also deals
with a number of other issues--including SQL injection.

hth

--
__________________________________________________________________________
William R. Vaughn
President and Founder Beta V Corporation
Author, Mentor, Dad, Grandpa
Microsoft MVP
(425) 556-9205 (Pacific time)
Hitchhiker’s Guide to Visual Studio and SQL Server (7th Edition)
____________________________________________________________________________________________

"MrSmersh" <MrSmersh@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4E558D94-CD4D-44FC-A920-FBF9E3CF6448@xxxxxxxxxxxxxxxx
Your problem is the ', try \'. ' is the SQL string "enclosure" so you need
to
escape it.


"Bhakti via DotNetMonster.com" wrote:

how to pass a string having delimitors in sql server cause it is give an
error while saving.

for ge. Name="'D'Malo'"

for this string it is giving an error.
how to resolve this.

--
Message posted via DotNetMonster.com
http://www.dotnetmonster.com/Uwe/Forums.aspx/dotnet-ado-net/200805/1



.

Relevant Pages

  • Re: Need help with SQL injection proof recordset Update code
    ... the recent work attack used a standard method for injecting ... no way that the simple method of doubling all possible single quotes inside ... the only way that you can be hurt by SQL injection ... alphanumeric string values - that are to be enclosed between ...
    (microsoft.public.inetserver.asp.db)
  • Re: Problems with Delete Command
    ... The SQL could get fairly messy if you need to construct it in code, ... ContactID, and WebComID, and create your on-the-fly SQL on that saved query, ... to find the list of ContactIDs from the junction table, ... This is a style/readability thing: if you are going to use string ...
    (microsoft.public.access.tablesdbdesign)
  • Re: Best practice for setting ANSI Nulls and Quoted Identifiers?
    ... > is critical when single quotes are embedded in the string. ... But this is only an issue for dynamic SQL, which should be the excepion as ... ANSI standard behavior dictates that comparison of NULL's return NULL. ...
    (microsoft.public.sqlserver.programming)
  • Re: What is missing?
    ... You're trying to use single quotes to denote string values in SQL statements ... (which is correct in most RDBMS like SQL Server or Oracle), ...
    (microsoft.public.access.tablesdbdesign)
  • Re: Need help with Code Please!!!
    ... posted in response to my last post was some SQL, but this is not the SQL that ... the actual string that gets built at the end of the SQ1 build process. ... The message says Syntax error in query expression ... Dim rs As Recordset 'object ref to qryCompany\USFNumber ...
    (microsoft.public.access.formscoding)
Quantcast