{"id":1241,"date":"2014-05-06T16:02:08","date_gmt":"2014-05-06T16:02:08","guid":{"rendered":"https:\/\/ibex.tech\/cloud\/?p=1241"},"modified":"2022-02-17T07:14:03","modified_gmt":"2022-02-17T07:14:03","slug":"sanitizing-queries","status":"publish","type":"post","link":"https:\/\/ibex.tech\/cloud\/sql-server\/queries-microsoft-sql-server\/select-statements\/sanitizing-queries","title":{"rendered":"Sanitizing Queries"},"content":{"rendered":"

\nUse parameter based queries instead of trying to sanitize strings – its much safer and easier.\n<\/p>\n

\nGood resources:\n<\/p>\n

\nhttp:\/\/stackoverflow.com\/questions\/249567\/algorithm-to-avoid-sql-injection-on-mssql-server-from-c-sharp-code<\/a>\n<\/p>\n

\nC++ .Net example of a parameter based query
\n<\/h4>\n
\r\n\r\n\tSqlConnection1->Open();\r\n\tSqlClient::SqlDataAdapter ^SqlDataAdaptor1 = gcnew SqlClient::SqlDataAdapter();\r\n\tSqlDataAdaptor1->MissingSchemaAction = MissingSchemaAction::AddWithKey;\r\n\tDataSet ^DataSet1 = gcnew DataSet();\r\n\tSqlClient::SqlCommand ^SqlCommand1 = gcnew SqlClient::SqlCommand();\r\n\tSqlCommand1->Connection = SqlConnection1;\r\n\tSqlClient::SqlCommandBuilder ^CmdBuilder1 = gcnew SqlClient::SqlCommandBuilder();\r\n\tCmdBuilder1->DataAdapter = SqlDataAdaptor1;\r\n\r\n\t\/\/----- GET TABLE -----\r\n\tSqlCommand1->CommandText = "SELECT * FROM MyTable WHERE MyColumnName = @Param1";\r\n\tSqlCommand1->Parameters->AddWithValue("@Param1", SomeVariableValue);\r\n\r\n\tSqlDataAdaptor1->SelectCommand = SqlCommand1;\r\n\tSqlDataAdaptor1->Fill(DataSet1, "MyTable");\r\n\tDataTable ^Table1 = DataSet1->Tables[\"MyTable\"];\r\n\r\n\t\/\/----- READ ROWS -----\r\n\tif (Table1->Rows->Count)\r\n<\/code><\/pre>\n
\nThese are the important lines:
\n<\/h5>\n
\r\n\r\n\tSqlCommand1->CommandText = "SELECT * FROM MyTable WHERE MyColumnName = @Param1";\r\n\tSqlCommand1->Parameters->AddWithValue("@Param1", SomeVariableValue);\r\n<\/code><\/pre>\n
\nThere is no need to add single quotes around string etc parameters in the Command Text, this is fine:\n<\/p>\n
\r\n\r\n\tSqlCommand1->CommandText = "SELECT * FROM MyTable WHERE MyColumnName = @Param1";\r\n\tSqlCommand1->Parameters->AddWithValue("@Param1", SomeString);\r\n<\/code><\/pre>\n
\n <\/p>\n","protected":false},"excerpt":{"rendered":"
Use parameter based queries instead of trying to sanitize strings – its much safer and easier. Good resources: http:\/\/stackoverflow.com\/questions\/249567\/algorithm-to-avoid-sql-injection-on-mssql-server-from-c-sharp-code C++ .Net example of a parameter based query SqlConnection1->Open(); SqlClient::SqlDataAdapter ^SqlDataAdaptor1 = gcnew SqlClient::SqlDataAdapter(); SqlDataAdaptor1->MissingSchemaAction = MissingSchemaAction::AddWithKey; DataSet ^DataSet1 = gcnew DataSet(); SqlClient::SqlCommand ^SqlCommand1 = gcnew SqlClient::SqlCommand(); SqlCommand1->Connection = SqlConnection1; SqlClient::SqlCommandBuilder ^CmdBuilder1 = gcnew SqlClient::SqlCommandBuilder(); CmdBuilder1->DataAdapter […]<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[124,6],"tags":[],"class_list":["post-1241","post","type-post","status-publish","format-standard","hentry","category-queries-microsoft-sql-server","category-select-statements"],"_links":{"self":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1241","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/comments?post=1241"}],"version-history":[{"count":3,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1241\/revisions"}],"predecessor-version":[{"id":1260,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/posts\/1241\/revisions\/1260"}],"wp:attachment":[{"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/media?parent=1241"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/categories?post=1241"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ibex.tech\/cloud\/wp-json\/wp\/v2\/tags?post=1241"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}