I already have Parameterized Stored Proc.

I want to know how I would prevent single quotes or sql statements like "select..." from being entered into a textbox.

Currently this is my process, I "edit top 200 rows of table" in sql and put in "select * From Table" and then that string will populate the textbox when I run the page. I want to replace "select" with a blank space or "hello".

What I have tried:

I have tried this (the Replace chain runs on the textbox's Text property; the result has to be assigned or it is discarded):

string cleaned = textbox.Text.ToLower().Replace("select", "").Replace("'", "''");
Posted
Updated 27-May-20 10:53am
Comments
MadMyche 27-May-20 16:40pm
   
Unless your Stored Procedure is utilizing Dynamic SQL within it, there is not too much to worry about when Parameters are being used.
Would you care to share the SP code for review?

Solution 1

In your code you should also use parameters. For example
using System.Data;
using System.Data.SqlClient;
...
using (SqlCommand cmd = new SqlCommand("SP_Name", sqlCon))
{
  cmd.CommandType = CommandType.StoredProcedure; // execute the named procedure instead of parsing "SP_Name" as a batch
  ...
  cmd.Parameters.AddWithValue("@param1", textField1.Text); // the text is sent as a parameter value, never spliced into SQL text
  ...
}


In theory, this is sufficient for preventing SQL injection. If you want to take it further you could replace known keywords or check for specific ranges of values depending on your data.
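An added example, not code from the question or either solution, putting the concatenated call the question's Replace() filter is trying to patch next to the parameterized stored-procedure call the solution describes. The procedure name `usp_SaveNote`, its `@Note` parameter and the connection string are assumed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class NoteRepository
{
    // "Before": the textbox value becomes part of the SQL text, so a single quote
    // in it changes the statement. Kept only to show what parameters replace.
    public static string BuildConcatenatedSql(string noteText)
    {
        return "EXEC usp_SaveNote '" + noteText + "'";
    }

    // "After": the value travels as a typed parameter. SQL Server never parses it
    // as SQL, so "select * From Table" or O'Brien are stored exactly as typed and
    // no Replace() of keywords or quotes is needed.
    public static int SaveNote(string connectionString, string noteText)
    {
        using (SqlConnection sqlCon = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand("usp_SaveNote", sqlCon))
        {
            cmd.CommandType = CommandType.StoredProcedure; // call the proc, do not parse a batch

            // Explicit type and length instead of AddWithValue: AddWithValue infers
            // NVARCHAR(length of string) from the .NET value, which can trigger implicit
            // conversions; declaring the type keeps it aligned with the proc's signature.
            cmd.Parameters.Add("@Note", SqlDbType.NVarChar, 200).Value = noteText;

            sqlCon.Open();
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }
}
```

The caveat from the comment on the question still applies: if usp_SaveNote itself builds dynamic SQL by concatenating @Note, the injection point has only moved server-side, and the procedure should pass the value through sp_executesql's parameters instead.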
   
Comments
Charrlay 27-May-20 16:28pm
   
Thank you for your quick response but I have also implemented this in my code.
ZurdoDev 27-May-20 16:45pm
   
Then that's all you need.
Maciej Los 28-May-20 6:09am
   
5ed!

Solution 2

Quote:
I want to know how I would prevent single quotes or sql statements like "select..." from being entered into a textbox.

You don't need to, if stored proc is done properly. But you didn't show that stored proc.

A couple of articles about SQL injection:
SQL injection - Wikipedia
SQL Injection
SQL Injection Attacks by Example
PHP: SQL Injection - Manual
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange
   
Comments
Charrlay 27-May-20 16:49pm
   
You do not need to see the sp. Assume it is done correctly.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)