Equivalent function of mysql_real_escape_string() in C#
5.00/5 (2 votes)
Implement function in C# to emulate functionality of mysql_real_escape_string() C API function.
Introduction
Implement function in C# to emulate functionality of mysql_real_escape_string() C API function.
Background
When writing application programs, any string that might contain any of these special characters must be properly escaped before the string is used as a data value in an SQL statement that is sent to the MySQL server.
MySQL Reference: Special Character Escape Sequences
Using the code
string SQL = string.Format("SELECT * FROM Users WHERE UserName='{0}' AND Password='{1}'", MySQLEscape(Username), MySQLEscape(Password));
MySqlCommand cmd = new MySqlCommand(SQL, this.connection);
private static string MySQLEscape(string str)
{
return Regex.Replace(str, @"[\x00'""\b\n\r\t\cZ\\%_]",
delegate(Match match)
{
string v = match.Value;
switch (v)
{
case "\x00": // ASCII NUL (0x00) character
return "\\0";
case "\b": // BACKSPACE character
return "\\b";
case "\n": // NEWLINE (linefeed) character
return "\\n";
case "\r": // CARRIAGE RETURN character
return "\\r";
case "\t": // TAB
return "\\t";
case "\u001A": // Ctrl-Z
return "\\Z";
default:
return "\\" + v;
}
});
}
Interesting
A straightforward, though error-prone, way to prevent SQL injections is to escape characters that have a special meaning in SQL.