
I just found out that if I write

```sql
select * from tbl where name like @foo
```

and then add `foo` as a parameter with the value `\a` (user data), it will not escape it correctly. What the hell!?! It wants `\\a`. I can't help but feel I'm open to SQL injection even though I am using parameters.

How do I escape the user data in variables correctly? I'm using MySQL from C# with Dapper.net.

  • You might want to look at [this answer](http://stackoverflow.com/questions/5962117/is-there-a-way-to-call-a-stored-procedure-with-dapper) to see if it's what you're trying to do. – tadman Nov 28 '12 at 21:06
  • @tadman: Nah I don't like stored procedures –  Nov 28 '12 at 21:07
  • That seems to be talking about dynamic parameters, which is sometimes pretty much the same thing depending on your ORM. There's nothing to "like" about stored procedures. Just as you're supposed to eat your vegetables, follow best practices. – tadman Nov 28 '12 at 21:10
  • @tadman: Alright but I still have no idea how to escape user data –  Nov 28 '12 at 21:12

1 Answer


For LIKE statements I add in this:

```csharp
.Replace(@"\", @"\\").Replace(@"_", @"\_").Replace(@"%", @"\%")
```
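The following is an added example, not code from the question or the answer above, that puts the answer's `Replace` chain into context. The parameter in the question already made `\a` plain data as far as the SQL parser is concerned, so this is not SQL injection; what the questioner is seeing is MySQL's LIKE operator interpreting `\`, `%` and `_` inside the pattern. Escaping those three characters (backslash first, so the backslashes added for `%` and `_` are not doubled again) makes the user's text match literally. The practical risk of skipping this step is not injection but over-matching: a user supplying `%` matches every row, and a leading wildcard can turn an indexed lookup into a full scan. The example also shows a variant with an explicit `ESCAPE '!'` clause so the pattern's meaning does not depend on server defaults. It assumes the Dapper and MySql.Data NuGet packages and a table `tbl` with a `name` column; the connection string is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using Dapper;
using MySql.Data.MySqlClient;

// Added example (not from the question or answer above). Assumes the Dapper
// and MySql.Data packages and a table "tbl" with a "name" column.
public static class LikeSafe
{
    // Escape the three characters MySQL's LIKE treats specially when the
    // default escape character ('\') is in use. The backslash must be handled
    // first; otherwise the backslashes added for '_' and '%' would themselves
    // be doubled by the next Replace.
    public static string EscapeForLike(string userInput)
    {
        if (userInput == null) return string.Empty;
        return userInput
            .Replace(@"\", @"\\")
            .Replace("_", @"\_")
            .Replace("%", @"\%");
    }

    // Variant with a caller-chosen escape character. The query must then
    // declare the same character with an ESCAPE clause (see below), which
    // removes any dependence on the server's default escape handling.
    public static string EscapeForLike(string userInput, char escape)
    {
        if (userInput == null) return string.Empty;
        var e = escape.ToString();
        return userInput
            .Replace(e, e + e)      // escape character first, same reason as above
            .Replace("_", e + "_")
            .Replace("%", e + "%");
    }

    // "Contains" search. The wildcards wrapped around the value are ours; any
    // wildcards in the user's text are escaped. The whole pattern still travels
    // as a parameter (@pattern), so it is data to the SQL parser, never SQL.
    public static IEnumerable<string> FindNamesContaining(MySqlConnection conn, string userInput)
    {
        const string sql = "SELECT name FROM tbl WHERE name LIKE @pattern ESCAPE '!'";
        var pattern = "%" + EscapeForLike(userInput, '!') + "%";
        return conn.Query<string>(sql, new { pattern });
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs illustrating the escaping. Unescaped, "%" would
        // match every row, "_" any single character, and "\a" would be read by
        // LIKE as an escaped "a"; escaped, each character matches only itself.
        foreach (var input in new[] { @"\a", "50%", "a_b", "100% done!" })
        {
            Console.WriteLine($"{input,-12} default-escape: {LikeSafe.EscapeForLike(input),-16} ESCAPE '!': {LikeSafe.EscapeForLike(input, '!')}");
        }

        // Real query against a database; replace the placeholder connection string.
        // using (var conn = new MySqlConnection("<connection string placeholder>"))
        // {
        //     conn.Open();
        //     foreach (var name in LikeSafe.FindNamesContaining(conn, "50%"))
        //         Console.WriteLine(name);
        // }
    }
}
```

The escaping helper is deliberately kept separate from the query so it can be unit-tested without a database, and the `ESCAPE '!'` form is the one to prefer when the same pattern-building code must behave identically across server configurations.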