Escape ( ' ） symbol in Textbox for asp.net c#

Question

Currently I learning the asp.net in c#, I found that if I allow users to input some value in Textbox field, the (') simbol will cause the sql statement throw error

the good practices to avoid this kind of error is to block the symbol using javascript like "event.keyCode!=222" or replace it by other symbol?

If you do not want ' symbol to be part of data then you can use validation but if it could be part of data then you can use parameterized query, it will also protect you by sql inject. Read more about using parameter in sql here, http://stackoverflow.com/questions/7505808/why-do-we-always-prefer-using-parameters-in-sql-statements — Adil, May 31 '16 at 04:56
**Do *not* "escape" the character** - this is just hiding the problem. Use the appropriate SQL placeholder / parameterized query. In C# this usually involves SqlParameter, as shown in the linked answer. (Likewise, when using the value, ensure that the appropriate usage/encoding method for the *given context*.) — user2864740, May 31 '16 at 05:03
Thanks everyone! So for the conclusion, the parameterized query would be the best practices to solve this issues? — 120196, May 31 '16 at 06:54

score 0 · Answer 1 · answered May 31 '16 at 04:54

If you are using an ORM (such as entity framework) the (') symbol should not be an issue. In any case you should handle special characters on the server side (C#) and not the client side (JS) , otherwise your code will be vulnerable to SQL injection and other nasty pests.

score 0 · Answer 2 · edited May 23 '17 at 10:29

0

It's not only the ' character, there can be more. Check this Which characters are actually capable of causing SQL injection in mysql for better understanding.

And you should do the filtering on server side, do not rely on client side JavaScript as that can be skipped.

Better option is to use a stored procedure, and pass the value submitted by user through a parameter, instead of dynamically constructing SQL strings. That could reduce the risk of SQL injection.

edited May 23 '17 at 10:29

Community

1
1

answered May 31 '16 at 04:56

BuddhiP

6,231
5
36
56

Thanks！ I also think the js is not a good practice because user can direct copy paste those symbol. – 120196 May 31 '16 at 06:59

score 0 · Answer 3 · answered May 31 '16 at 05:12

If you want to prevent SQL injection by escaping query string, either use methods which convert apostrophes and special symbols into plain text on server-side, or use parameterized queries with stored procedures.

You can perform Regex.Replace to escape all apostrophes and double minus (comment sign) to plain query string on server side similar to this:

String yourEscapePattern = "[escaped patterns]";
String replacementString = "[replacement here]";
Regex reg = new Regex(yourEscapePattern);
String query = Regex.Replace(input, replacementString);

Parameterized query example:

using (var command = new SqlCommand("[stored procedure name]", connection))
{
    command.CommandType = CommandType.StoredProcedure;
    command.Parameters.Add("@Parameter1", SqlDbType).Value = Value1;
    // other parameters here

    command.ExecuteNonQuery(); // or ExecuteReader
}

The regex-replace is not needed, Using parameters to pass values (instead of building the full query yourself) is enough to prevent sql-injection / breaking on quotes — Hans Keﬆing, May 31 '16 at 06:44

score 0 · Answer 4 · answered May 31 '16 at 06:39

0

you can use

HttpUtility.UrlEncode("some Text'(");

befor saving your text to datebase

answered May 31 '16 at 06:39

Muhammad Saqib

114
10

Thanks, or u mean --> ('some Text'("); ? – 120196 May 31 '16 at 06:57
"sometext" is your string entered by u user in that textbox you can use some thing like that HttpUtility.UrlEncode(textbox1.text); – Muhammad Saqib May 31 '16 at 07:01

Escape ( ' ） symbol in Textbox for asp.net c#

4 Answers4

Linked