Request.form returns value with comma

Question

When I run this code:

string MySQL = "Select * From RegisterDatabase Where uName  = '" + Request.Form["username"] +"'";

It didn't work for me, so I tried to see what the problem was and it turns out there's a comma in MySQL.

Select * From RegisterDatabase Where uName  = 'Test,'

How do I fix this?

score 2 · Answer 1 · edited May 23 '17 at 11:46

Your code is prone to SQL Injection attack.

You want to parameterized query like this -

string query = "Select * From RegisterDatabase Where uName = @username";

// Remove "," from username
string username = Request.Form["username"].ToString().Replace(",", "");

MySqlCommand command = new MySqlCommand(query);
command.Parameters.AddWithValue("@username", username);

Or some use ?username instead of @username.

score -1 · Accepted Answer · answered Mar 22 '17 at 15:19

-1

Use following

Request.Form["username"].ToString().Replace(',',' ').Trim();

answered Mar 22 '17 at 15:19

Ricky007

127
8

Thanks a bunch ! =) – Taabkl Mar 22 '17 at 15:42

Request.form returns value with comma

2 Answers2