1

I just read this question when I wondered how complex I should build my queries.

Until now, I just built a String using StringBuilder, because in this application only select, update, insert and delete are used. Now I was also wondering about correct escaping, when I asked myself, why escaping is not just escaping those signs ' to this \'.

Is there a more complex behaviour behind escaping or would this be complete?

Thanks for input!

Community
  • 1
  • 1
Florian Müller
  • 7,448
  • 25
  • 78
  • 120

1 Answers1

2

String built SQL is a bad idea, as it makes you prone to SQL Injection attacks.

If you can put your queries into Stored Procedures and parameterize your input values.

For information on SQL Injection attacks and how to prevent them, see the Open Web Application Security Project site:

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Mathew Thompson
  • 55,877
  • 15
  • 127
  • 148
  • +1 It's also bad for performance, whereas query plans for stored procedures can easily be re-used. – Bridge Mar 30 '12 at 07:35