dotnet ado.net, September 2007

Single Quote In A Text Field
In my efforts at learning ADO.NET I have discovered that it balks at text fields with single quote marks embedded. The field in question comprises notes that can contain anything; it is stored as a memo field in Access.

I tried to wrap the whole field in double quotes without success; it still balked at the first single quote and broke my insert statement.

Is there an easy way to handle this? If not I'll have to write a routine to strip out single quotes before saving the field.

--
Jeff Gaines
Hello Jeff,

Thanks for Miha's reply. In the ADO.NET world, OleDbParameter is provided to address such issues. We suggest you use parametrised SQL statements. This way, we can also avoid SQL injection attacks. For example:

    // init: open a connection to the Access (Jet) database
    System.Data.OleDb.OleDbConnection cn = new System.Data.OleDb.OleDbConnection();
    cn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\test.mdb";
    System.Data.OleDb.OleDbCommand cmd = new System.Data.OleDb.OleDbCommand();
    cmd.Connection = cn;
    // '?' is the positional parameter placeholder used by the OLE DB provider
    cmd.CommandText = "insert into Table1(field3) values (?)";
    cmd.CommandType = System.Data.CommandType.Text;
    cmd.Parameters.Add("@field3", System.Data.OleDb.OleDbType.VarWChar);

    // insert row: the value may contain single or double quotes; the provider
    // passes it as data, not as part of the SQL text
    cmd.Parameters["@field3"].Value = "test1'test2\"test3";
    cn.Open();
    cmd.ExecuteNonQuery();
    cn.Close();

Hope this helps. Please feel free to update here if you have anything unclear. We are glad to assist you.

Best regards,
Wen Yuan
Microsoft Online Community Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
Use parametrised SQL statements and thus avoid SQL injection attacks at the same time.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Jeff Gaines" <whitedragon@newsgroups.nospam> wrote in message news:xn0fb1nxk40tla2000@msnews.microsoft.com...
> In my efforts at learning ADO.NET I have discovered that it balks at text
> fields with single quote marks embedded. The field in question comprises
> notes that can contain anything, it is stored as a memo field in Access.
>
> I tried to wrap the whole field in double quotes without success, it still
> balked at the first single quote and broke my insert statement.
>
> Is there an easy way to handle this? If not I'll have to write a routine
> to strip out single quotes before saving the field.
>
> --
> Jeff Gaines
On 10/09/2007 in message <e2VMxm$8HHA.600@TK2MSFTNGP05.phx.gbl> Miha Markic wrote:
>Use parametrised sql statements and thus avoid sql injection attacks at
>the same time.

Many thanks, Miha :-)

I am very new to this so I had to look some of the words up, but I have amended the app and it works a treat now!

--
Jeff Gaines
On 11/09/2007 in message <0elJHvF9HHA.6140@TK2MSFTNGHUB02.phx.gbl> WenYuan Wang [MSFT] wrote:
>Hello Jeff,
>Thanks for Miha's reply.

Yes indeed :-)

>In ADO.Net world, OleDbParameter is invited to address such issue.
>We suggest you use parametrised SQL statements.
>By this way, we also could avoid SQL injection attacks.

[snipped]

>Hope this help. Please feel free to update here, if you have anything
>unclear. We are glad to assist you.

It certainly helps enormously :-)

I had 2 problems. The first is that the app I chose to convert to ADO.Net uses a couple of tables, each with lots of fields, many of which aren't stored but calculated. I know it's a minimal app to the professionals, but it was the wrong app to choose for this exercise. Anyway it's pretty well there now.

The second was a real brain fade. Having created functions to create parameterised insert/update strings, I decided they looked the same and could be combined. Of course they are not the same, but it took me a couple of hours to realise that. I am back on track now. I hope the old adage about learning from mistakes is true :-)

--
Jeff Gaines
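An added example, not code from the thread or from Microsoft, showing the two helpers Jeff describes written for the Jet OLE DB provider used in Wen Yuan's reply: one builds a parameterised INSERT, the other a parameterised UPDATE, and they are kept separate because the parameter order differs between the two. The table and column names in the usage note ("Table1", "Notes", "ID") and the sample note text are assumed values.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;

// Builds parameterised INSERT / UPDATE commands for the Jet OLE DB provider.
// Jet parameters are positional ('?'): add them in the order their
// placeholders appear. Values (notes with quotes included) travel as
// parameter data, never as SQL text. Table and column names are identifiers,
// not parameters: take them from the app's own schema, not from user input.
static class JetCommands
{
    public static OleDbCommand BuildInsert(OleDbConnection cn, string table,
                                           IDictionary<string, object> fields)
    {
        OleDbCommand cmd = new OleDbCommand { Connection = cn, CommandType = CommandType.Text };
        List<string> names = new List<string>();
        List<string> marks = new List<string>();
        // One pass keeps the name list and the parameter collection aligned.
        foreach (KeyValuePair<string, object> kv in fields)
        {
            names.Add("[" + kv.Key + "]");
            marks.Add("?");
            cmd.Parameters.AddWithValue("@" + kv.Key, kv.Value ?? DBNull.Value);
        }
        cmd.CommandText = "INSERT INTO [" + table + "] ("
            + string.Join(", ", names.ToArray()) + ") VALUES ("
            + string.Join(", ", marks.ToArray()) + ")";
        return cmd;
    }

    // UPDATE is not the same shape: SET pairs first, key value added last,
    // because its '?' is the last placeholder in the text.
    public static OleDbCommand BuildUpdate(OleDbConnection cn, string table,
                                           IDictionary<string, object> fields,
                                           string keyColumn, object keyValue)
    {
        OleDbCommand cmd = new OleDbCommand { Connection = cn, CommandType = CommandType.Text };
        List<string> sets = new List<string>();
        foreach (KeyValuePair<string, object> kv in fields)
        {
            sets.Add("[" + kv.Key + "] = ?");
            cmd.Parameters.AddWithValue("@" + kv.Key, kv.Value ?? DBNull.Value);
        }
        cmd.Parameters.AddWithValue("@" + keyColumn, keyValue);
        cmd.CommandText = "UPDATE [" + table + "] SET "
            + string.Join(", ", sets.ToArray()) + " WHERE [" + keyColumn + "] = ?";
        return cmd;
    }
}
```

With a constructed note such as "Customer said it's fine" in fields["Notes"] and an open connection cn, JetCommands.BuildInsert(cn, "Table1", fields).ExecuteNonQuery() stores the single quote intact, and JetCommands.BuildUpdate(cn, "Table1", fields, "ID", 7) changes the same row later; the concatenated statement from the original post fails on the same note.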
Ah, I doubt it. SQL Server and Oracle that support multiple operations are most vulnerable--SQL CE does not and is not subject to the same type of attacks.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP INETA Speaker
www.betav.com www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)

"Miha Markic" <miha at rthand com> wrote in message news:%235KTPCL9HHA.1188@TK2MSFTNGP04.phx.gbl...
> Every database is subject to SQL injection attacks (as long as it supports
> SQL of course) when not used correctly.
Hi WenYuan,

> By this way, we also could avoid SQL injection attacks.

In an Access database? AFAIK it can not be reached offline beside by a webservice or something like that.

Although it is of course the way to go.

No need to respond.

:-)

Cor
Every database is subject to SQL injection attacks (as long as it supports SQL of course) when not used correctly.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message news:15030F4B-0931-4E85-949A-DE199E4E1886@microsoft.com...
> Hi WenYuan,
>
>> By this way, we also could avoid SQL injection attacks.
>
> In an Access database? AFAIK it can not be reached ofline beside by a
> webservice or something like that.
>
> Although it is of course the way to go.
>
> No need to respond.
>
> :-)
>
> Cor
Miha,

I am curious how you do that with an Access database. I assume that you don't mean attacks from your own desktop or inside the local LAN, where an Access database is normally not used in a large organisation.

An Access database is, as far as I know, only referencable by using its destination by a physical path and not an IP or DNS name?

However, if you know a method to reach it in another way, I would very much be pleased to see that. (Not by a webservice or something else that uses a physical path of course, because that is only giving back results on methods.)

Cor

"Miha Markic" <miha at rthand com> wrote in message news:%235KTPCL9HHA.1188@TK2MSFTNGP04.phx.gbl...
> Every database is subject to SQL injection attacks (as long as it supports
> SQL of course) when not used correctly.
The level of vulnerability may vary, but I think we agree on the fact that when there is SQL then SQL injection is possible.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"William Vaughn" <billvaNoSPAM@betav.com> wrote in message news:O6z$sMO9HHA.1212@TK2MSFTNGP05.phx.gbl...
> Ah, I doubt it. SQL Server and Oracle that support multiple operations are
> most vulnerable--SQL CE does not and is not subject to the same type of
> attacks.
Cor,

I think you are confusing SQL injection attacks with something else.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
It's truly great news. I think you have learned much from mistakes. If any other issue blocks you, feel free to post it in the newsgroup again. You are always welcome. :-)

Good Luck!

Wen Yuan
Microsoft Online Community Support
Miha,

> I think you are confusing SQL injection attacks with something else.

I will be pleased with your explanation about it?

Cor
Wikipedia is a good start: http://en.wikipedia.org/wiki/Sql_injection

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

"Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message news:64A81481-734C-48FE-B263-B69AC335494C@microsoft.com...
> Miha,
>
>> I think you are confusing SQL injection attacks with something else.
> I will be pleased with your explanation about it?
>
> Cor
Miha,

I know this page, but how do you do this without Internet?

Cor

"Miha Markic" <miha at rthand com> wrote in message news:%230me$2X9HHA.5684@TK2MSFTNGP05.phx.gbl...
> Wikipedia is a good start:
> http://en.wikipedia.org/wiki/Sql_injection
"Cor Ligthert[MVP]" <notmyfirstname@planet.nl> wrote in message news:524164AB-466A-4F7C-BD80-A57B0F33C73B@microsoft.com...
> Miha,
>
> I know this page, but how you do this without InterNet?

Internet has nothing to do with SQL injection attacks.

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/
If you look at the examples in Wikipedia, all of them assume that the SQL engine can execute more than one operation per statement. JET (and SQLCe) cannot.

--
William (Bill) Vaughn
Microsoft MVP INETA Speaker
www.betav.com www.betav.com/blog/billva

"Miha Markic" <miha at rthand com> wrote in message news:evWNAFS9HHA.4784@TK2MSFTNGP05.phx.gbl...
> The level of vulnerability may vary but I think we agree on the fact that
> when there is SQL than sql injection is possible.
You're right... since an UPDATE or INSERT could be perverted, that would include any DBMS engine that accepts commands--SQL or not.

--
William (Bill) Vaughn
Microsoft MVP INETA Speaker
www.betav.com www.betav.com/blog/billva

"Miha Markic" <miha at rthand com> wrote in message news:uhCi9Dk9HHA.748@TK2MSFTNGP04.phx.gbl...
> Do you really think that SQL injection is impossible without
> multioperation execution?
"William Vaughn" <billvaNoSPAM@betav.com> wrote in message news:O5FYCZj9HHA.5980@TK2MSFTNGP04.phx.gbl...
> If you look at the examples in Wikipedia, all of them assume that the SQL
> engine can execute more than one operation per statement. JET (and SQLCe)
> cannot.

Do you really think that SQL injection is impossible without multi-operation execution?

--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/