Hi,
I am trying to replace every single quote with two single quotes prior to
sending the dynamic SQL string to SQL Server (from a C# application).
(In this case I have to send a dynamic string; I cannot do parameterized
queries.)
Question is....
Is there any other character that sql server will interpret as a "single
quote"?
Any help is deeply appreciated.
Thanks
Nalaka

Hi Nalaka,
Thank you for your post.
As far as I know, I don't think SQL Server will interpret any other character
as a single quote.
Here I would like to provide some information about passing dynamic strings to
SQL Server:
When possible, reject input that contains the following characters.

Input character   Meaning in Transact-SQL
;                 Query delimiter
'                 Character data string delimiter
--                Comment delimiter
/* ... */         Comment delimiters. Text between /* and */ is not
                  evaluated by the server.
xp_               Begins the name of catalog extended stored procedures
                  such as xp_cmdshell.
You may want to refer to the following article:
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Hope this will be helpful!
Sincerely,
Wei Lu
Microsoft Online Community Support
==================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Thanks Wei,
This is what I don't understand... theoretically, if I replace every single
quote with two single quotes, all is well.
But there are a ton of articles suggesting all these other precautions...
Nalaka

"Nalaka" <nalaka12@.nospam.nospam> wrote in message
news:%23CKpYJOhGHA.2188@.TK2MSFTNGP04.phx.gbl...
> Thanks Wei,
> This is what I don't understand... theoretically if I replace every single
> quote with two single quotes.. all is well.
> But there are a ton of articles suggesting all these other precautions...
>
Most likely their concern is SQL injection attacks.
Basically, any place you accept input, if you're not careful, a bad user
could do something like:
Enter First Name: dummy; select * from sysobjects
And if your select query isn't written well, it now becomes something like:
Select id from table where fname=dummy; select * from sysobjects
and now your sysobjects table has been returned to the hacker.
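As an added example (not code from any poster in this thread), the following T-SQL shows concretely what Nalaka's quote-doubling buys and why the "other precautions" still matter: it reproduces Greg's "dummy; select * from sysobjects" scenario against a throw-away temp table. The table, the attacker inputs and the object names are constructed for the demo; sys.objects stands in for sysobjects.

```sql
-- Added example: what doubling single quotes protects in SQL Server dynamic
-- SQL, and what it does not. #Users and the inputs below are constructed.
SET NOCOUNT ON;
CREATE TABLE #Users (id int, fname nvarchar(50));
INSERT INTO #Users VALUES (1, N'alice'), (2, N'dummy');

-- Constructed attacker input for a string column (Greg's scenario, with the
-- quote the attacker needs to close the literal).
DECLARE @fname nvarchar(200) = N'dummy''; SELECT name FROM sys.objects; --';
DECLARE @sql nvarchar(max);

-- 1. Naive concatenation: the quote in the input closes the literal, the
--    rest runs as a second (stacked) statement, and "--" hides the tail.
SET @sql = N'SELECT id FROM #Users WHERE fname = ''' + @fname + N''';';
PRINT @sql;
EXEC (@sql);   -- returns id 2 AND the list of object names

-- 2. Doubling every single quote (what the C# application does). Inside a
--    single-quoted literal this is sound: the value cannot end the string.
SET @sql = N'SELECT id FROM #Users WHERE fname = '''
         + REPLACE(@fname, N'''', N'''''') + N''';';
PRINT @sql;
EXEC (@sql);   -- returns no rows; the whole payload is compared as data
-- QUOTENAME(@fname, '''') does the same doubling and adds the outer quotes,
-- but it returns NULL for input longer than 128 characters, so test for NULL.

-- 3. The same doubling is useless where the value does not sit inside
--    quotes, e.g. a numeric column: there is no quote for the attacker to
--    need, so there is nothing to double.
DECLARE @id nvarchar(200) = N'2; SELECT name FROM sys.objects; --';
SET @sql = N'SELECT fname FROM #Users WHERE id = '
         + REPLACE(@id, N'''', N'''''') + N';';
PRINT @sql;
EXEC (@sql);   -- returns 'dummy' AND the list of object names: injected

-- 4. A dynamically built statement can still take its values as parameters:
--    the text is assembled at run time, the data travels via sp_executesql.
SET @sql = N'SELECT id FROM #Users WHERE fname = @f;';
EXEC sp_executesql @sql, N'@f nvarchar(200)', @f = @fname;   -- no rows

DROP TABLE #Users;
```

The pattern the block illustrates: doubling quotes is a complete answer only for values that land inside a single-quoted literal. Anything spliced in unquoted (numbers, identifiers, ORDER BY columns, table names) needs its own handling, typically a cast to the numeric type or QUOTENAME for identifiers, and the reject-list in the earlier reply (`;`, `--`, `xp_`) is a weak substitute because it also rejects legitimate data such as names containing an apostrophe. Where the statement text must be dynamic, sp_executesql keeps the values out of the text entirely.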

Hi Nalaka,
Thank you for the update.
As Greg mentioned, there are some security issues you should consider in your
application code.
SQL injection should be avoided.
You could refer to the article I posted in my previous post.
SQL Injection
http://msdn2.microsoft.com/en-us/library/ms161953.aspx
Sincerely,
Wei Lu
Microsoft Online Community Support

Thanks...

Hi Nalaka,
Glad to hear the information is helpful.
If you have any questions or concerns, please feel free to let me know.
Sincerely,
Wei Lu
Microsoft Online Community Support
Tuesday, March 20, 2012