Sunday 26 February 2017

c# - How to pass a single quote ( ' ) from user input to a stored procedure, avoiding SQL injection

Replacing each single quote with two single quotes (escaping ' as '') before calling the stored procedure should work; the T-SQL literal then looks like this:

@parameter = 'Test'' A''B''C' -- the procedure receives: Test' A'B'C

But if you don't want to go this way, you can also try with

SET QUOTED_IDENTIFIER OFF

just before running the query, so that the value can be written inside double quotes ("Test' A'B'C") and the single quote needs no escaping. That will also work, but remember that QUOTED_IDENTIFIER must be ON in many situations.
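As an added example (not code from the original post), here is the C# side: a helper that builds the doubled-quote literal the post describes, next to a parameterized stored-procedure call that passes the raw value without any escaping or QUOTED_IDENTIFIER change. The procedure name dbo.usp_SaveNote and the connection string are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumes a stored procedure
// dbo.usp_SaveNote(@parameter NVARCHAR(100)) exists; the name and the
// connection string are placeholders.
static class QuoteSafeCall
{
    // The value from the post, including embedded single quotes.
    const string UserInput = "Test' A'B'C";

    // The post's approach: build a SQL literal by doubling every single quote.
    // This is only needed when the value is spliced into SQL text and yields
    // the same literal shown in the post.
    public static string ToSqlLiteral(string value) =>
        "'" + value.Replace("'", "''") + "'";

    // Preferred: pass the raw value as a typed parameter. The driver sends it
    // separately from the SQL text, so the server never parses the quotes and
    // no escaping is required, whatever QUOTED_IDENTIFIER is set to.
    public static int CallProc(string connStr, string value)
    {
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand("dbo.usp_SaveNote", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@parameter", SqlDbType.NVarChar, 100).Value = value;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected, as reported by the procedure
        }
    }

    static void Main()
    {
        // Show what the escaped literal looks like, then call the procedure
        // with the unescaped value (placeholder connection string).
        Console.WriteLine(ToSqlLiteral(UserInput));
        int rows = CallProc("Server=.;Database=Demo;Integrated Security=true", UserInput);
        Console.WriteLine("rows affected: " + rows);
    }
}
```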
