WelcomeServicesPortfolioKnowledge BaseContact Us
 27 Seconds, Inc.


Knowledge base View Article

need hosting?

Need hosting? We use and love our host - CrystalTech.com!
Need hosting? We use and love our host - CrystalTech.com!

Text Disguise - CAPTCHA-image/Human Interactive Proof web services

National Holiday Dates and Bank Holiday Dates - web site that provides the dates of national and bank holidays for the United States, United Kingdom, Ireland and Scotland

Holiday Web Service - web services for programmers to provide the dates of national and bank holidays in their applications for the United States, United Kingdom, Ireland and Scotland

Our Family Heart - web site to help families communicate no matter where they are

What?! You haven't heard about the greatest remote controlled flyer to come out in years?! Checkout the FlyTech DragonFly now!

Safe SQL String Buildling in .NET

Summary: When you build a SQL string, you need to take apostrophes, dates and when updating data NULL values need to be accounted for.
 
Keywords: APOSTROPHE
DATABASE
DATE
INJECTION
INSERT
LIST
NUMBER
SAFE
SELECT
SQL
SQL INJECTION
STRING
UPDATE
Applicable Software: Active Server Pages .NET (ASP.NET)
Microsoft Access
Microsoft SQL Server
Visual Basic .NET (VB.NET)
 
Body:

When you build a SQL string, you need to take apostrophes, dates and when updating data NULL values need to be accounted for. Without doing this, your applications can be open to SQL Injection attacks which are embarrassing, at best and downright dangerous at worst. There is a classic ASP/VBScript version of this function available. 

Public Enum SqlDataType
	 Text
	 Number
	 [Date]
	 CommaDelimitedNumber
	 CommaDelimitedText
	 [Boolean]
End Enum

Public Shared Function SqlStringFieldValue(ByVal fieldValue As Object, dataType As SqlDataType) As String

	Dim ret As Boolean
	Dim out As String = ""
	Dim sFieldValue As String = ""
	Dim sTmp As String = ""
	Dim iCnt As Integer = 0
	Dim tmpNumber As Double = 0
	Dim tmpDate As DateTime
	Dim aTmp() As Object

	sFieldValue = CType(fieldValue, String)

	If Not sFieldValue Is Nothing AndAlso sFieldValue.Trim().Length > 0 Then
		Select Case dataType
			Case SqlDataType.Text
				out = "'" & sFieldValue.Trim().Replace("'", "''") & "'"

			Case SqlDataType.Number
				out = CType(Utilities.FixNumber(sFieldValue), String)

			Case SqlDataType.Date
				Try
					tmpDate = DateTime.Parse(sFieldValue)

					out = "'" & tmpDate.toString("yyyy-MM-dd hh:mm:ss") & "'"

				Catch x As FormatException
					'do nothing
				End Try

			Case SqlDataType.CommaDelimitedNumber
				aTmp = sFieldValue.Split(CType(",", Char))
				For iCnt = 0 To aTmp.GetUpperBound(0)
					tmpNumber = Utilities.FixNumber(aTmp(iCnt))
					If tmpNumber > 0 Then
						If out.Length > 0 Then
							out = out & ","

						End If

						out = out & tmpNumber

					End If

				Next

			Case SqlDataType.CommaDelimitedText
				aTmp = sFieldValue.Split(CType(",", Char))
				For iCnt = 0 To aTmp.GetUpperBound(0)
					sTmp = aTmp(iCnt).ToString().Trim()
					If sTmp.Length > 0 Then
						If out.Length > 0 Then
							out = out & ","

						End If

						out = out & "'" & sTmp.Replace("'", "''") & "'"

					End If

				Next

			Case SqlDataType.Boolean
				Try
					ret = Boolean.Parse(sFieldValue)

					If ret Then
						out = "True"
					Else
						out = "False"
					End If
				Catch x As Exception
					'do nothing, suppress errors
					HttpContext.Current.Trace.Warn("Dls.Common.Utilities.SqlStringFieldValue(fieldValue, dataType), 2, Exception: " & x.Message)
				End Try

		End Select

	End If


	If out.Length = 0 Then
		out = "NULL"

	End If

	Return out

End Function

To use it, you would do: 

Dim sql As String = "SELECT * " & _
    "FROM Articles " & _
    "WHERE ArticleId = " & SqlStringFieldValue(Request.Params("id"), SqlDataType.Number)

 
Author: Douglas L. Setzer, II, http://www.27seconds.com
Posted On: 12/21/2005 2:28:11 PM

Rate this article: Average: 7
n/a12345678910
Comments?

Article Search   |   All Articles

 

 
©2002 27 Seconds, Inc. All Rights Reserved.