Single Quote In A Text Field

Jeff Gaines

In my efforts at learning ADO.NET I have discovered that it balks at text
fields with single quote marks embedded. The field in question comprises
notes that can contain anything; it is stored as a memo field in Access.

I tried to wrap the whole field in double quotes without success; it still
balked at the first single quote and broke my insert statement.

Is there an easy way to handle this? If not I'll have to write a routine
to strip out single quotes before saving the field.
 
Miha Markic

Use parametrised sql statements and thus avoid sql injection attacks at the
same time.
 
Jeff Gaines

> Use parametrised sql statements and thus avoid sql injection attacks at
> the same time.

Many thanks, Miha :)

I am very new to this so I had to look some of the words up but I have
amended the app and it works a treat now!
 
WenYuan Wang [MSFT]

Hello Jeff,
Thanks to Miha for the reply.

In the ADO.NET world, OleDbParameter is intended to address this issue.
We suggest you use parametrised SQL statements.
This way we also avoid SQL injection attacks.

For example:
// init (Jet OLE DB provider; adjust the path to your .mdb)
using (System.Data.OleDb.OleDbConnection cn = new System.Data.OleDb.OleDbConnection())
{
    cn.ConnectionString = @"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\test.mdb";
    System.Data.OleDb.OleDbCommand cmd = new System.Data.OleDb.OleDbCommand();
    cmd.Connection = cn;
    // OleDb parameters are positional: each '?' is bound in the order the
    // parameters were added; the name "@field3" is only a label for lookup
    cmd.CommandText = "insert into Table1(field3) values (?)";
    cmd.CommandType = System.Data.CommandType.Text;
    // for an Access memo field use OleDbType.LongVarWChar instead
    cmd.Parameters.Add("@field3", System.Data.OleDb.OleDbType.VarWChar);

    // insert row: the text is sent as data, never spliced into the SQL,
    // so single and double quotes are stored exactly as given
    cmd.Parameters["@field3"].Value = "test1'test2\"test3";
    cn.Open();
    cmd.ExecuteNonQuery();
} // the connection is closed when the using block ends, even on an exception

Hope this helps. Please feel free to update here if you have anything
unclear. We are glad to assist you.
Best regards,

Wen Yuan
Microsoft Online Community Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Jeff Gaines

> Hello Jeff,
> Thanks to Miha for the reply.

Yes indeed :)

> In the ADO.NET world, OleDbParameter is intended to address this issue.
> We suggest you use parametrised SQL statements.
> This way we also avoid SQL injection attacks.
> [snipped]
>
> Hope this helps. Please feel free to update here if you have anything
> unclear. We are glad to assist you.

It certainly helps enormously :)

I had 2 problems.

The first is that the app I chose to convert to ADO.Net uses a couple of
tables each with lots of fields, many of which aren't stored but
calculated. I know it's a minimal app to the professionals but it was the
wrong app to choose for this exercise. Anyway it's pretty well there now.

The second was a real brain fade. Having created functions to create
parameterised insert/update strings I decided they looked the same and
could be combined. Of course they are not the same but it took me a couple
of hours to realise that. I am back on track now.

I hope the old adage about learning from mistakes is true :)
 
Cor Ligthert[MVP]

Hi WenYuan,
> This way we also avoid SQL injection attacks.

In an Access database? AFAIK it cannot be reached offline except by a
web service or something like that.

Although it is of course the way to go.

No need to respond.

:)

Cor
 
Miha Markic

Every database is subject to SQL injection attacks (as long as it supports
SQL of course) when not used correctly.
 
William Vaughn

Ah, I doubt it. SQL Server and Oracle that support multiple operations are
most vulnerable--SQL CE does not and is not subject to the same type of
attacks.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------

Miha Markic said:
> Every database is subject to SQL injection attacks (as long as it supports
> SQL of course) when not used correctly.
--
Miha Markic [MVP C#, INETA Country Leader for Slovenia]
RightHand .NET consulting & development www.rthand.com
Blog: http://cs.rthand.com/blogs/blog_with_righthand/

 
Cor Ligthert[MVP]

Miha,

I am curious how you do that with an Access database. I assume that you
don't mean attacks from your own desktop or inside the local LAN, where an
Access database is normally not used in a large organisation.

An Access database is, as far as I know, only referenceable by its
physical path and not by an IP or DNS name?

However, if you know a method to reach it in another way, I would be very
pleased to see that. (Not by a web service or something else that uses a
physical path, of course, because that only gives back results from
methods.)

Cor

 
Miha Markic

The level of vulnerability may vary, but I think we agree on the fact that
when there is SQL then SQL injection is possible.
 
WenYuan Wang [MSFT]

It's truly great news.
I think you have learned much from your mistakes.
If any other issue blocks you, feel free to post it in the newsgroup
again.
You are always welcome. :)

Good Luck!

Wen Yuan
Microsoft Online Community Support
==================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
William Vaughn

If you look at the examples in Wikipedia, all of them assume that the SQL
engine can execute more than one operation per statement. JET (and SQLCe)
cannot.

 
Miha Markic

William Vaughn said:
> If you look at the examples in Wikipedia, all of them assume that the SQL
> engine can execute more than one operation per statement. JET (and SQLCe)
> cannot.

Do you really think that SQL injection is impossible without multioperation
execution?
 
William Vaughn

You're right... since an UPDATE or INSERT could be perverted, that would
include any DBMS engine that accepts commands--SQL or not.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant, Dad, Grandpa
Microsoft MVP
INETA Speaker
www.betav.com
www.betav.com/blog/billva
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________
Visit www.hitchhikerguides.net to get more information on my latest book:
Hitchhiker's Guide to Visual Studio and SQL Server (7th Edition)
and Hitchhiker's Guide to SQL Server 2005 Compact Edition (EBook)
-----------------------------------------------------------------------------------------------------------------------
 
