1

I'm looking for the equivalent to the PHP function mysql_real_escape_string() to use in C#.NET. I work with the .NET 3.5 framework. I can't find anything to use.

I read something that the System.Web.HttpUtility would have something but I can't use that. It says that I do not have a reference to it.

1 Answer

2

I strongly suspect you won't find anything, for two reasons:

  • It's not the preferred way of avoiding SQL injection attacks. Using parameterized queries is.
  • It would be DB-specific anyway, hence why it's mysql_real_escape_string in PHP. Given that it's to do with SQL, I wouldn't expect System.Web.HttpUtility to be anything like what you want.

So the question is whether you're actually trying to pass a value to a database, or escape a URL. If it's escaping a URL, then we need to know more about your application (e.g. .NET target profile) to help you further. If it's passing a value to a database, use parameterized SQL instead.


9 Comments

Well, it's a Windows Application that will run on 2 clients in the same room (Red Cross Dispatch Center). The server will be in the same room so injection security is in this case not a big issue (no external connections). Normally injection security would be high on my list. Parameterized SQL is no option since the person who'll maintain the system does not know enough MySQL for that. I am trying to pass values containing apostrophes.
@Bernhard: The person maintaining the system doesn't know enough to use parameterized SQL? It's remarkably simple - what's hard about that? If that's too much to ask, I'd be pretty worried about their ability to do other things...
The person is a network administrator, not a programmer. He can do small changes, but larger ones will be a problem. But to be honest, that doesn't really matter. Injection is not really a problem in the setting where the application is used.
@Bernhard: Well, I've given the background of why you're unlikely to find an escaping method: it's simply not the preferred way of doing this. But there's definitely no point in looking at HttpUtility - it's entirely inappropriate for what you need.
I guess that in my situation String.Replace would be the best option then?
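
The parameterized approach recommended in the answer, applied to values containing apostrophes. This is an added example, not code from the original thread; it assumes MySQL Connector/NET (`MySql.Data`) is referenced by the project, and the `DispatchDb` class, the `callers` table and the connection string are hypothetical placeholders.

```csharp
using System;
using System.Data;
using MySql.Data.MySqlClient; // MySQL Connector/NET (assumed to be referenced)

static class DispatchDb // hypothetical helper class
{
    // Adds one named parameter. The value travels separately from the SQL text,
    // so apostrophes and other quote characters need no escaping.
    static void AddParam(IDbCommand cmd, string name, DbType type, object value)
    {
        IDbDataParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.DbType = type;
        p.Value = value ?? DBNull.Value; // a null string becomes SQL NULL
        cmd.Parameters.Add(p);
    }

    // Hypothetical table: callers(id INT AUTO_INCREMENT, name VARCHAR(100), notes TEXT)
    public static int InsertCaller(IDbConnection conn, string name, string notes)
    {
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "INSERT INTO callers (name, notes) VALUES (@name, @notes)";
            AddParam(cmd, "@name", DbType.String, name);
            AddParam(cmd, "@notes", DbType.String, notes);
            return cmd.ExecuteNonQuery(); // number of rows affected
        }
    }

    public static object FindCallerId(IDbConnection conn, string name)
    {
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = "SELECT id FROM callers WHERE name = @name LIMIT 1";
            AddParam(cmd, "@name", DbType.String, name);
            return cmd.ExecuteScalar(); // null when no row matches
        }
    }

    static void Main()
    {
        // Placeholder connection string; replace with the real server settings.
        using (IDbConnection conn = new MySqlConnection("server=localhost;database=dispatch;uid=USER;pwd=PASSWORD"))
        {
            conn.Open();
            InsertCaller(conn, "O'Brien", "Caller's address: 5 King's Rd");
            Console.WriteLine(FindCallerId(conn, "O'Brien"));
        }
    }
}
```

The SQL text stays a constant string, so a maintainer who changes a query only edits the statement and the matching `AddParam` lines.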