
I am trying to make this statement safe from the insertion of special characters. How would I reformat the query to handle this, such as the variable type having the value “Women’s”? I know that parameterized queries are the way to go; however, that is not an option right now.

// Untrusted values (media, type) are concatenated straight into the SQL text;
// a value containing a single quote, such as Women's, breaks the string literal.
var sqlStatement = "SELECT DISTINCT DN FROM tbl1 WHERE Media LIKE '" + media + "%' AND Type = '" + type + "'";
  • Check out the concept of Parameterised Queries or Prepared Statements. You should not be building up your query by directly concatenating strings into it. Commented Oct 8, 2012 at 13:53
  • And what database is this for - MySQL, SQL Server? Commented Oct 8, 2012 at 13:57
  • Are you really generating your SQL queries in JavaScript? Commented Oct 8, 2012 at 13:59
  • Is this node.js or is this JavaScript running in the browser? Commented Oct 8, 2012 at 14:07

2 Answers

Your best resource here is going to be OWASP (check out the SQL Injection Prevention cheat sheet). I feel compelled to reiterate that your best bet would be to attempt solutions in the following order:

  1. Prepared Statements
  2. Stored Procedures
  3. Escaping User Supplied Input

If you're absolutely set on escaping queries for SQL Server you can refer to this MSDN article, specifically the Escaping Input section. If you can further validate user input by implementing a white list, all the better!
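As an added illustration of the answer's third option (not code from the question or the answer): escaping the query from the question for SQL Server, with a whitelist on Type. The allowed Type values and the function names are assumptions; the quote-doubling and LIKE-wildcard rules are the ones the MSDN section describes, and a parameterized query remains the correct fix.

```javascript
// Added example: escaping plus whitelisting for the LIKE/Type query from the
// question, targeting SQL Server string literals. Not the original poster's code.

// Whitelist for Type (constructed list): a value that is not on it never
// reaches the SQL text at all, which is stronger than any escaping.
const ALLOWED_TYPES = new Set(["Women's", "Men's", "Kids"]);

// T-SQL string-literal escaping: a single quote inside a literal is written as
// two single quotes, so Women's becomes Women''s.
function escapeSqlString(value) {
  if (typeof value !== "string") throw new TypeError("expected a string");
  return value.replace(/'/g, "''");
}

// A value used inside a LIKE pattern also needs its wildcard characters
// (% _ [ ]) and the escape character itself neutralised; the query must then
// declare that escape character with an ESCAPE clause.
function escapeLikePattern(value) {
  return escapeSqlString(value).replace(/[\\%_\[\]]/g, (c) => "\\" + c);
}

// Builds the question's query with escaping applied to Media and a whitelist
// check on Type. Returns null when Type is not allowed, so no query is issued.
function buildQuery(media, type) {
  if (!ALLOWED_TYPES.has(type)) return null;
  return (
    "SELECT DISTINCT DN FROM tbl1 WHERE Media LIKE '" +
    escapeLikePattern(media) +
    "%' ESCAPE '\\' AND Type = '" +
    escapeSqlString(type) +
    "'"
  );
}
```

Note that `escapeLikePattern` is what stops a value like `50%_off` from silently turning into a broader wildcard match.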


I know that parameterized queries are the way to go; however, that is not an option right now.

Why is it "not an option right now"?

Is having your entire data compromised or destroyed "an option right now"? Would you care to post your URL?

If you don't parameterise your queries, there is no guaranteed foolproof method of preventing SQL injection.

1 Comment

Why are people downvoting this? Parameterized queries are the correct way to fix this.
