1

i want to find a function in .NET framework to calls SQL-Server's library for escaping really a value for sending to sql server, as mysql-real-escape-string() calls MySQL's library to do in PHP.
please propose a method that i can call it and it return escaped string via one round-trip to database, no need fo executing It's query
Is there it?

Improve this question
6
  • Btw: mysql_real_escape_string does not talk to the database in any way. Also: The proposed solution from @Thomas is fine, just like prepared statements are also the way to go in php Commented Apr 26, 2011 at 8:34
  • @edorian - mysql_real_escape_string() actually talks to the database: it's the server the one that gets the job done and it won't work without a DB connection. Commented Apr 26, 2011 at 10:25
  • 2
    @Alvaro: It requires a connection to determine the character set to use to escape the content. But no round trip happens. All the escaping is done on the client side. Don't believe me? Break out wireshark and watch the communication betwen PHP and MySQL. The client does the escaping (which also is the only thing that makes sense)... Commented Apr 26, 2011 at 10:52
  • 1
    @ircmaxell - I've just tested and you are absolutely right. I misunderstood the mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string part in the documentation. It obviously refers to the client library. Commented Apr 26, 2011 at 11:08
  • 1
    @ahoo: prepared statements (or more accurately parameterized queries) are the better option all around. You can rely on client-side escaping only if you set the character set properly and use it properly. Like any tool it's only as good as how it's used... Commented Apr 26, 2011 at 12:38

1 Answer 1

Reset to default
3

Why do you want to do that? The correct way to send user input to the database is not to escape it, but to use query parameters.

using(var command = new SqlCommand("insert into MyTable(X, Y) values(@x, @y)", connection))
{
    command.Parameters.Add("@x", textBoxX.Text);
    command.Parameters.Add("@y", textBoxY.Text);
    command.ExecuteNonQuery();
}

This provides better performance, because the query text is always the same so the query execution plan can be cached. This also protects you against SQL injection attacks. And it also allows you to ignore data formatting issues (e.g. how is a DateTime formatted in SQL-Server? How should you represent a number in SQL? and so on)

Improve this answer
Sign up to request clarification or add additional context in comments.

4 Comments

yes, i thought about it well. but parameter way has a problem: parameters count is fixed, but i want to dynamically create sql with count of parameters is dependent on user input values.
@ahoo, the parameter count isn't fixed, nothing prevents you from adding parameters dynamically in a loop... Of course in that case you don't get the performance benefit, but it's still better than hard-coding the values in the SQL query.
thanks @Thomas, so it is just like "Prepared Statement" in PHP (Using Functions: mysqli_stmt_prepare(),mysqli_stmt_bind_param()). is it right?
@ahoo, yes, it's roughly the same. BTW, you can explicitly Prepare() a command in .NET too if you intend to reuse it multiple times with different parameter values

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.