SQL injection can be avoided if I remove "'" character in the variables of a sql query. The sql query that I use is:
dbCommand = new OleDbCommand("update Table1 set PhoneNo = '" + phone + "' where Table1.Company = '" + company + "'", dbConnection);
dbCommand.ExecuteNonQuery();
I also use SELECT sql query in a similar way:
dbReader = new OleDbCommand("select * from Table1 where Table1.Company = '" + company + "'", dbConnection).ExecuteReader();
dbReader.Read();
if (dbReader.HasRows)
{
//Do operations using dbReader["Company"]
}
Are there any other characters in the variables that can cause SQL injection or other risks? I can remove those. What are other ways of preventing SQL injection or other risks?
The best way is simply to use parametrized queries and don't try and remove any '. One example would be this:
dbCommand = new OleDbCommand("update Table1 set PhoneNo = ? where Table1.Company =? ", dbConnection);
dbCommand.Parameters.Add(phone);
dbCommand.Parameters.Add(company);
The OleDbCommand class allows you to specify parameters by name also, according to MSDN.
http://msdn.microsoft.com/en-us/library/system.data.oledb.oledbparametercollection.aspx
So you could replace those ? in my example, with actual parameter names like so:
dbCommand = new OleDbCommand("update Table1 set PhoneNo = @phone where Table1.Company =@company ", dbConnection);
dbCommand.Parameters.Add("@phone",phone);
dbCommand.Parameters.Add("@company",company);
Update (Comment from Steve)
You could use a name for the parameter, but it is ignored by OleDb. If you change the order in which you add the parameter the query doesn't work – Steve