
I have the following code:

    [WebMethod]
    public static string addNewNote(string id, string txt)
    {
        // new Guid(string) throws FormatException if the client sends anything
        // that is not a GUID, so a bad id never reaches the database.
        Guid parentId = new Guid(id);
        DbProviderFactory dbf = DbProviderFactories.GetFactory();
        using (IDbConnection con = dbf.CreateConnection())
        {
            con.Open();
            using (IDbTransaction trn = con.BeginTransaction())
            {
                Guid noteId = Guid.Empty;
                // Generated wrapper around the stored procedure: each argument is
                // bound as a parameter (see the generated Sql.AddParameter call
                // quoted in the answer comments), not concatenated into SQL text.
                // Note that trn is not passed to the wrapper, so the transaction
                // opened above does not cover this call.
                SqlProcs.spNOTES_WebForms
                        (ref noteId,
                        parentId,
                        "Files",
                        "Client Note",
                        txt,
                        true
                        );
                // An IDbTransaction that is disposed without Commit rolls back.
                trn.Commit();
            }
        }
        return "";
    }

In other languages such as PHP, there exist functions such as strip_tags, addslashes or mysql_real_escape_string that would sanitize or otherwise clean client-based variables before inserting them into the database.

Do any such functions exist, or are any such functions required, in C# ASP.NET? I am already using a stored procedure, as you can see.

  • Have you looked into using SQL parameters? Commented Feb 13, 2013 at 19:33
  • I don't know, but in this case I am using a stored procedure so I am not sure I can use SQL stuff. I was thinking I would just be able to sanitize the data in C#, first. Commented Feb 13, 2013 at 19:34

1 Answer


If you use parameterized queries, .NET will handle the variable sanitation for you.


4 Comments

My stored procedure generated the following code IDbDataParameter parID = Sql.AddParameter(cmd, "@ID" , gID ); (for example). Are you saying this is safe to use as is?
May I ask, after having looked at msdn.microsoft.com/en-us/library/…, where does it say that this sanitizes incoming data? Thanks.
Read here in the Use Type-Safe SQL Parameters section: msdn.microsoft.com/en-us/library/ms161953(SQL.105).aspx: "input is treated as a literal value instead of as executable code".
Alright, I guess I can trust to leave it as is, then. Thanks!
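The answer's point, as an added worked example (this is not code from the original question, the answer, or the generated SqlProcs wrapper): the same "add note" call done two ways. The first builds the SQL string by concatenation, which is the pattern the PHP escaping functions exist to patch over; the second calls a stored procedure through ADO.NET with typed parameters, so the note text is sent as data and the server never parses it as SQL, whatever quotes it contains. The procedure name spNOTES_Update, its parameter names and column sizes, and the NOTES table are assumptions made for illustration only. SqlClient is used directly instead of the DbProviderFactory helpers so the example stands alone.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not the original post's code.  Procedure, parameter and
// table names below are assumed for illustration.
public static class NoteRepository
{
    // Constructed attacker input: if concatenated into SQL, the quote closes
    // the string literal and the rest of the text becomes executable SQL.
    public const string MaliciousText = "x'); DELETE FROM NOTES; --";

    // UNSAFE, shown only for contrast.  With MaliciousText this produces
    // INSERT ... VALUES ('<guid>', 'x'); DELETE FROM NOTES; --')
    public static string BuildUnsafeSql(Guid parentId, string txt)
    {
        return "INSERT INTO NOTES (PARENT_ID, DESCRIPTION) VALUES ('"
             + parentId + "', '" + txt + "')";
    }

    // SAFE: stored procedure with typed parameters.  @DESCRIPTION travels as a
    // value, never as SQL text, so no quote-escaping in C# is needed or wanted;
    // escaping here would only corrupt the stored note.
    public static Guid AddNoteSafe(string connectionString, Guid parentId, string txt)
    {
        using (var con = new SqlConnection(connectionString))
        {
            con.Open();
            using (var trn = con.BeginTransaction())
            using (var cmd = con.CreateCommand())
            {
                cmd.Transaction = trn;                 // enlist the command in the transaction
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.CommandText = "dbo.spNOTES_Update"; // assumed procedure name

                // Output parameter: Guid.Empty on input tells the (assumed)
                // procedure to insert and hand back the new id.
                var id = cmd.Parameters.Add("@ID", SqlDbType.UniqueIdentifier);
                id.Direction = ParameterDirection.InputOutput;
                id.Value = Guid.Empty;

                cmd.Parameters.Add("@PARENT_ID", SqlDbType.UniqueIdentifier).Value = parentId;
                cmd.Parameters.Add("@PARENT_TYPE", SqlDbType.NVarChar, 25).Value = "Files";
                cmd.Parameters.Add("@NAME", SqlDbType.NVarChar, 255).Value = "Client Note";
                // Size -1 means nvarchar(max); declaring sizes explicitly keeps
                // the plan cache stable and avoids implicit conversions.
                cmd.Parameters.Add("@DESCRIPTION", SqlDbType.NVarChar, -1).Value =
                    (object)txt ?? DBNull.Value;

                cmd.ExecuteNonQuery();
                trn.Commit();
                return (Guid)id.Value;
            }
        }
    }

    // SQL injection is handled by the parameter above.  HTML injection, which
    // is what strip_tags is usually reached for, is an output problem: encode
    // the note when it is rendered rather than mangling the stored text.
    public static string RenderNote(string txt)
    {
        return HttpUtility.HtmlEncode(txt);
    }
}
```

Two caveats worth keeping in mind. Parameters only protect the statement they are bound to: if the stored procedure itself builds dynamic SQL from @DESCRIPTION with EXEC or sp_executesql without its own parameters, the injection simply moves inside the procedure, so check the procedure body, not just the C# side. And parameters do nothing about cross-site scripting; the note text should be stored verbatim and HTML-encoded at the point where it is written into a page.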
