Friday, January 29, 2010

Replace Single Quote SQL Injection

Replace single quote with back quote in MS SQL (T-SQL):
UPDATE TABLE_NAME SET FIELD_NAME = REPLACE(FIELD_NAME, Char(39), Char(96));

C# Scrub method:

    // Swaps every single quote (char 39) for a back quote (char 96) before
    // the value is placed into SQL text.
    public string Scrub(string sqlString)
    {
        return sqlString.Replace((char)39, (char)96);
    }

C# UnScrub method (modify accordingly):

    // Collapses every run of consecutive single quotes down to one quote, then
    // doubles each remaining quote, which is how a single quote is escaped
    // inside a T-SQL string literal.
    public string UnScrub(string sqlString)
    {
        string finalSqlString = String.Empty;

        if (sqlString.Contains("'"))
        {
            int singleQuoteCount = 0;

            for (int index = 0; index < sqlString.Length; index++)
            {
                if (sqlString[index] == '\'')
                {
                    singleQuoteCount++;
                }
                else
                {
                    singleQuoteCount = 0;
                }

                // Keep a quote only if it is the first one in its run.
                if (singleQuoteCount <= 1)
                {
                    finalSqlString = finalSqlString + sqlString[index];
                }
            }
        }
        else
        {
            finalSqlString = sqlString;
        }

        finalSqlString = finalSqlString.Replace("'", "''");
        return finalSqlString;
    }
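The following is an added example, not code from the original post: it runs the Scrub idea on constructed inputs, uses a simplified reversal (back quote back to single quote, an assumption, not the post's UnScrub), and shows the same lookup as a parameterized SqlCommand. The table and column names and the parameter size are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post): exercises the quote-replacement
// idea on constructed inputs and shows the same lookup as a parameterized query.
public static class QuoteHandlingDemo
{
    // Same behaviour as the post's Scrub: single quote (39) becomes back quote (96).
    public static string Scrub(string s) => s.Replace((char)39, (char)96);

    // Assumed reversal for data read back from a column that was stored via Scrub.
    public static string Unscrub(string s) => s.Replace((char)96, (char)39);

    // Standard T-SQL literal escaping: double every single quote.
    public static string EscapeLiteral(string s) => s.Replace("'", "''");

    // Parameterized form: the value is bound, never spliced into CommandText,
    // so no quote replacement or escaping is needed. Table/column are assumed.
    public static SqlCommand BuildLookup(string customerName)
    {
        var cmd = new SqlCommand("SELECT Id FROM Customers WHERE Name = @name");
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = customerName;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample: a legitimate value containing an apostrophe.
        string input = "O'Brien";
        string scrubbed = Scrub(input);                     // O`Brien
        Console.WriteLine(scrubbed);
        Console.WriteLine(Unscrub(scrubbed) == input);      // True

        // Constructed sample that already contains a back quote: the round trip
        // is lossy, because Unscrub cannot tell an original ` from a converted '.
        string lossy = "a`b'c";
        Console.WriteLine(Unscrub(Scrub(lossy)) == lossy);  // False

        // Escaped literal for inline SQL versus a bound parameter.
        Console.WriteLine("WHERE Name = '" + EscapeLiteral(input) + "'");
        var cmd = BuildLookup(input);
        Console.WriteLine(cmd.CommandText);                 // unchanged by the input
        Console.WriteLine(cmd.Parameters["@name"].Value);   // O'Brien
    }
}
```

Executing the command requires assigning a SqlConnection to cmd.Connection; the example only builds it to show that the SQL text stays fixed while the value travels as a parameter.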
