C# equivalent of php mysql_real_escape_string function - 【StackMirror】|c#|mysql-real-escape-string|equivalent

I'm looking for the equivalent to the PHP function mysql_real_escape_string() to use in C#.NET. I work with the .NET 3.5 framework. I can't find anything to use.

I read something that the System.Web.HttpUtility would have something but I can't use that. It says that I do not have an reference to it.

2012-04-04 17:23
by Bernhard

I strongly suspect you won't find anything, for two reasons:

It's not the preferred way of avoiding SQL injection attacks. Using parameterized queries is.
It would be DB-specific anyway, hence why it's mysql_real_escape_string in PHP. Given that it's to do with SQL, I wouldn't expect System.Web.HttpUtility to be anything like what you want.

So the question is whether you're actually trying to pass a value to a database, or escape a URL. If it's escaping a URL, then we need to know more about your application (e.g. .NET target profile) to help you further. If it's passing a value to a database, use parameterized SQL instead.

2012-04-04 17:27
by Jon Skeet

Well, its a Windows Application that will run on 2 clients in the same room (Red Cross Dispatch Center). the server will be in the same room so injection security is in this case not a big isue. (no external connections). Normaly Injection security would be high on my list. Parameterized SQL is no option since the person who'll maintain the system does not know enough mySql for that.

I am trying to pass values containing Aphostroves - Bernhard 2012-04-04 17:45

@Bernhard: The person maintaining the system doesn't know enough to use parameterized SQL? It's remarkably simple - what's hard about that? If that's too much too ask, I'd be pretty worried about their ability to do other things.. - Jon Skeet 2012-04-04 17:51

The person is a network administrator, not a programmer. He can do small changes, but larger ones will be a problem. But to be honest, that doesn't really matter. Injection is not really a problem in the setting where the application is use - Bernhard 2012-04-04 17:56

@Bernhard: Well, I've given the background of why you're unlikely to find an escaping method: it's simply not the preferred way of doing this. But there's definitely not point in looking at HttpUtility - it's entirely inappropriate for what you need - Jon Skeet 2012-04-04 17:57

I gues that in my situation would String.Replace be the best option then - Bernhard 2012-04-04 18:04

@Bernhard: Well I'd still say that a little bit of education would go a long way. Parameterized SQL is not hard - especially if you're providing examples in existing queries. All the network admin would have to do is follow the same pattern. Even aside from malice, how confident are you that you'll get everything exactly right? Maybe you'll get it right - maybe you won't. I wouldn't want to try personally though. (Note that parameterized SQL also avoids conversion issues for dates etc. - Jon Skeet 2012-04-04 18:07

I've created a working version of the application without Parameterized SQL. In about 3 weeks I will get the results of its first testing period. This gives me the time to rewrite the SQL into Parameterized SQL. I think that you're right. Educating the Admin will be bette - Bernhard 2012-04-12 23:57

what is parameterized SQL anyway? I know SQL. What is this thing called parameterized SQL - user4951 2012-06-20 15:58

@JimThio: SQL using parameter placeholders which are given their values separately - instead of including the values directly into the SQL, inviting SQL injection attacks etc - Jon Skeet 2012-06-20 16:14