Parameterized queries: the underlying ADO.NET layer handles the SQL injection problem (SQL Server 2005 is required).
Use a parameterized query like the following:
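// Parameterized INSERT: the values are bound as typed parameters instead of being
// spliced into the SQL text, so the data provider, not string concatenation, handles
// quoting. The using blocks dispose the command and close the connection even when
// ExecuteNonQuery throws; the original only called Close() on the success path.
using (System.Data.SqlClient.SqlConnection cnn = new System.Data.SqlClient.SqlConnection("connection string"))
using (System.Data.SqlClient.SqlCommand cm = new System.Data.SqlClient.SqlCommand())
{
    cm.Connection = cnn;
    // The SQL text contains only named placeholders; no data is ever concatenated into it.
    cm.CommandText = "insert into Table1 (field1, field2) values (@field1, @field2)";
    cm.Parameters.Add("@field1", System.Data.SqlDbType.Float);
    cm.Parameters["@field1"].Value = 1;
    cm.Parameters.Add("@field2", System.Data.SqlDbType.DateTime);
    // DBNull.Value is how a SQL NULL is passed for a parameter.
    cm.Parameters["@field2"].Value = System.DBNull.Value;
    cnn.Open();
    cm.ExecuteNonQuery();
}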
Another approach: our company has always used the following function to remove special characters.
/// <summary>
/// Trims <paramref name="inputstring"/>, replaces the characters '"', '&lt;' and '&gt;'
/// with the entities &amp;quot;, &amp;lt; and &amp;gt;, and drops every apostrophe.
/// Null or empty input yields an empty string. Only those four characters are
/// touched ('&amp;' and everything else pass through unchanged), so this is an
/// output-encoding helper, not a substitute for the parameterized query above.
/// </summary>
/// <param name="inputstring">Text to clean; may be null.</param>
/// <returns>The cleaned text; never null.</returns>
public static string cleanstring(string inputstring)
{
    if (inputstring == null || inputstring.Length == 0)
    {
        return string.Empty;
    }

    StringBuilder output = new StringBuilder();
    foreach (char ch in inputstring.Trim())
    {
        switch (ch)
        {
            case '"':
                output.Append("&quot;");
                break;
            case '<':
                output.Append("&lt;");
                break;
            case '>':
                output.Append("&gt;");
                break;
            case '\'':
                // Apostrophes are removed, not encoded (the original stripped them
                // from the builder in a final Replace pass; dropping them here is equivalent).
                break;
            default:
                output.Append(ch);
                break;
        }
    }
    return output.ToString();
}
PS: modified based on the PetShop sample.