MyI created a form that should gather information from data. This data may include random characters including " ' and so on. My question is how do I insert data safely without having sql injection attacks and where could i insert escape characters so that this form does not throw errors whenever a characters like ' "/ and so on are inserted.
Here is my code so far:
public string InsertRecordSet()
{
source = new FileInfo(@"c:\scripts\db_connection.txt");
stream = source.OpenText();
String text = stream.ReadLine();
stream.Close();
String uid = text.Substring(0, text.IndexOf(":"));
String pw = text.Substring(text.IndexOf(":") + 1, (text.Length - uid.Length - 1));
String connectionString = "dsn=" + "db" + "; uid=" + uid + "; pwd=" + pw + ";";
String statement = "INSERT INTO table (SubmitDate, FirstName, LastName, Email, Phone, Major, Description, HearAbout) VALUES (@SubmitDate, @FirstName, @LastName, @Email, @Phone, @Major, @Description, @HearAbout)";
conn = new OdbcConnection(connectionString);
command = new OdbcCommand(statement, conn);
command.Parameters.AddWithValue("@SubmitDate", DateTime.Now);
command.Parameters.AddWithValue("@FirstName", txtFname.Text);
command.Parameters.AddWithValue("@LastName", txtLname.Text);
command.Parameters.AddWithValue("@Email", txtEmail.Text);
command.Parameters.AddWithValue("@Phone", txtPhone.Text);
command.Parameters.AddWithValue("@Major", txtMajor.Text);
command.Parameters.AddWithValue("@Desciption", txtDescription.Text);
command.Parameters.AddWithValue("@HearAbout", txtMaxwell.Text);
conn.Open();
try
{
command.ExecuteNonQuery();
return "true";
}
catch (OdbcException oe)
{
_dbError = true;
Session.Contents.Add("USIFormException", oe);
return (oe.ToString());
}
finally
{
conn.Close();
}
}