Use Base64 to avoid SQL injection attacks
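One easy way I've found to avoid SQL injection attacks and related errors is to simply Base64-encode the data that users enter. It's a simple way to make sure you are escaping every possible special character: the Base64 alphabet contains no quotes or other characters that can terminate a SQL string literal. Keep in mind that this is an encoding, not a replacement for parameterized queries. It protects only the values that are actually encoded, searching or sorting on the stored text in SQL no longer works, and the decoded text is still untrusted input wherever it is used next (for example, it must be HTML-escaped before display).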
AAVOnline will use this functionality with all of its messaging capabilities. Since users will be sending arbitrary text to each other, it is important to come up with a way to allow this.
Below you will find the C# code for the Base64 Encode/Decode routines I used to accomplish this. (From http://www.vbforums.com/showthread.php?s=&threadid=287324)
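/// <summary>
/// Encodes a string as Base64 over its UTF-8 byte representation.
/// </summary>
/// <remarks>
/// Base64 is a reversible encoding, not encryption or sanitization. When the
/// result is stored through SQL it should still be passed as a bound
/// parameter rather than concatenated into the statement text.
/// </remarks>
/// <param name="data">The text to encode. Must not be null.</param>
/// <returns>The Base64 text for the UTF-8 bytes of <paramref name="data"/>.</returns>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
public string base64Encode(string data)
{
    // Fail with a specific exception instead of wrapping a NullReferenceException
    // in a bare Exception, which hid the original type and stack trace.
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }

    // GetBytes allocates the buffer itself; the original pre-allocated an array
    // sized by character count and then discarded it.
    byte[] utf8Bytes = System.Text.Encoding.UTF8.GetBytes(data);
    return Convert.ToBase64String(utf8Bytes);
}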
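/// <summary>
/// Decodes Base64 text and interprets the resulting bytes as UTF-8.
/// </summary>
/// <remarks>
/// The returned string is exactly what was originally encoded, so it is as
/// untrusted as the original user input. Escape or validate it for whatever
/// context it is used in next (HTML output, SQL, file paths).
/// </remarks>
/// <param name="data">Base64 text to decode. Must not be null.</param>
/// <returns>The decoded text.</returns>
/// <exception cref="ArgumentNullException"><paramref name="data"/> is null.</exception>
/// <exception cref="FormatException"><paramref name="data"/> is not valid Base64.</exception>
public string base64Decode(string data)
{
    if (data == null)
    {
        throw new ArgumentNullException("data");
    }

    // Malformed input surfaces as FormatException from FromBase64String rather
    // than being re-wrapped in a bare Exception without the original stack trace.
    byte[] rawBytes = Convert.FromBase64String(data);

    // GetString decodes the whole buffer in one call. The original used a
    // stateful Decoder without flushing, which silently drops an incomplete
    // multi-byte sequence at the end of the input.
    return System.Text.Encoding.UTF8.GetString(rawBytes);
}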