SQL vs ASP.NET..escape characters haunting
I have a crazy predicament. Seeing how I am getting the login directly from Windows anyway, I have not been needing to worry too much about SQL injection, but I would like to make everything uniform.
I use WindowsIdentity to retrieve a login which comes like "domain\login". When I put this info into a parameter and send it over as a query it comes over like this:
If I put it directly in the query string like this:
@"Select * where loginid = '" + curruser.Name + "'";
It will work. Does anyone have an explanation and a way around this so I can parameterize this?
I do know that \ is an escape character and needs to be \\ to be seen as a single one in a string, but SQL doesn't follow the same rules hehe.
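The parameterized form of the lookup above, as an added example that is not part of the original post. It assumes a table named Users with a loginid column and uses a placeholder connection string; the point it shows is that the value from WindowsIdentity.Name already holds a single backslash at runtime, and because a parameter is sent as data rather than spliced into the SQL text, no C#-style doubling is needed (T-SQL string literals do not treat the backslash as an escape character either):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Principal;

// Added example, not the original poster's code.
// Assumed schema: a table Users with a loginid column holding "DOMAIN\user" values.
class LoginLookup
{
    // Placeholder; replace with the real connection string.
    const string ConnectionString = "<connection string placeholder>";

    // Counts rows whose loginid equals the given Windows login. The login is passed
    // as a parameter, so the backslash travels as data and is compared literally.
    public static int CountRowsForLogin(string loginName)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE loginid = @login", conn))
        {
            // Explicit nvarchar type and length: a char/nchar parameter would be padded
            // with trailing spaces, which makes an equality comparison fail silently.
            cmd.Parameters.Add("@login", SqlDbType.NVarChar, 256).Value = loginName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    static void Main()
    {
        // WindowsIdentity.Name is e.g. DOMAIN\user with one backslash; nothing to double.
        string current = WindowsIdentity.GetCurrent().Name;
        Console.WriteLine("rows for {0}: {1}", current, CountRowsForLogin(current));
    }
}
```

The doubling rule the post mentions applies only to C# string literals typed into source code (`"DOMAIN\\user"` or `@"DOMAIN\user"`), not to values read at runtime; when the concatenated query works but the parameterized one does not, a worthwhile check is the parameter's declared type and length, since a fixed-width or truncated parameter changes the value SQL Server actually compares.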