
SQL parameters

In manually creating SQL queries, it would be nice to have a Framework
function that makes input strings safe to add in a manner like this:

myDescription = MethodToMakeStringQuerySafe(myDescription);

new SqlCommand(
String.Format("INSERT INTO Descriptions (Description) VALUES '{0}'",
myDescription)
).ExecuteNonQuery(); //yes, I know this isn't very good

Is there any such thing? Or must I be relegated to doing something like

myDescription = myDescription.Replace("'", "\\'").Replace(etc);

Another thing. I would think that escaping the single quotes in the input
string would be all that's necessary to make the string safe. Is this
correct?

Chris
Nov 15 '05 #1
Managing all the exotic characters in a string is
difficult, and ADO can do it for you!

Just create a parameter instance, declare its value and
add it to the Parameters collection of the Command object
-----Original Message-----
In manually creating SQL queries, it would be nice to have a Framework
function that makes input strings safe to add in a manner like this:
myDescription = MethodToMakeStringQuerySafe(myDescription);
new SqlCommand(
String.Format("INSERT INTO Descriptions (Description) VALUES '{0}'", myDescription)
).ExecuteNonQuery(); //yes, I know this isn't very good
Is there any such thing? Or must I be relegated to doing something like
myDescription = myDescription.Replace("'", "\\'").Replace(etc);
Another thing. I would think that escaping the single quotes in the input
string would be all that's necessary to make the string safe. Is this
correct?

Chris

Nov 15 '05 #2
SqlCommand.Parameters.Add() is what you're after. It will handle escaping
and formatting so that the server understands (quoting text, not quoting
numbers, formatting dates). It also stops your users being able to type
things like "hello'GO;DROP DATABASE ..." in a text box and having the
execution of that sql command do very nasty things.

Niall

"Chris Capel" <ch***@ibanktech.net.zerospam> wrote in message
news:eL**************@TK2MSFTNGP12.phx.gbl...
In manually creating SQL queries, it would be nice to have a Framework
function that makes input strings safe to add in a manner like this:

myDescription = MethodToMakeStringQuerySafe(myDescription);

new SqlCommand(
String.Format("INSERT INTO Descriptions (Description) VALUES '{0}'",
myDescription)
).ExecuteNonQuery(); //yes, I know this isn't very good

Is there any such thing? Or must I be relegated to doing something like

myDescription = myDescription.Replace("'", "\\'").Replace(etc);

Another thing. I would think that escaping the single quotes in the input
string would be all that's necessary to make the string safe. Is this
correct?

Chris

Nov 15 '05 #3
This is very nice, but how exactly would I use a SqlParameter in a
SqlCommand that I don't make using the designer? Specifically, how would I
reference the parameter from the SQL query string I give to the SqlCommand?

Chris

"Niall" <as**@me.com> wrote in message
news:ut**************@TK2MSFTNGP10.phx.gbl...
SqlCommand.Parameters.Add() is what you're after. It will handle escaping
and formatting so that the server understands (quoting text, not quoting
numbers, formatting dates). It also stops your users being able to type
things like "hello'GO;DROP DATABASE ..." in a text box and having the
execution of that sql command do very nasty things.

Niall

"Chris Capel" <ch***@ibanktech.net.zerospam> wrote in message
news:eL**************@TK2MSFTNGP12.phx.gbl...
In manually creating SQL queries, it would be nice to have a Framework
function that makes input strings safe to add in a manner like this:

myDescription = MethodToMakeStringQuerySafe(myDescription);

new SqlCommand(
String.Format("INSERT INTO Descriptions (Description) VALUES '{0}'",
myDescription)
).ExecuteNonQuery(); //yes, I know this isn't very good

Is there any such thing? Or must I be relegated to doing something like

myDescription = myDescription.Replace("'", "\\'").Replace(etc);

Another thing. I would think that escaping the single quotes in the input string would be all that's necessary to make the string safe. Is this
correct?

Chris


Nov 15 '05 #4
Like this:

SqlCommand Command = new SqlCommand("SELECT * FROM Table WHERE Field = @FieldValue");
Command.Connection = ConnectionObject;
Command.Parameters.Add("@FieldValue", "HELLO");
<etc etc>

Niall

"Chris Capel" <ch***@ibanktech.net.zerospam> wrote in message
news:u5**************@tk2msftngp13.phx.gbl...
This is very nice, but how exactly would I use a SqlParameter in a
SqlCommand that I don't make using the designer? Specifically, how would I
reference the parameter from the SQL query string I give to the SqlCommand?
Chris

"Niall" <as**@me.com> wrote in message
news:ut**************@TK2MSFTNGP10.phx.gbl...
SqlCommand.Parameters.Add() is what you're after. It will handle escaping
and formatting so that the server understands (quoting text, not quoting
numbers, formatting dates). It also stops your users being able to type
things like "hello'GO;DROP DATABASE ..." in a text box and having the
execution of that sql command do very nasty things.

Niall

"Chris Capel" <ch***@ibanktech.net.zerospam> wrote in message
news:eL**************@TK2MSFTNGP12.phx.gbl...
In manually creating SQL queries, it would be nice to have a Framework
function that makes input strings safe to add in a manner like this:

myDescription = MethodToMakeStringQuerySafe(myDescription);

new SqlCommand(
String.Format("INSERT INTO Descriptions (Description) VALUES '{0}'", myDescription)
).ExecuteNonQuery(); //yes, I know this isn't very good

Is there any such thing? Or must I be relegated to doing something like
myDescription = myDescription.Replace("'", "\\'").Replace(etc);

Another thing. I would think that escaping the single quotes in the
input string would be all that's necessary to make the string safe. Is this
correct?

Chris



Nov 15 '05 #5
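A fuller version of Niall's answer, added here as an example and not posted by anyone in the thread: the asker's string-built INSERT is kept beside the parameterized form so the difference is visible. The table and column names (Descriptions, Description) come from the original question; the column type NVARCHAR(200), the connection string and the static class SafeInsert are assumptions for the sake of the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumes a table
// Descriptions(Description NVARCHAR(200)) reachable through the placeholder
// connection string below.
static class SafeInsert
{
    // BEFORE: what the original post sketched. Any single quote in the input
    // (e.g. "O'Reilly") terminates the literal early, so the text the user
    // typed decides where data ends and SQL begins.
    static string BuildUnsafeSql(string description)
    {
        return String.Format(
            "INSERT INTO Descriptions (Description) VALUES ('{0}')", description);
    }

    // AFTER: the query text is a constant containing the placeholder
    // @Description; the value is sent to SQL Server as a typed parameter, so
    // quotes, semicolons or "GO" inside it are stored as plain data.
    static int InsertDescription(SqlConnection conn, string description)
    {
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Descriptions (Description) VALUES (@Description)", conn))
        {
            // Declaring type and size explicitly (instead of letting the
            // provider infer them from the .NET value) keeps the query plan
            // stable and makes over-long input fail instead of being
            // silently truncated. Assumed column type: NVARCHAR(200).
            SqlParameter p = cmd.Parameters.Add("@Description", SqlDbType.NVarChar, 200);
            p.Value = description ?? (object)DBNull.Value;
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        string userInput = "O'Reilly";

        // The string-built statement is only printed, never executed: the
        // stray quote shows exactly where the literal would be broken.
        Console.WriteLine(BuildUnsafeSql(userInput));

        // Placeholder connection string; replace with the real one.
        string connString = "Server=(local);Database=AppDb;Integrated Security=true";
        using (SqlConnection conn = new SqlConnection(connString))
        {
            conn.Open();
            int rows = InsertDescription(conn, userInput);
            Console.WriteLine("Rows inserted: " + rows);
        }
    }
}
```

The three-argument Add(name, SqlDbType, size) overload used here exists in .NET 1.1 as well as later versions; the two-argument Add(string, object) shown in the reply above was marked obsolete in .NET 2.0 in favour of AddWithValue, which infers the type from the value. On the asker's second question: doubling single quotes is the escaping rule for T-SQL string literals (SQL Server does not treat a backslash as an escape character, so Replace("'", "\\'") would not make the string safe there), but escaping by hand still leaves every other literal type, encoding and date format to get right, which is exactly the work parameters take away.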
