RP,
There is another post in this thread with a link describing SQL
injection.
As for things being complicated in C#, and working in VB.NET, I don't
think it is a matter of complication.
First, SQL Server works under a locale, and when confronted with a date
in string form that is not the universal format in SQL Server (either
'yyyy-MM-dd' or 'yyyyMMdd' in .NET date format terms) it will try to parse
it using the locale that SQL Server is running in (and maybe some others, I
am not sure).
If the locale of the SQL Server and the locale of the client running the
code and converting the string to be sent are different, you have a good
chance that SQL Server will not understand the string.
Now, when you use the + operator when concatenating strings, it is going
to call ToString on the operands. In this case, the DateTime will have
ToString called on it, using the current thread's culture info to determine
the format to represent the date in. How VB does this I do not know, as the
language might be resorting to a different conversion method than C# (when
using the concatenator in the language).
This is why calling ToString explicitly with that date format will
always work.
However, it is better to use the parameterized command, as it will
convert directly from the .NET type without you having to worry about any of
that.
--
- Nicholas Paldino [.NET/C# MVP]
-
mv*@spam.guard.caspershouse.com
"RP" <rp*********@gmail.com> wrote in message
news:11**********************@x35g2000prf.googlegroups.com...
Nicholas,
Finally this:
int myRes = ModRes.InsertNewRecord("insert into TestDate values ('" +
myDate.ToString("yyyy-MM-dd") + "')");
worked.
I wonder how things have become complicated in C#. I have been using VB.NET
but did not encounter such a problem. Please let me know whether myDate
used must be of type DateTime or String.
What is SQL Injection?
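The three approaches discussed in this exchange side by side, as an added example that is not code from either poster. It assumes the TestDate table from RP's snippet has a single datetime column, uses a plain SqlCommand in place of the ModRes.InsertNewRecord helper (which is not shown in the thread), and takes the connection string as an argument; the sample date and the injection payload are constructed for the demonstration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // Microsoft.Data.SqlClient has the same API on newer .NET
using System.Globalization;
using System.Threading;

// Added example for this thread, not code from the original posts.
// Assumes: TestDate(d datetime) as in RP's snippet; ModRes.InsertNewRecord is
// not available here, so a plain SqlCommand is used instead.
static class DateInsertDemo
{
    // The concatenation from the post: + calls DateTime.ToString(), which uses
    // the current thread's culture, so the SQL text changes with the culture.
    public static string ConcatenatedSql(DateTime myDate)
    {
        return "insert into TestDate values ('" + myDate + "')";
    }

    // The explicit format that "worked": the literal no longer depends on the
    // client culture, but the date is still embedded in the SQL text.
    public static string ExplicitFormatSql(DateTime myDate)
    {
        return "insert into TestDate values ('" + myDate.ToString("yyyy-MM-dd") + "')";
    }

    // Why the string version is also an injection hole: a string that came from
    // a user rather than from a DateTime is spliced into the statement verbatim.
    public static string ConcatenatedSql(string userSuppliedDate)
    {
        return "insert into TestDate values ('" + userSuppliedDate + "')";
    }

    // The recommended approach: the value is sent as a typed parameter, never as
    // part of the SQL text, so neither the client culture nor the server's
    // language/date settings matter, and input cannot change the statement.
    public static SqlCommand ParameterizedInsert(SqlConnection conn, DateTime myDate)
    {
        var cmd = new SqlCommand("insert into TestDate values (@d)", conn);
        cmd.Parameters.Add("@d", SqlDbType.DateTime).Value = myDate;
        return cmd;
    }

    // If the value arrives as text (RP's question about String vs DateTime):
    // parse it into a DateTime first, then pass the DateTime as a parameter.
    // Anything that is not a date in the expected format is rejected outright.
    public static int InsertRecord(string connectionString, string userSuppliedDate)
    {
        if (!DateTime.TryParseExact(userSuppliedDate, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out DateTime parsed))
            throw new ArgumentException("date must be in yyyy-MM-dd form", nameof(userSuppliedDate));

        using (var conn = new SqlConnection(connectionString))   // assumed connection string
        using (var cmd = ParameterizedInsert(conn, parsed))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();   // rows inserted
        }
    }

    // Offline demonstration: no server is contacted, only the SQL text is shown.
    public static void Main()
    {
        var myDate = new DateTime(2007, 3, 4, 13, 30, 0);   // constructed sample value

        foreach (var name in new[] { "en-US", "de-DE", "en-GB" })
        {
            Thread.CurrentThread.CurrentCulture = new CultureInfo(name);
            Console.WriteLine($"{name,-6} {ConcatenatedSql(myDate)}");
        }

        Console.WriteLine("fixed  " + ExplicitFormatSql(myDate));

        // Constructed injection payload: closes the literal, adds a statement.
        string hostile = "2007-03-04'); delete from TestDate; --";
        Console.WriteLine("hostile " + ConcatenatedSql(hostile));

        // With a parameter the command text is constant; the value travels separately.
        using (var conn = new SqlConnection("Server=.;Database=Test;Integrated Security=true"))
        using (var cmd = ParameterizedInsert(conn, myDate))
        {
            Console.WriteLine("param   " + cmd.CommandText + "  @d=" + cmd.Parameters["@d"].Value);
        }
    }
}
```

Running Main shows the same DateTime producing three different literals under en-US, de-DE and en-GB; the de-DE form ('04.03.2007 ...') is not understood by a server running in US English, and the en-GB form ('04/03/2007 ...') is worse, because under SQL Server's default us_english DATEFORMAT (mdy) it is accepted and read as 3 April rather than 4 March. The explicit "yyyy-MM-dd" format and the parameter both avoid the culture problem, but only the parameter also closes the injection hole shown with the hostile string, and it removes any dependence on the server's SET LANGUAGE / SET DATEFORMAT settings as well. If the date arrives from a user as a string, InsertRecord shows the safe path: parse with TryParseExact against an explicit format and the invariant culture, then pass the resulting DateTime as the parameter value.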