Avoiding SQL injection
After much playing around and problems, I finally figured out how to add safe parameters to an ODBC command. Here is a sample....
OdbcCommand postcomment = new OdbcCommand("insert into comments values ('"+newguid+"','"+itemid+"',?)", temp);
Here the ? is the placeholder for the first and only parameter, which is passed into the command using..
postcomment.Parameters.AddWithValue("@comment", comment);
then
postcomment.ExecuteNonQuery();
If you include more than one ? placeholder, the parameters must be added in the same order in which the placeholders appear in your original command text.
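As an added example (not the post's own code), here is the same insert with all three values bound as positional ODBC parameters, so that neither the id values nor the comment text is ever concatenated into the SQL string. It assumes the table is comments(guid, itemid, comment) and that an open OdbcConnection is passed in; the parameter names p_guid, p_itemid and p_comment are labels chosen here, since the ODBC provider binds by position and ignores them.

```csharp
using System;
using System.Data.Odbc;

// Added example, not the original post's code: inserts a comment row with
// every value bound as a positional ODBC parameter, so no caller-supplied
// text is ever concatenated into the SQL string. Assumes a table
// comments(guid, itemid, comment) and an already-open OdbcConnection.
static class CommentStore
{
    public static int InsertComment(OdbcConnection conn, Guid newGuid, string itemId, string comment)
    {
        // Three '?' placeholders; the ODBC provider binds them by position, not by name.
        const string sql = "insert into comments (guid, itemid, comment) values (?, ?, ?)";

        using (var cmd = new OdbcCommand(sql, conn))
        {
            // Add parameters in exactly the order the '?' placeholders appear.
            // The names given here are only labels (assumed names); ODBC ignores them.
            cmd.Parameters.AddWithValue("p_guid", newGuid.ToString());
            cmd.Parameters.AddWithValue("p_itemid", itemId);
            // Explicit type for the free-text field so an empty or very long
            // string does not change the inferred parameter type.
            cmd.Parameters.Add("p_comment", OdbcType.VarChar).Value = comment ?? string.Empty;

            // Returns the number of rows affected (1 on a successful insert).
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Because the values travel as bound parameters rather than as part of the statement text, a comment such as "'); delete from comments; --" is stored verbatim as data and never interpreted as SQL. If the parameters were added in a different order from the placeholders, the values would silently land in the wrong columns, which is why the ordering rule above matters.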