RE: Syntax error in insert statement?



SQL Injection is not done with code, it's done via user input into your
application. If you have trustworthy users it shouldn't be a concern;
otherwise you'd better make sure you're validating the user's input before you
concatenate it into your SQL.

"Josh Hawley" wrote:

> Yeah, those are valid points. I have a piece of code that I wrote that handles
> the ' chars, and security isn't an issue because no one but my code can
> connect to the server. However, this is not the case in other people's
> situations, so I probably shouldn't suggest it here.
>
> Can you point me to an example of C# code that uses the parameters?
>
> "dkocur" wrote:
>
> > Josh, Thanks for the reply. The ? are placeholders for parameters. There
> > are numerous reasons for using parameters instead of building the string as
> > you mention. I'll give you two:
> >
> > 1. Security. It prevents a SQL injection attack.
> > 2. I don't have to format strings such as this one to insert them. (Note
> > the apostrophe in the word don't.)
> >
> > I've managed to get it to work using named parameters, but I'd prefer to use
> > unnamed parameters to maximize performance.
> >
> > "Josh Hawley" wrote:
> >
> > > I'm not sure why you are putting question marks in there...
> > > I usually use a StringBuilder to make my queries; it helps a lot,
> > > especially when the queries get really long and complex (I have some that
> > > are 4 pages long). Something like this:
> > >
> > > using System.Text; // for StringBuilder
> > >
> > > string viewID = "1";
> > > string name = "Josh";
> > > string nameSpace = "namespace"; // "namespace" is a C# keyword, so it can't be a variable name
> > >
> > > StringBuilder query = new StringBuilder();
> > > query.AppendFormat("insert into BusDataObject (View_ID, Name, NameSpace) " +
> > >     "Values ('{0}', '{1}', '{2}')", viewID, name, nameSpace);
> > > // the {0} inserts the value into the string
> > > // it is important to have single quotes around any string values to prevent
> > > // them from running too long
> > >
> > >
> > >
> > > "dkocur" wrote:
> > >
> > > > "insert into BusDataObject (View_ID, Name, NameSpace) Values (?, ?, ?);"
> > > >
> > > > results in "Incorrect syntax near '?'."
> > > >
> > > > I'm using C# Express Beta 1 with SQL Server. I know it has to be something
> > > > simple, but I just can't figure it out.
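Added example, not code from any poster in this thread: the insert from the original question written with parameters through System.Data.SqlClient. SqlClient only understands named parameters (@Name); the "?" placeholders from the first post are the OleDb/Odbc convention, which is why SQL Server reports a syntax error on them. The connection string, the int type of View_ID and the column lengths are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterized insert for the BusDataObject table from the thread.
class BusDataObjectInsert
{
    // Inserts one row and returns the number of rows affected (1 on success).
    public static int Insert(string connectionString, int viewId, string name, string nameSpace)
    {
        // SqlClient requires named parameters; "?" placeholders are only
        // accepted by the OleDb and Odbc providers.
        const string sql =
            "INSERT INTO BusDataObject (View_ID, Name, NameSpace) " +
            "VALUES (@ViewId, @Name, @NameSpace);";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // The values travel separately from the statement text, so an
            // apostrophe (or anything else) inside the data is treated as data,
            // not as SQL. Types and lengths here are assumed, not from the thread.
            cmd.Parameters.Add("@ViewId", SqlDbType.Int).Value = viewId;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@NameSpace", SqlDbType.NVarChar, 100).Value = nameSpace;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    static void Main()
    {
        // Constructed sample input: the apostrophe in "O'Brien" is exactly the
        // case dkocur mentions, and it needs no escaping here.
        string connectionString = "Server=(local);Database=Test;Integrated Security=true;"; // assumed
        int rows = Insert(connectionString, 1, "O'Brien", "namespace");
        Console.WriteLine("Rows inserted: " + rows);
    }
}
```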