Re: Which one is better between these two approaches?
- From: Göran Andersson <guffa@xxxxxxxxx>
- Date: Thu, 05 Jul 2007 14:19:32 +0200
Rolandpish wrote:
Hi, I'm doing an application using C# and I have this question:
I have a method called sqlQueryBD which receives a string sql query and executes it against a database.
I also have a class called sqlCompat which has one property "sqlText" with its getter and setter methods. The purpose of this class is to translate the receiving sql query into an "escaped" sql query, for instance:
insert into people values ('cod001','Carl Johnson','\\computer\directory\file01.txt')
is translated into:
insert into people values ('cod001','Carl Johnson','\\\\computer\\directory\\file01.txt')
When you have put together the values into a query, it's too late to safely escape the values. If someone uses apostrophes somewhere:
insert into people values ('a00','John 'Noone' Doe','\\computer\directory\file01.txt')
How should the code know that the fourth and fifth apostrophes are to be escaped?
You need to escape each value before you put it in the query. You should consider using parameters, as [someone, can't see the thread right now] suggested.
--
Göran Andersson
_____
http://www.guffa.com
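The point of the reply, shown as an added example that is not part of the thread: once the values are inside the statement text, an escaper cannot tell the delimiter apostrophes from the ones in the data, so escaping has to happen per value before assembly, or be avoided entirely with parameters. The example uses Python's built-in sqlite3 module instead of C# and ADO.NET so that it runs stand-alone with no database server; the table name people, the row with "John 'Noone' Doe" and the UNC path are modelled on the messages above, and the column names cod, name and path are assumed.

```python
import sqlite3

# Constructed sample row, modelled on the example in the reply: the name
# contains apostrophes, the path contains backslashes.
SAMPLE_ROW = ("a00", "John 'Noone' Doe", r"\\computer\directory\file01.txt")


def new_db() -> sqlite3.Connection:
    """In-memory SQLite database with a 'people' table (column names assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table people (cod text, name text, path text)")
    return conn


def concatenate(cod: str, name: str, path: str) -> str:
    """The query assembled by string concatenation, as in the question."""
    return f"insert into people values ('{cod}','{name}','{path}')"


def escape_whole_query(sql: str) -> str:
    """The sqlCompat idea applied to apostrophes: the finished statement is
    post-processed. The code cannot distinguish delimiter quotes from data
    quotes, so every quote is doubled and the delimiters are destroyed too."""
    return sql.replace("'", "''")


def escape_value(value: str) -> str:
    """Per-value escaping done *before* assembly: doubling an apostrophe is
    the standard SQL way to embed one in a single-quoted literal. Other
    characters (e.g. backslashes) need dialect-specific handling."""
    return value.replace("'", "''")


def try_insert(conn: sqlite3.Connection, sql: str, params=None) -> str:
    """Run one statement; return the stored name on success, or the error text."""
    try:
        conn.execute(sql, params or ())
    except sqlite3.Error as exc:
        return f"error: {exc}"
    return conn.execute("select name from people").fetchone()[0]


def compare_approaches(row=SAMPLE_ROW) -> dict:
    """Run the same row through four ways of building the INSERT."""
    cod, name, path = row
    results = {}
    # 1. No escaping: the apostrophes in the name terminate the literal early.
    results["unescaped"] = try_insert(new_db(), concatenate(cod, name, path))
    # 2. Escaping the finished query: delimiters and data are indistinguishable,
    #    so the statement no longer parses.
    results["escape_after"] = try_insert(
        new_db(), escape_whole_query(concatenate(cod, name, path)))
    # 3. Escaping each value first: correct for this input, but the rule must
    #    be applied to every value and must match the database's dialect.
    results["escape_before"] = try_insert(
        new_db(), concatenate(escape_value(cod), escape_value(name), escape_value(path)))
    # 4. Parameters: the driver keeps SQL text and data separate; nothing to escape.
    results["parameters"] = try_insert(
        new_db(), "insert into people values (?, ?, ?)", row)
    return results


if __name__ == "__main__":
    for approach, outcome in compare_approaches().items():
        print(f"{approach:14} -> {outcome}")
```

The first two approaches fail with a syntax error on this row; the third works only because the escaper ran on each value before the quotes were added; the fourth needs no escaping at all, which is why parameters are the recommended option. Note that the doubled backslashes in the question's "translated" query are a feature of some database dialects and not of SQLite, another reason hand-rolled escaping is fragile.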