Thomas Sampson

Avoiding SQL injection


After much playing around and problems I finally figured out how to add safe parameters into an ODBC command. Here is a sample:

// temp is the open OdbcConnection; the ? is a positional placeholder for the comment value,
// while newguid and itemid are still concatenated into the command text
OdbcCommand postcomment = new OdbcCommand("insert into comments values ('" + newguid + "','" + itemid + "',?)", temp);

Here the ? represents the first and only parameter to be passed into the command, using:

postcomment.Parameters.AddWithValue("@comment", comment);

then

postcomment.ExecuteNonQuery();

If you include more than one ? placeholder, the parameters must be added in the same order as the placeholders appear in your original command text; ODBC binds by position, so the name given to AddWithValue is ignored.
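The sample above only parameterizes the comment; newguid and itemid are still spliced into the command text, so if either of them ever came from a request rather than from code you control, the injection problem would simply move to those values. The following is an added example, not the post's own code, that binds all three values as positional parameters and uses typed parameters so the driver, not the string, decides how each value is encoded. It assumes a table comments(id, itemid, comment) and a connection string of your own (both placeholders).

```csharp
using System;
using System.Data;
using System.Data.Odbc;

// Added example (not from the original post). Assumed schema:
//   comments(id CHAR(36), itemid INT, comment NVARCHAR)
public static class CommentRepository
{
    public static int InsertComment(OdbcConnection conn, Guid newguid, int itemid, string comment)
    {
        // Every value is a placeholder; the SQL text never contains request data.
        const string sql = "insert into comments (id, itemid, comment) values (?, ?, ?)";

        using (OdbcCommand postcomment = new OdbcCommand(sql, conn))
        {
            // ODBC placeholders are positional: the names below are documentation only,
            // the order of these Add calls must match the order of the '?' marks.
            postcomment.Parameters.Add("@id", OdbcType.Char, 36).Value = newguid.ToString();
            postcomment.Parameters.Add("@itemid", OdbcType.Int).Value = itemid;
            postcomment.Parameters.Add("@comment", OdbcType.NVarChar).Value =
                comment == null ? (object)DBNull.Value : comment;

            return postcomment.ExecuteNonQuery();
        }
    }

    // Validate the item id before it reaches the database layer: the parameter
    // already prevents injection, but a non-numeric id should be rejected, not guessed.
    public static bool TryParseItemId(string raw, out int itemid)
    {
        return int.TryParse(raw, out itemid) && itemid > 0;
    }

    public static void Main()
    {
        // Placeholder DSN; replace with your own connection string.
        const string connectionString = "DSN=YOUR_DSN_HERE";

        // Constructed sample input: a request would supply these as strings.
        string rawItemId = "42";
        string comment = "O'Reilly's book is great"; // the apostrophe is sent as data, not SQL

        if (!TryParseItemId(rawItemId, out int itemid))
        {
            Console.WriteLine("Rejected item id: " + rawItemId);
            return;
        }

        using (OdbcConnection conn = new OdbcConnection(connectionString))
        {
            conn.Open();
            int rows = InsertComment(conn, Guid.NewGuid(), itemid, comment);
            Console.WriteLine("Rows inserted: " + rows);
        }
    }
}
```

The comment containing an apostrophe is the quick check that the binding works: with string concatenation it would break the statement, with the parameter it is stored verbatim.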


Author: tomtech999

I have recently graduated with a 1st class degree in MComp Games Software Development at Sheffield Hallam University, focusing primarily on application development in C++, with experience in graphics programming, scripting languages, DVCS/VCS and web technology. In my spare time I enjoy Drumming, Reading and Snowboarding!
