Reputation: 2768
C# ASP.NET SQL Parameterize
I have seen some examples how to use parameters to avoid character escaping. Does using parameters is 100% safe against SQL injection?
Also, can you please give some basic queries (which are reguraly used), and how you implement the parameters?
Some websites I searched before I came here provided too complicated examples.
Upvotes: 0
Views: 215
Answers (2)
Reputation: 9503
A basic example of a parameterized SQL query is as follows:
SqlCommand command = new SqlCommand(@"select city from users where username = @username", conn);
SqlParameter param = new SqlParameter();
param.ParameterName = "@username";
param.Value = "abc123"
command.Parameters.Add(param);
conn is the SqlConnection that you've established.
@username is the parameter name that will be substituted when the command is executed.
abc123 is the made up username that I've put for the example.
This is obviously a made up scenario, but you get the point.
Upvotes: 2
Reputation: 487
As a shorter version you can use
SqlCommand command = new SqlCommand(@"select city from users where username = @username", conn);
command.Parameters.AddWithValue("@username", "value");
Upvotes: 0
Related Questions
- parameterized sql query - asp.net / c#
- Sql Parameter Collection
- parameter value passsing in c# asp.net
- SQL parametrized query. Adding unnecessary parameters
- Adding SQL Parameters in C#
- SQL Server parameters C#
- Create SQL parameters programmatically
- Query with parameters in C# (using SQL Server)
- Adding Parameter SQL IN
- SQL Table Parameters