Reputation: 65
How can I parameterize this piece of code?
I have got this piece of code, I want to prevent SQL Injection...
MySqlCommand command = new MySqlCommand("Update Cliente set blacklist='true' WHERE ID ='" + txtid.Text +"'", mConn);
command.ExecuteNonQuery();
I tried to do this:
MySqlCommand command = new MySqlCommand("Update Cliente set blacklist=@bl WHERE ID ='" + "@id" + "'", mConn);
command.Parameters.AddWithValue("@id", txtid.Text);
command.Parameters.AddWithValue("@bl", 1);
command.ExecuteNonQuery();
blacklist is bool so 1 = true. It doesn't give any erros but It's not working, It's supposed to work like this:
I have a form with a field, I put in an ID that exists in the table Cliente, click the button and it will Update the blacklist field to 'true' where the ID is the same as the one I typed in the textbox.
Upvotes: 0
Views: 46
Answers (2)
Reputation: 263723
The second parameter will not work because you are wrapping it with single quotes. Remove the singel quotes around the parameter and it will work. Keep in mind the parameters are identifiers and not string literals.
UPDATE Cliente SET blacklist = @bl WHERE ID = @id
Upvotes: 0
Reputation: 58615
change this:
MySqlCommand command =
new MySqlCommand("Update Cliente set blacklist=@bl WHERE ID ='" + "@id" + "'",
mConn);
to this:
MySqlCommand command =
new MySqlCommand("Update Cliente set blacklist=@bl WHERE ID =@id",
mConn);
You don't need to quote parameters in the SQL code, the whole point using parameters is to let the DB engine take care of data substitution.
Upvotes: 2
Related Questions
- C# Parameterized MySQL query
- Parameterized Query for MySQL with C#
- c# change parameter for sql in loop
- Add parameters in query on c#
- how to change sql statement to parameterized query?
- How to add parameters to SQL when using
- Creating and then working with parameters in queries
- Why won't this C# database application with parameterized sql work?
- input parameter to mysql syntax on C#
- C# MySQL Parameterized Query Problem