user16951074

MySQL parameterized query is functioning like it is not parameterized in C# application

I keep getting this error: MySql.Data.MySqlClient.MySqlException: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Feature: SecurityTesting @mytag Scenario: SQL Injection Given I visit ' at line 1'

The parameter Gherkin is the one causing the query to fail. I have tried both ? and @ as parameter prefixes and nothing changes.

Here's my code:

    using System.Configuration;
    using System.Data;
    using MySql.Data.MySqlClient;

    // Upsert statement the error message refers to; the values are supplied through MySqlParameter objects below
    string CommandText = " INSERT INTO Feature(`Path`, Gherkin, RepoID, `Name`, Updated) VALUES (?Path,  ?Gherkin , ?RepoID, ?Name, ?Updated) ON DUPLICATE KEY UPDATE Gherkin = VALUES(?Gherkin); ";

    using (MySqlConnection connection = new MySqlConnection())
    {
        connection.ConnectionString = ConfigurationManager.ConnectionStrings["TAF_DB"].ConnectionString;
        using (MySqlCommand command = new MySqlCommand())
        {
            // One parameter per placeholder in the statement
            var gherkinParam = new MySqlParameter("Gherkin", test.Gherkin);
            //var gherkinParam = new MySqlParameter("Gherkin", MySqlDbType.VarChar);
            var pathParam = new MySqlParameter("Path", MySqlDbType.VarChar);
            var RepoIDParam = new MySqlParameter("RepoID", MySqlDbType.Int64);
            var nameParam = new MySqlParameter("Name", MySqlDbType.VarChar);
            var updatedParam = new MySqlParameter("Updated", MySqlDbType.VarChar);

            gherkinParam.Value = test.Gherkin;
            command.Parameters.Add(gherkinParam);
            pathParam.Value = test.Path;
            command.Parameters.Add(pathParam);
            RepoIDParam.Value = test.RepoID;
            command.Parameters.Add(RepoIDParam);
            nameParam.Value = test.Name;
            command.Parameters.Add(nameParam);
            updatedParam.Value = test.Updated;
            command.Parameters.Add(updatedParam);

            command.Connection = connection;
            command.CommandType = CommandType.Text;
            command.CommandText = CommandText;
            connection.Open();
            command.ExecuteNonQuery();
            connection.Close();
        }
    }

Upvotes: 0

Views: 313

Answers (1)

forpas

Reputation: 164069

You should use the name of the column Gherkin inside the function VALUES() and not the named parameter ?Gherkin:

UPDATE Gherkin = VALUES(Gherkin)

Upvotes: 2
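The same upsert with the clause corrected as the answer describes, written out as an added example rather than the asker's or forpas's code. Parameter placeholders appear only where a value belongs; inside VALUES() in the ON DUPLICATE KEY UPDATE clause MySQL expects a column name, so putting a placeholder there makes the driver substitute the feature text as a string literal and the statement no longer parses. The example assumes the MySql.Data provider, the "TAF_DB" connection string name from the question, and a hypothetical FeatureRecord type standing in for the asker's `test` object.

```csharp
// Added example (not from the original question or answer).
// Assumes MySql.Data (MySql.Data.MySqlClient), a connection string named
// "TAF_DB" as on the page, and a hypothetical FeatureRecord type.
using System;
using System.Configuration;
using System.Data;
using MySql.Data.MySqlClient;

public sealed class FeatureRecord
{
    public string Path { get; set; }
    public string Gherkin { get; set; }
    public long RepoID { get; set; }
    public string Name { get; set; }
    public string Updated { get; set; }
}

public static class FeatureRepository
{
    // Placeholders (@Path, @Gherkin, ...) are used only in the VALUES list,
    // where a value is expected. In the ON DUPLICATE KEY UPDATE clause,
    // VALUES(Gherkin) names the column whose just-inserted value should be
    // reused; a placeholder there would be expanded to a quoted string
    // literal, which is the syntax error reported in the question.
    private const string UpsertSql =
        "INSERT INTO Feature (`Path`, Gherkin, RepoID, `Name`, Updated) " +
        "VALUES (@Path, @Gherkin, @RepoID, @Name, @Updated) " +
        "ON DUPLICATE KEY UPDATE Gherkin = VALUES(Gherkin);";

    // Returns the affected-row count reported by MySQL for the upsert.
    public static int Upsert(FeatureRecord test)
    {
        string connectionString =
            ConfigurationManager.ConnectionStrings["TAF_DB"].ConnectionString;

        using (var connection = new MySqlConnection(connectionString))
        using (var command = new MySqlCommand(UpsertSql, connection))
        {
            command.CommandType = CommandType.Text;

            // Typed parameters: the provider handles quoting and escaping, so a
            // Gherkin body such as "Given I visit '...'" is stored verbatim and
            // is never interpreted as part of the statement.
            command.Parameters.Add("@Path", MySqlDbType.VarChar).Value = test.Path;
            command.Parameters.Add("@Gherkin", MySqlDbType.Text).Value = test.Gherkin;
            command.Parameters.Add("@RepoID", MySqlDbType.Int64).Value = test.RepoID;
            command.Parameters.Add("@Name", MySqlDbType.VarChar).Value = test.Name;
            command.Parameters.Add("@Updated", MySqlDbType.VarChar).Value = test.Updated;

            connection.Open();
            return command.ExecuteNonQuery();
        }
    }
}
```

For INSERT ... ON DUPLICATE KEY UPDATE, MySQL reports 1 affected row for a fresh insert and 2 when an existing row was updated, so the return value of `Upsert` tells the caller which path was taken. The `@` prefix is used throughout because it is the form the MySql.Data documentation shows; the older `?` prefix is accepted by that provider as well, and the fix does not depend on which one is chosen.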
