Parameters In Queries

A C++ .Net example using parameters. Note that AddWithValue infers the SQL type from the .NET type of the value it is given, so wrapping integers in Convert::ToString sends them as strings and leaves SQL Server to convert them on its side; passing the native values (or using Parameters->Add with an explicit SqlDbType) keeps the types honest. The parameter approach is what matters: the SQL text never changes, only the bound values do.

    SqlCommand1->CommandType = CommandType::Text;
    SqlCommand1->Parameters->AddWithValue("@Type", Convert::ToString(Type));
    SqlCommand1->Parameters->AddWithValue("@LocationId", Convert::ToString(LocationId));
    SqlCommand1->Parameters->AddWithValue("@EventDateTime", EventDateTime->ToString("s"));
    SqlCommand1->Parameters->AddWithValue("@TagId", Convert::ToString(TagId));
    SqlCommand1->Parameters->AddWithValue("@TagScore", Convert::ToString(TagScore));
    SqlCommand1->Parameters->AddWithValue("@SourceId", SourceId);
    SqlCommand1->CommandText = "DELETE FROM tblMyTable WHERE Something = @LocationId";
    SqlCommand1->ExecuteNonQuery();
    SqlCommand1->CommandText = "INSERT INTO tblMyTable ( \
        Added, \
        Type, \
        LocationId, \
        EventDateTime, \
        TagId, \
        TagScore, \
        SourceId \
        ) VALUES ( \
        […]

Read More

Sanitizing Queries

Use parameter-based queries instead of trying to sanitize strings: it is both safer and easier. A sanitizer has to anticipate every context a value can land in (quoted string, bare number, identifier), while a bound parameter is never parsed as SQL at all. Good resources: http://stackoverflow.com/questions/249567/algorithm-to-avoid-sql-injection-on-mssql-server-from-c-sharp-code

C++ .Net example of a parameter-based query:

    SqlConnection1->Open();
    SqlClient::SqlDataAdapter ^SqlDataAdaptor1 = gcnew SqlClient::SqlDataAdapter();
    SqlDataAdaptor1->MissingSchemaAction = MissingSchemaAction::AddWithKey;
    DataSet ^DataSet1 = gcnew DataSet();
    SqlClient::SqlCommand ^SqlCommand1 = gcnew SqlClient::SqlCommand();
    SqlCommand1->Connection = SqlConnection1;
    SqlClient::SqlCommandBuilder ^CmdBuilder1 = gcnew SqlClient::SqlCommandBuilder();
    CmdBuilder1->DataAdapter […]

Read More
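To show concretely why the two posts above prefer parameters over sanitizing, here is an added example that is not part of either post. It is written in Python against an in-memory SQLite database (rather than the posts' C++ .Net and SQL Server) so it runs offline; the tblMyTable column list is taken from the INSERT in the first excerpt, while the sample rows, the column types and the helper names are constructed for this demonstration. The same DELETE is run three ways: by string concatenation, by concatenation after a quote-escaping "sanitizer", and with a bound parameter after type validation.

```python
import sqlite3

# Constructed sample rows for tblMyTable (the table and column names come from
# the page; the contents are made up for this example). Column order:
# Added, Type, LocationId, EventDateTime, TagId, TagScore, SourceId.
SAMPLE_ROWS = [
    ("2020-01-01T08:00:00", "Entry", 1, "2020-01-01T08:00:00", 101, 5, "gateA"),
    ("2020-01-01T08:05:00", "Entry", 2, "2020-01-01T08:05:00", 102, 7, "gateB"),
    ("2020-01-01T08:10:00", "Exit",  3, "2020-01-01T08:10:00", 103, 2, "gateC"),
]


def fresh_db():
    """Create an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tblMyTable ("
        " Added TEXT, Type TEXT, LocationId INTEGER, EventDateTime TEXT,"
        " TagId INTEGER, TagScore INTEGER, SourceId TEXT)"
    )
    conn.executemany("INSERT INTO tblMyTable VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def escape_quotes(value):
    """A typical home-grown 'sanitizer': double every single quote."""
    return value.replace("'", "''")


def delete_by_concat(conn, location_id):
    """VULNERABLE: the user-supplied value is pasted into the SQL text."""
    conn.execute("DELETE FROM tblMyTable WHERE LocationId = " + location_id)


def delete_by_sanitize(conn, location_id):
    """STILL VULNERABLE: quote-escaping does nothing in a numeric context,
    because an injected predicate such as '2 OR 1=1' needs no quote at all."""
    conn.execute("DELETE FROM tblMyTable WHERE LocationId = " + escape_quotes(location_id))


def delete_by_param(conn, location_id):
    """SAFE: validate the type, then bind the value as a parameter. The SQL
    text is fixed; the driver sends the value separately, never as SQL."""
    conn.execute("DELETE FROM tblMyTable WHERE LocationId = ?", (int(location_id),))


def rows_left_after(delete_fn, user_input):
    """Run one deletion strategy on a fresh database and report how many rows
    survive, or the name of the exception that rejected the input."""
    conn = fresh_db()
    try:
        delete_fn(conn, user_input)
        conn.commit()
    except (ValueError, sqlite3.Error) as exc:
        return type(exc).__name__
    return conn.execute("SELECT COUNT(*) FROM tblMyTable").fetchone()[0]


if __name__ == "__main__":
    # A legitimate id removes one of three rows; the injected id removes all
    # three under concatenation, sanitized or not, and is rejected when bound.
    for strategy in (delete_by_concat, delete_by_sanitize, delete_by_param):
        print(
            f"{strategy.__name__:20s}"
            f" legit -> {rows_left_after(strategy, '2')} rows left,"
            f" injected -> {rows_left_after(strategy, '2 OR 1=1')}"
        )
```

The quote-escaping sanitizer is exactly as effective as the concatenation it wraps: the payload contains no quote, so nothing is escaped and the whole table is deleted. In the SqlClient code from the excerpts, the bound-parameter line corresponds to a fixed CommandText plus `Parameters->Add("@LocationId", SqlDbType::Int)->Value = LocationId` (or AddWithValue with the native integer), which is the pattern the posts recommend.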