C# ADO Executing Stored Procedure Problem

Plateforme Level Extreme

Abonnement

Profil corporatif

Produits & Services

Support

Légal

English

C# ADO Executing Stored Procedure Problem

Message

19/01/2009 15:52:00

Naomi Nosonovsky
Wisconsin, États-Unis

19/01/2009 15:22:49

Kevin Marois
Marois Consulting
Winchester, Californie, États-Unis

Information générale

Forum:

ASP.NET

Catégorie:

Code, syntaxe and commandes

Titre:

Re: C# ADO Executing Stored Procedure Problem

Divers

Thread ID:

01374697

Message ID:

01375247

Vues:

You should not if you want to avoid SQL injection attacks.

>Ok, I see.
>
>But could you not just do:
>
>

>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( '" + sValue1 + "','" + sValue2 + "' )";
>sc.ExecuteNonQuery();
>

>
>once for each new row in the DS?
>
>
>
>
>>>Now I'm confused.
>>>
>>>You have:
>>
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )"; >>>sc.Parameters.Clear(); >>>sc.Parameters.Add("@xyz", Row["xyz"]); >>>sc.Parameters.Add("@abc", Row["abc"]); >>>sc.ExecuteNonQuery(); >>
>>
>>>You could just as easily do:
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )"; >>>sc.ExecuteNonQuery(); >>
>>
>>>So what do the parameters do?
>>
>>
>>
>>Think about what you just wrote Kevin. What good is
>>

>>"Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>

>>
>>when @xyz and @abc aren't defined as anything?!?!?
>>
>>That's what this does, defines and adds the parameters to the Command object:
>>
>>

>>sc.Parameters.Clear();
>>sc.Parameters.Add("@xyz", Row["xyz"]);
>>sc.Parameters.Add("@abc", Row["abc"]);
>>

>>
>>~~Bonnie

If it's not broken, fix it until it is.

My Blog

Répondre

Fil

Voir

Click here to load this message in the networking platform