C# ADO Executing Stored Procedure Problem
Message
General information
Forum:
ASP.NET
Category:
Code, syntax and commands
Miscellaneous
Thread ID:
01374697
Message ID:
01375247
Views:
21
You should not if you want to avoid SQL injection attacks.

>Ok, I see.
>
>But could you not just do:
>
>
>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( '" + sValue1 + "','" + sValue2 + "' )";
>sc.ExecuteNonQuery();
>
>
>once for each new row in the DS?
>
>
>
>
>>>Now I'm confused.
>>>
>>>You have:
>>
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>>sc.Parameters.Clear();
>>>sc.Parameters.Add("@xyz", Row["xyz"]);
>>>sc.Parameters.Add("@abc", Row["abc"]);
>>>sc.ExecuteNonQuery();
>>
>>
>>>You could just as easily do:
>>
>>>sc.CommandText = "Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>>sc.ExecuteNonQuery();
>>
>>
>>>So what do the parameters do?

>>
>>
>>
>>Think about what you just wrote Kevin. What good is
>>
>>"Insert into bob (xyz, abc) VALUES ( @xyz, @abc )";
>>
>>
>>when @xyz and @abc aren't defined as anything?!?!?
>>
>>That's what this does, defines and adds the parameters to the Command object:
>>
>>
>>sc.Parameters.Clear();
>>sc.Parameters.Add("@xyz", Row["xyz"]);
>>sc.Parameters.Add("@abc", Row["abc"]);
>>
>>
>>~~Bonnie
If it's not broken, fix it until it is.
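The exchange above contrasts string concatenation with placeholders plus Parameters.Add. The following is an added example, not code from the original thread or its posters: it reproduces both INSERT patterns against an in-memory SQLite table named bob (via Python's sqlite3 module, which binds parameters the same way SqlCommand does), feeds each one a constructed attacker-controlled value, and returns what actually ended up in the table. The table schema, the payload string and the helper names are assumptions made for the demonstration.

```python
import sqlite3


def _fresh_db():
    # Assumed schema: two text columns, matching the column names used in the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bob (xyz TEXT, abc TEXT)")
    return conn


def insert_concat(conn, value1, value2):
    # Mirrors the concatenated form from the thread:
    #   "Insert into bob (xyz, abc) VALUES ( '" + sValue1 + "','" + sValue2 + "' )"
    # Whatever the caller passes becomes part of the SQL text itself.
    sql = "INSERT INTO bob (xyz, abc) VALUES ('" + value1 + "','" + value2 + "')"
    conn.execute(sql)
    conn.commit()


def insert_param(conn, value1, value2):
    # Mirrors the parameterized form: placeholders in CommandText, values bound
    # separately (the sqlite3 equivalent of sc.Parameters.Add("@xyz", ...)).
    # The SQL text is fixed; the values are sent as data, never parsed as SQL.
    conn.execute(
        "INSERT INTO bob (xyz, abc) VALUES (:xyz, :abc)",
        {"xyz": value1, "abc": value2},
    )
    conn.commit()


def rows(conn):
    return conn.execute("SELECT xyz, abc FROM bob ORDER BY rowid").fetchall()


def demo():
    # Constructed attacker-controlled value: closes the string literal and the
    # VALUES row, then appends a second row of the attacker's choosing.
    payload = "x'), ('evil', 'evil"

    concat_db = _fresh_db()
    insert_concat(concat_db, "row1", payload)   # two rows inserted, one was never intended

    param_db = _fresh_db()
    insert_param(param_db, "row1", payload)     # one row, payload stored literally

    # A perfectly legitimate value with an apostrophe: concatenation produces
    # malformed SQL and fails, parameters store it unchanged.
    try:
        insert_concat(_fresh_db(), "O'Brien", "abc")
        apostrophe_concat_ok = True
    except sqlite3.OperationalError:
        apostrophe_concat_ok = False

    apostrophe_db = _fresh_db()
    insert_param(apostrophe_db, "O'Brien", "abc")

    return {
        "concat_rows": rows(concat_db),
        "param_rows": rows(param_db),
        "apostrophe_concat_ok": apostrophe_concat_ok,
        "apostrophe_param_rows": rows(apostrophe_db),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The concatenated insert ends up with two rows because the payload rewrote the statement; the parameterized insert stores the payload as an ordinary string in a single row. The apostrophe case shows the other half of the argument: even with no attacker at all, building SQL by concatenation breaks on ordinary data, while bound parameters need no escaping.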