I need to create functionality for users to determine the WHERE criteria of a select – the criteria will be dynamic.
Is there a way I can achieve this without opening up my code to SQL injection?
I’m using a C# / .NET Windows application.
Ah, two phases. Given your column names and operators are not direct user input, e.g. picked from a list or radio group etc.,
then
string whereClause = String.Format("WHERE {0} {1} @{0}", "Customer", "=");
So now you have "WHERE Customer = @Customer".
Then you can add a parameter Customer and set it from the user input.
There are a few ways to attack this, depends on how complex your criteria could be though.
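The two-phase approach from the answer above, worked through as an added example (this is not code from the original post). Column names and operators chosen by the user are accepted only if they appear in a fixed whitelist, and each value is bound as a SqlParameter, so no user text is ever concatenated into the SQL. The table and column names (Orders, Customer, City, OrderTotal) and the operator labels are assumptions for illustration; the LIKE handling also escapes wildcard characters in the value so that a user searching for "50%" matches that text literally rather than supplying a pattern.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example, not from the original answer. Builds a parameterised WHERE
// clause from user-selected criteria. Identifiers come from a whitelist;
// values always travel as parameters.
public sealed class DynamicWhereBuilder
{
    // Hypothetical column names. The key is what the UI sends, the value is the
    // canonical identifier that ends up in the SQL text.
    private static readonly Dictionary<string, string> AllowedColumns =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "Customer", "Customer" },
            { "City", "City" },
            { "OrderTotal", "OrderTotal" },
        };

    // Operator labels the UI may send, mapped to the SQL operator to emit.
    private static readonly Dictionary<string, string> AllowedOperators =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "equals", "=" },
            { "not_equals", "<>" },
            { "greater_than", ">" },
            { "less_than", "<" },
            { "contains", "LIKE" },
        };

    public sealed class Criterion
    {
        public string Column { get; set; }
        public string Operator { get; set; }
        public object Value { get; set; }
    }

    // Returns a ready-to-execute command. Throws on any column or operator
    // that is not whitelisted, which is the only way user input could reach
    // the SQL text.
    public static SqlCommand Build(IEnumerable<Criterion> criteria, SqlConnection connection)
    {
        var clauses = new List<string>();
        var cmd = new SqlCommand { Connection = connection };
        int index = 0;

        foreach (var c in criteria)
        {
            if (!AllowedColumns.TryGetValue(c.Column ?? "", out var column))
                throw new ArgumentException("Unknown column: " + c.Column);
            if (!AllowedOperators.TryGetValue(c.Operator ?? "", out var sqlOperator))
                throw new ArgumentException("Unknown operator: " + c.Operator);

            // One parameter per criterion, so the same column can appear twice
            // (e.g. OrderTotal > @p0 AND OrderTotal < @p1).
            string paramName = "@p" + index++;
            clauses.Add("[" + column + "] " + sqlOperator + " " + paramName);

            object value = c.Value;
            if (sqlOperator == "LIKE")
                value = "%" + EscapeLike(Convert.ToString(c.Value)) + "%";

            cmd.Parameters.AddWithValue(paramName, value ?? DBNull.Value);
        }

        string where = clauses.Count == 0 ? "" : " WHERE " + string.Join(" AND ", clauses);
        cmd.CommandText = "SELECT * FROM [Orders]" + where;  // Orders is a hypothetical table
        return cmd;
    }

    // Escape SQL Server LIKE wildcards inside the value. '[' must be handled
    // first so the brackets added for '%' and '_' are not escaped again.
    private static string EscapeLike(string s) =>
        s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
}
```

Usage: collect a List of Criterion objects from the form controls, call DynamicWhereBuilder.Build(criteria, connection) and run ExecuteReader on the result. Anything the user typed lives only in cmd.Parameters; the only strings in cmd.CommandText are the constants from the two dictionaries.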