Home/ Questions/Q 6202913
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T04:49:19+00:00

I used postgreSQL in PHP, and this was simple : when you make a

  • 0

I used postgreSQL in PHP, and this was simple : when you make a query, you do :

$result = pg_query($conn, "SELECT author, email FROM authors WHERE dest='" + pg_escape_string($s) + "'");

Simple. Secure (as far as I know).

Now I want to do the same thing with SQLite in C# :

SQLiteCommand query = m_conn.CreateCommand();
query.CommandText = "SELECT author, email FROM authors WHERE dest=@param";
query.Parameters.Add("@dest", SqlDbType.String).Value = s;
m_datareader = query.ExecuteReader();

Is it not a bit of an overkill ? If not, why ?

From what I know, in the end, the string sent to the database is still a string, why should it go trough this instead of just manually sanitizing unsafe strings ? If in ASP .NET to print some unsafe text to HTML is it also

htmlAdd.Text("<div>@param1</div>");
htmlAdd.Parameters.Add("@param1").Value = unsafeUsername;

?

I wanted to do this class :

class QueryResultSet
{
    public QueryResultSet(SQLiteConnection conn, string queryText)
    {
        m_conn = conn;
        m_conn.Open();
        SQLiteCommand query = m_conn.CreateCommand();
        query.CommandText = queryText;
        m_datareader = query.ExecuteReader();
    }
    public object this[string key]
    {
        get { return m_datareader[key]; }
    }
    public bool Read()
    {
        return m_datareader.Read();
    }
    ~QueryResultSet()
    {
        m_conn.Close();
    }
    private SQLiteConnection m_conn;
    private SQLiteDataReader m_datareader;
}

But now I have to change the method in :

public QueryResultSet(SQLiteConnection conn, string queryText, Dictionary<string,string> params)

That will cause the code before the method and into it to double its size.

Any standard way to do it ? If this class isn’t a good idea, how to avoid having to do 10 lines for each request ?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I use an extension method

    public static IDataReader GetReader(this IDbConnection conn,string query, params object[] values) {
  var Command=conn.CreateCommand();
  var paramNames=Enumerable.Range(1,values.Length).Select(i=>string.Format("@param{0}",i)).ToArray();
  Command.CommandText=string.Format(query,paramNames);
  for (var i=0;i<values.Length;i++) {
    var param=Command.CreateParameter();
    param.ParameterName=paramNames[i];
    param.Value=values[i];
    Command.Parameters.Add(param);
  }
  return Command.ExecuteReader();
}

    Then you can just in your code use the string format syntax for your query.

    e.g.

    Conn.GetReader("SELECT author, email FROM authors WHERE dest={0}",dest);
    • 0