Home/ Questions/Q 8269125
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-08T06:07:17+00:00

I’m really new to DB programming, and I’m throwing together a little test project

  • 0

I’m really new to DB programming, and I’m throwing together a little test project that uses ado.net to interact with a MS Access database. I looked around online for the “best practice” way to do it, but couldn’t find an up-to-date answer that I trusted.

I just want the “modern” way to insert into an access DB via ado.net while preventing SQL injection attacks. And if there’s anything else I should be keeping in mind, let me know that too.

Oh and by the way, I’m aware that there are better options than MS Access. However, I’m doing this at work on lunch breaks and stuff, and my employer would prefer I don’t clutter up SQL server space with silly DBs like this.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You could try Dapper. This is a way to execute arbitrary SQL against anything that implements IDbConnection in a manner which avoids SQL injection attacks and has a nice, clean, modern interface.

    Failing that, just use OleDbCommand.Parameters.AddWithValue("fieldname", yourobj); (or the OdbcCommand equivalent. Your query would need to contain question marks as parameter placeholders. For Access, you need to add your arguments to the parameters collection in the same order as the fields appear in the SQL query, like this:

    Selecting

    string sql = "select * from mytable where MyField LIKE ? and MyOtherField = ?";

// Dapper

using (OleDbConnection dbConn = new OleDbConnection("your connection string))
{
    dbConn.Open();
    var result = dbConn.Query(sql, new { MyField = "some value", MyOtherField = 3 });

    foreach (dynamic myrow in result)
    {
        // you can get at your table rows using myrow.MyField, myrow.SomeOtherField etc
        // To avoid myrow being dynamic, call dbConn.Query<T> where T is some type you 
        // define that matches your table definition
    }
}

// The "old-fashioned" way

using (OleDbConnection dbConn = new OleDbConnection("your connection string))
using (OleDbCommand dbCmd = dbConn.CreateCommand())
{
    dbConn.Open();
    dbCmd.CommandText = sql;
    dbCmd.Parameters.AddWithValue("MyField", "some value"));
    dbCmd.Parameters.AddWithValue("MyOtherField", 3));

    OleDbDataReader reader = dbCmd.ExecuteReader();
    while (reader.Read())
    {
        string myfield = reader["myfield"] == DBNull.Value ? null : (string)reader["myfield"];

        int SomeOtherField = reader["someotherfield"] == DBNull.Value ? 0 : (int)reader["someotherfield"];
    }
}

    Inserting

    string sql = "insert into mytable (MyField, MyOtherField) values (?, ?)";

// Dapper

using (OleDbConnection dbConn = new OleDbConnection("your connection string))
{
    dbConn.Open();
    dbConn.Execute(sql, new { MyField = "some value", MyOtherField = 3 });
}

// The "old-fashioned" way

using (OleDbConnection dbConn = new OleDbConnection("your connection string))
using (OleDbCommand dbCmd = dbConn.CreateCommand())
{
    dbConn.Open();
    dbCmd.CommandText = sql;
    dbCmd.Parameters.AddWithValue("MyField", "some value"));
    dbCmd.Parameters.AddWithValue("MyOtherField", 3));

    dbCmd.ExecuteNonQuery(sql);
}

    Access is also very picky about numeric types when writing code that moves data from objects to and from the database, if I remember correctly. You need to make sure that you are casting to and from exactly the correct types.

    • 0