Home/ Questions/Q 3630820
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-19T00:19:05+00:00

I’m writing my first database application. It’s a C# WinForms application with a SQLite

  • 0

I’m writing my first database application. It’s a C# WinForms application with a SQLite database.

I’m attempting to write a SQLite query that uses parameters with an UPDATE/WHERE command instead of an INSERT command, which is what you normally see.

Here’s the link I’m using as a template. See Listing 14-2.

http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection

Can someone provide some insight on how to change the query in the link to use a UPDATE/WHERE statement instead of the INSERT statement?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Well that article is just pointing out that you will want to write you queries as parameterized queries to avoid sql injection attacks. So the query logic is the same as you would normally write but instead of using string concatenation to put your dynamic values in you use variables following the syntax “@someVariableName” and then you add your dynamic values in as parameters on the sqlCommand object.

    Here is a link for a walk through on how to do this for SQLite: Parameterized Queries

    EDIT: Had to find a new reference for this answer as old reference died.

    • 0