Hello,

Could anyone tell me a way to prevent SQL injection when building queries for SQLite where the WHERE clause has a "myval IN (string_1, ... , string_n)" condition?

I thought about dynamically building the command text with annotations and adding the parameters for those annotations from the string list. Is there an easier way?

Thanks.

+4  A: 

No, there's no easier way. Don't make a list of dangerous characters. Just use a command with parameters.

using System.Data.SQLite;

using (var conn = new SQLiteConnection(connectionString))
using (var command = conn.CreateCommand())
{
    conn.Open();
    // The value never becomes part of the SQL text; it is bound to @id by the driver.
    command.CommandText = "select name from persons where id = @id";
    command.Parameters.AddWithValue("@id", 5);
    using (var reader = command.ExecuteReader())
    {
        while (reader.Read())
        {
            // read columns from the current row here, e.g. reader.GetString(0)
        }
    }
}
Darin Dimitrov
the only true answer!
Andreas Niedermair
Thanks guys. It's sad, but good to know.
thelost
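The IN-list case from the question, worked through as an added example (not code from the answer above): one named parameter is generated per value, so only the placeholder names are spliced into the SQL text and the values themselves are always bound. The table, column names and the System.Data.SQLite provider are assumptions for the sake of the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SQLite;

static class InClauseQuery
{
    // Builds "... where status in (@p0, @p1, ...)" with one bound parameter per
    // value. The SQL text only ever contains placeholder names we generated,
    // never the caller's strings, so a quote or comment marker in a value is data.
    public static List<string> NamesWithStatus(SQLiteConnection conn, IReadOnlyList<string> statuses)
    {
        var names = new List<string>();
        if (statuses.Count == 0)
            return names; // "IN ()" is a syntax error in SQLite, and nothing could match anyway

        using (var command = conn.CreateCommand())
        {
            var placeholders = new string[statuses.Count];
            for (int i = 0; i < statuses.Count; i++)
            {
                placeholders[i] = "@p" + i;
                command.Parameters.AddWithValue(placeholders[i], statuses[i]);
            }
            command.CommandText =
                "select name from persons where status in (" + string.Join(", ", placeholders) + ")";

            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                    names.Add(reader.GetString(0));
            }
        }
        return names;
    }

    static void Main()
    {
        // Constructed in-memory sample data (hypothetical schema, not from the original post).
        using (var conn = new SQLiteConnection("Data Source=:memory:"))
        {
            conn.Open();
            using (var setup = conn.CreateCommand())
            {
                setup.CommandText =
                    "create table persons(id integer primary key, name text, status text);" +
                    "insert into persons(name, status) values ('alice','active'),('bob','retired'),('carol','active');";
                setup.ExecuteNonQuery();
            }
            // The second value contains a quote; it is bound as a literal string and matches no row.
            var found = NamesWithStatus(conn, new[] { "active", "it's" });
            Console.WriteLine(string.Join(", ", found)); // alice, carol
        }
    }
}
```

One caveat for very long lists: SQLite caps the number of host parameters per statement (historically 999 by default), so a list longer than that needs to be chunked into several queries or loaded into a temporary table and joined.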