tags:

views:

51

answers:

3
+1  Q: 

Passing query as parameter.

I know, it is not recommended. The possible risk of SQL Injection.

In my present app., I created a class containing reusable functions. One such function is this:

public static Int32 InsertNewRecord(string myQuery)
{
    ModCon.OpenConnection();
    MySqlCommand cmdInsert = new MySqlCommand(myQuery, ModCon.myCN);
    try
    {
        Int32 RecordsAffected = cmdInsert.ExecuteNonQuery();
        return RecordsAffected;
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.ToString(), "Error:", MessageBoxButtons.OK, MessageBoxIcon.Error);
        return 0;
    }
    finally
    {
        cmdInsert.Dispose();
        ModCon.CloseConnection();
    }            
}

This class has many such methods that can be reused. There is a method to fill a DataGridView, where in I pass the DataGridView name and SQL query to populate it.

My application is at present a standalone Windows app. What could be a professional way to achieve this without the fear of SQL Injection?

The methods above are in a class and whenever I need these methods, I create an instance of this class in another class.

+1  A: 

You have either two choices:

  1. You can create descriptions of your queries. You can do this by creating an InsertQuery class with a table name. With this you can add filters where you e.g. create a class EqualFilter which you can then compose with an AndFilter to get two equal comparisons;

  2. If you think that's a lot of work, it is. An alternative is to go with an ORM framework like NHibernate or the Entity Framework. This does all this stuff for you, and a lot more.

Pieter  2010-10-30 17:58:56
A: 

You probably want to research on usage of regex in C#. There is bunch of resources on Google that u can easily find out. Just prevent any suspicious characters like %,=,?,& ... (which may lead to SQL injection query) that being passed to parameter myQuery of your method. That should do find. Maybe it's not professional way to do this but... i am just saying. Good luck.

SilverTsuki  2010-10-30 18:02:48
@Silver: Thanks for the suggestion, but tell me the professional way.
RPK  2010-10-30 18:08:04
+1  A: 

Don't pass your parameters with your query. Create System.Data.SqlClient.SqlCommand and use Command.Parameters.Add(... to add parameters. This completely prevents SQL Injection.

Kamyar  2010-10-30 18:04:36

related questions

Displaying Flash content in a C# WinForms application
How to get the value of built, encoded ViewState?
Unhandled Exception Handler in .NET 1.1
How do I connect to a database and loop over a recordset in C#?
How do I most elegantly express left join with aggregate SQL as LINQ query
Get a new object instance from a Type in C#
.NET Testing Framework Advice
Automatically update version number
What is the difference between an int and an Integer in Java/C#?
How to write to Web.Config in Medium Trust ?
WinForms ComboBox data binding gotcha
How do you sort a C# dictionary by value?
Adding Scripting functionality to .NET applications
Floating Point Number parsing: Is there a Catch All algorithm?
How do I print an HTML document from a web service?
Decoding T-SQL CAST in C#/VB.net
Anatomy of a "Memory Leak"
How do I get a distinct, ordered list of names from a DataTable using Linq
Reliable Timer in a Console Application
How do I fill a DataSet or a DataTable from a LINQ query resultset ?
What's the difference between Math.Floor() and Math.Truncate() in .NET?
How do I calculate relative time?
How do I calculate someone's age in C#?
Are there any conversion tools for porting Visual J# code to C#?
When setting a form's opacity should I use a decimal or double?