Hello, I'm wondering what the best way is to protect against SQL injection in SqlDataAdapter (as there is no way to use a parameterized query)?
For example, let's use this part of the code:
// user input (textBox1.Text) and somestring are concatenated straight into the SQL text
da_services = new SqlDataAdapter("SELECT * from table WHERE column='" + textBox1.Text + "' AND column2='" + somestring + "'", conn);
scd_services = new SqlCommandBuilder(da_services);
dt_services = new DataTable();
da_services.Fill(dt_services);
dtg_services.DataSource = dt_services;
conn.Close();
Thank you for your time.
You can try accessing the SqlCommand object of the DataAdapter:
da_services = new SqlDataAdapter("SELECT * from table WHERE column=@column AND column2=@column2", conn);
da_services.SelectCommand.Parameters.AddWithValue("@column", textBox1.Text);
da_services.SelectCommand.Parameters.AddWithValue("@column2", somestring);
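As an added example (not part of the question or the answer above), here is the question's whole block rewritten around a parameterized SelectCommand, with explicit parameter types instead of AddWithValue. The table and column names, the connection string and the input values are placeholders taken from the question, not a real schema.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class ServicesRepository
{
    // Same query as the question, but both values travel as parameters:
    // the database receives them as data, never as part of the SQL text,
    // whatever characters they contain.
    public static DataTable LoadServices(string connectionString, string userInput, string somestring)
    {
        // [table], [column], [column2] are placeholders from the question.
        const string sql =
            "SELECT * FROM [table] WHERE [column] = @column AND [column2] = @column2";

        using (var conn = new SqlConnection(connectionString))
        using (var da = new SqlDataAdapter(sql, conn))
        {
            // Declaring type and length explicitly (rather than AddWithValue, which
            // infers NVARCHAR of the input's length) avoids one cached plan per input
            // length and avoids implicit conversions on indexed columns.
            da.SelectCommand.Parameters.Add("@column", SqlDbType.NVarChar, 100).Value = userInput;
            da.SelectCommand.Parameters.Add("@column2", SqlDbType.NVarChar, 100).Value = somestring;

            // SqlCommandBuilder derives INSERT/UPDATE/DELETE from this parameterized
            // SELECT, so rows edited in the grid and written back with da.Update()
            // are parameterized as well. It needs a primary key on the table.
            var builder = new SqlCommandBuilder(da);

            var table = new DataTable();
            da.Fill(table);   // Fill opens the connection and closes it again itself
            return table;
        }
    }
}
```

Binding the result to the grid is unchanged: dtg_services.DataSource = ServicesRepository.LoadServices(connectionString, textBox1.Text, somestring);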