Question
I am writing a C# code that connects to ODAC. I think my query got no errors, but I get this error, I don't know how to solve.
This is my query
https://stackoverflow.com/questions/13900906
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
Russiancomm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id +
"' AND APPID = '" + app_id + "' ;";
Can any one figure out what is wrong in here?
Solution
Your query is vulnerable for a security issue called SQL injection!
You should NEVER use string concatenation for building a query from strings (some SQL, some parameters)... Use always parameterized queries...
Sample code:
comm.BindByName = true;
comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = :login_id AND APPID = :app_id";
comm.Parameters.AddWithValue ("login_id", login_id);
comm.Parameters.AddWithValue ("app_id", app_id);
OTHER TIPS
Why there is a ; in your sql command? Try this;
comm.CommandText = "SELECT * FROM ZAEDBA WHERE USER_ID = '" + login_id + "' AND APPID = '" + app_id "';
By the way, you should always use parameterized queries. This clearly open for an sql injection. For your query, use like this;
string commandText = "SELECT * FROM ZAEDBA WHERE USER_ID = @login_id " + AND
+ "WHERE APPID = @app_id;";
command.Parameters.Add("@login_id", SqlDbType.Int);
command.Parameters["@login_id"].Value = login_id;
command.Parameters.Add("@app_id", SqlDbType.Int);
command.Parameters["@app_id"].Value = app_id;
