This is of course a SQL injection attack waiting to happen.
Thank you for pointing that out! Will it be better if I do something like this?

    if (txtName.Text != "")
    {
        selectCommand.CommandText += "name=@name ";
        selectCommand.Parameters.Add("@name", txtName.Text);
    }

– nomail Jul 19 '10 at 8:46

Yes, that would be better. Always sanitize your inputs! – Colin Jul 19 '10 at 8:53
I would break this up and call separate functions depending upon what filter you want to apply:

    public void GetData(string name, string surname, string company)
    {
        DbCommand command;

        // Only one branch may run, so the chain must be else-if; with plain
        // ifs the second branch would also fire when all three are filled in.
        if (name != "" && surname != "" && company != "")
        {
            command = GetDataCommandFilteredByFirstNameSurnameCompany(name, surname, company);
        }
        else if (name != "" && surname != "")
        {
            command = GetDataCommandFilteredByFirstNameSurname(name, surname);
        }
        // ... remaining filter combinations ...

        using (DbDataReader reader = command.ExecuteReader())
        {
            // ... read rows ...
        }
    }

Each filter function would then contain simple code to generate command objects:

    private DbCommand GetDataCommandFilteredByFirstNameSurnameCompany(string name, string surname, string company)
    {
        DbCommand command = conn.CreateCommand();
        command.CommandText = @"
            SELECT * FROM some_table
            WHERE name = @name AND surname = @surname AND company = @company";

        // Each value travels as a parameter, never as part of the SQL text.
        DbParameter parameter = command.CreateParameter();
        parameter.ParameterName = "@name";
        parameter.Value = name;
        command.Parameters.Add(parameter);

        parameter = command.CreateParameter();
        parameter.ParameterName = "@surname";
        parameter.Value = surname;
        command.Parameters.Add(parameter);

        parameter = command.CreateParameter();
        parameter.ParameterName = "@company";
        parameter.Value = company;
        command.Parameters.Add(parameter);

        return command;
    }
M_arnell! Thank you for your reply! The thing is that I wanted to create the query dynamically. As in this example I use only 3 parameters it's not hard, while in the project I'm currently on I might need up to 7 parameters and they are all independent.
– nomail Jul 19 '10 at 10:00
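The answer above covers the three-column case with one function per combination, and the follow-up comment asks how that scales to seven independent filters. The following is an added example, not code from the original thread or from either poster: it builds the WHERE clause from whatever subset of filters the caller supplied, one parameter per filter, over a fixed whitelist of column names. The table name `some_table`, the column list, the `@` parameter prefix (SQL Server / SQLite style; Oracle uses `:`) and the `conn` argument are assumptions for illustration. The point that the exchange above leaves implicit is that parameters, not "sanitizing", are what remove the injection: the column name is the only thing that ever reaches the SQL text, and it is checked against the whitelist, so user input is never concatenated into the statement.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;
using System.Text;

// Added example (not from the original thread). Builds a parameterized SELECT
// from any number of optional, independent filters.
public static class DynamicFilterQuery
{
    // Columns a caller may filter on. This is the only text that is ever spliced
    // into the SQL, and it is never taken from user input. (Assumed column set.)
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "name", "surname", "company", "city", "country", "department", "title"
        };

    // filters: column name -> value typed by the user. Empty values mean
    // "filter not supplied" and are skipped, so the caller can pass all seven
    // text boxes unconditionally.
    public static DbCommand BuildSelect(DbConnection conn, IDictionary<string, string> filters)
    {
        DbCommand command = conn.CreateCommand();
        var sql = new StringBuilder("SELECT * FROM some_table"); // assumed table name
        var clauses = new List<string>();

        foreach (KeyValuePair<string, string> filter in filters)
        {
            if (string.IsNullOrEmpty(filter.Value))
                continue; // independent filter not in use

            if (!AllowedColumns.Contains(filter.Key))
                throw new ArgumentException("Column is not filterable: " + filter.Key);

            // Structure (column name) comes from the whitelist; data (the value)
            // goes through a parameter. The two never mix.
            string paramName = "@" + filter.Key.ToLowerInvariant(); // assumed "@" prefix
            clauses.Add(filter.Key.ToLowerInvariant() + " = " + paramName);

            DbParameter p = command.CreateParameter();
            p.ParameterName = paramName;
            p.DbType = DbType.String;
            p.Value = filter.Value;
            command.Parameters.Add(p);
        }

        if (clauses.Count > 0)
            sql.Append(" WHERE ").Append(string.Join(" AND ", clauses));

        command.CommandText = sql.ToString();
        return command;
    }

    // Usage from a form with the three text boxes of the question (assumed names):
    //
    //   var filters = new Dictionary<string, string>
    //   {
    //       { "name",    txtName.Text    },
    //       { "surname", txtSurname.Text },
    //       { "company", txtCompany.Text }
    //   };
    //   using (DbCommand cmd = DynamicFilterQuery.BuildSelect(conn, filters))
    //   using (DbDataReader reader = cmd.ExecuteReader())
    //   {
    //       while (reader.Read()) { /* ... */ }
    //   }
    //
    // With name = "O'Brien" and the others empty the command text is
    //   SELECT * FROM some_table WHERE name = @name
    // and the apostrophe travels inside the @name parameter, not inside the SQL.
}
```

Adding a fourth, fifth or seventh filter is then a whitelist entry and a dictionary key, not another function. If a filter ever needs a different operator (LIKE, a range, a date column), keep the same shape: the operator and column come from code, the value from a parameter.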
The thing is that it uses loads of memory (as I found somewhere on the net, it uses almost 4x the memory compared to using a DataReader). What I was thinking is to make a function that will use a DataReader for the SQL SELECT command. But I feel that it's the wrong way.
First of all, I am not using parameters. The second thing is that it looks kind of dirty. Can anyone please suggest something?