c# - no value given fr one or more required parameters -
i'm trying prevent sql injections. doing right? (i'm using ms access.) should still use sqlparameter?
oledbparameter[] myparm = new oledbparameter[2]; myparm[0] = new oledbparameter("@userid", username.text); myparm[1] = new oledbparameter("@password", encode); string querystr = "select * tmuser userid=@userid , password=@password"; oledbconnection conn = new oledbconnection(_connstr); oledbcommand cmd = new oledbcommand(querystr, conn); conn.open(); oledbdatareader dr = cmd.executereader();
close!
string querystr = "select * tmuser userid=@userid , password=@password"; oledbconnection conn = new oledbconnection(_connstr); oledbcommand cmd = new oledbcommand(querystr, conn); cmd.parameters.addwithvalue("@userid", username.text); cmd.parameters.addwithvalue("@password", encode); the parameters part of command object , use parameters.addwithvalue method set parameter values have defined in query string.
by way, should using using statements encapsulate of objects, here typically do:
using (oledbconnection conn = new oledbconnection(_connstr)) using (oledbcommand = conn.createcommand()) { conn.open(); cmd.commandtext = "select ..."; cmd.parameters.addwithvalue(...); cmd.executereader(); //... } that way don't have worry cleaning resources if goes wrong inside or closing connection when done.
Comments
Post a Comment