c# - no value given fr one or more required parameters -


i'm trying prevent sql injections. doing right? (i'm using ms access.) should still use sqlparameter?

oledbparameter[] myparm = new oledbparameter[2]; myparm[0] = new oledbparameter("@userid", username.text); myparm[1] = new oledbparameter("@password", encode);  string querystr = "select * tmuser userid=@userid , password=@password";  oledbconnection conn = new oledbconnection(_connstr); oledbcommand cmd = new oledbcommand(querystr, conn);  conn.open(); oledbdatareader dr = cmd.executereader(); 

close!

string querystr = "select * tmuser userid=@userid , password=@password";  oledbconnection conn = new oledbconnection(_connstr); oledbcommand cmd = new oledbcommand(querystr, conn); cmd.parameters.addwithvalue("@userid", username.text); cmd.parameters.addwithvalue("@password", encode); 

the parameters part of command object , use parameters.addwithvalue method set parameter values have defined in query string.

by way, should using using statements encapsulate of objects, here typically do:

using (oledbconnection conn = new oledbconnection(_connstr)) using (oledbcommand = conn.createcommand()) {     conn.open();     cmd.commandtext = "select ...";     cmd.parameters.addwithvalue(...);      cmd.executereader();     //... } 

that way don't have worry cleaning resources if goes wrong inside or closing connection when done.


Comments

Popular posts from this blog

java - Spring Data JPA: Why findOne(id) executing delete query internally? -

python - Mongodb How to add addtional information when aggregating? -

java - Incorrect order of records in M-M relationship in hibernate -