C
C#8mo ago
joules

❔ Is this enough to clean a database entry?

I'm entering user-defined text into an SQL table but dont want my tables getting dropped. Does this work? 
if (unsafeText.Contains('\'', '\"', '`'))
                {
                    //give error message
                    return;
                }
if (unsafeText.Contains('\'', '\"', '`'))
                {
                    //give error message
                    return;
                }
8 Replies
Pobiega
Pobiega8mo ago
How are you doing the insert? most SQL clients have ways to parameterize the query, so you are safe from injection
joules
joules8mo ago
it's a text-based command through Microsoft.Data.Sqlite
Pobiega
Pobiega8mo ago
so a SqlCommand? 
private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update the demographics for a store, which is stored
    // in an xml column.
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;

        // Use AddWithValue to assign Demographics.
        // SQL Server will implicitly convert strings into XML.
        command.Parameters.AddWithValue("@demographics", demoXml);

        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
private static void UpdateDemographics(Int32 customerID,
    string demoXml, string connectionString)
{
    // Update the demographics for a store, which is stored
    // in an xml column.
    string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
        + "WHERE CustomerID = @ID;";

    using (SqlConnection connection = new SqlConnection(connectionString))
    {
        SqlCommand command = new SqlCommand(commandText, connection);
        command.Parameters.Add("@ID", SqlDbType.Int);
        command.Parameters["@ID"].Value = customerID;

        // Use AddWithValue to assign Demographics.
        // SQL Server will implicitly convert strings into XML.
        command.Parameters.AddWithValue("@demographics", demoXml);

        try
        {
            connection.Open();
            Int32 rowsAffected = command.ExecuteNonQuery();
            Console.WriteLine("RowsAffected: {0}", rowsAffected);
        }
        catch (Exception ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
joules
joules8mo ago
it's not cute 
public static bool UpdateGuildStringField(ulong serverId, string fieldToUpdate, string newValue)
    {
        var sqliteCommand = ServerDataConnection.CreateCommand();
        try
        {
            sqliteCommand.CommandText =
                @$"UPDATE servers
                SET {fieldToUpdate} = '{newValue}'
                WHERE id is '{serverId}'";
            sqliteCommand.ExecuteNonQuery();
            return true;
        }
        catch
        {
            return false;
        }
    }
public static bool UpdateGuildStringField(ulong serverId, string fieldToUpdate, string newValue)
    {
        var sqliteCommand = ServerDataConnection.CreateCommand();
        try
        {
            sqliteCommand.CommandText =
                @$"UPDATE servers
                SET {fieldToUpdate} = '{newValue}'
                WHERE id is '{serverId}'";
            sqliteCommand.ExecuteNonQuery();
            return true;
        }
        catch
        {
            return false;
        }
    }
Pobiega
Pobiega8mo ago
look at this example never ever use string interpolation or concats to make a query use a parameterized query
joules
joules8mo ago
i see
Angius
Angius8mo ago
Parametrized queries are the one and only proper way to insert parameters into the query
Accord
Accord8mo ago
Was this issue resolved? If so, run /close - otherwise I will mark this as stale and this post will be archived until there is new activity.
Want results from more Discord servers?
Add your server
More Posts
❔ Am I doing event subscription correctly?I have 2 singleton classes SingletonA, working mostly alone and has events and the other, SingletonBA quick question, how do we edit the value of an attribute in an input file?My prof states that items named, appetizer, entree, and dessert must have values of 0, 1, and 2, whe❔ Need Docker asstianceDocker advice I have a multi-project solution consisting of: 1x Maui App project (desktop for now, ❔ PASCAL While Statement```PROCEDURE DisplayBFTable(minA, maxA: INTEGER; VAR result: INTEGER); VAR bRange: INTEGER; BEGI❔ C# Self Signed certificate with SslStreamMy Code: ```cs var listener = new TcpListener(IPAddress.Any, 443); // Port 443 is typic✅ Dapper relation tablesIn my domain I have this class ```csharp public class UserModel : BaseModel { public required st❔ ✅ SreamReader vs. TextReaderGiven i want to program a reader that is efficient so i will read by a character not by line or whol❔ my string event click isn't workingim trying to include this div inside my gridData, but once i store it in shareBtnvariable it doesnot❔ Why is the Ecxepction not written in the Out TextWriter?I try to write the Console to a File: ```cs private static void SetupConsoleOutput() { i❔ Hi need help with code for arrays in unityi have to code a simple game for school where 3 different items r dropped randomly across a plane an