C# · 13mo ago
Hazzza

SQL: Trying to obtain all rows that have a primary key inside an inputted table

The code works if the Recipe string replaces the ? in the string. However, as I want to prevent SQL injection, the RecipeString isn't treated as SQL, so the ' ' either side of each name in RecipeString isn't identified in the SQL string, hence returning no values. Hopefully you understand the issue. If anyone has any ideas on how to fix this it would be greatly appreciated. Thanks

Code:
C#
string _sSqlString = "SELECT * FROM IngredientRecipe WHERE ProductName IN (?)";

string RecipeString = "";

foreach(string name in Recipes.elements)
{
    if(name != "")
    {
        RecipeString += $"'{name}',";
    }
}
RecipeString = RecipeString.Remove(RecipeString.Length - 1);


string[] Parameters = new string[1];
Parameters[0] = RecipeString;

DataTable result = databaseUtils.ExecuteSqlQuery(_sSqlString, Parameters);


Example Recipe String is:
'bread','pizza'
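
Added example, not part of the original post: a single `?` binds the whole list as one string value, so the usual fix is one `?` per name with each name passed as its own parameter. It assumes `databaseUtils.ExecuteSqlQuery(string, string[])` binds the array elements to the placeholders in order, as the call in the question suggests; `BuildRecipeQuery` is a hypothetical helper name and the sample names are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class InClauseExample
{
    // Builds "... IN (?,?,...)" with one positional placeholder per value and
    // returns the values separately, so they are bound as data and never
    // concatenated into the SQL text.
    public static (string Sql, string[] Parameters) BuildRecipeQuery(IEnumerable<string> names)
    {
        string[] values = names
            .Where(n => !string.IsNullOrWhiteSpace(n)) // same filter as the question's loop
            .Distinct()
            .ToArray();

        if (values.Length == 0)
        {
            // "IN ()" is a syntax error in most engines; return a query that matches nothing.
            return ("SELECT * FROM IngredientRecipe WHERE 1 = 0", Array.Empty<string>());
        }

        string placeholders = string.Join(",", Enumerable.Repeat("?", values.Length));
        string sql = $"SELECT * FROM IngredientRecipe WHERE ProductName IN ({placeholders})";
        return (sql, values);
    }

    static void Main()
    {
        // Constructed input: an empty entry and a name containing an apostrophe,
        // which would break the hand-quoted 'bread','pizza' string.
        var recipes = new[] { "bread", "", "pizza", "shepherd's pie" };

        var (sql, parameters) = BuildRecipeQuery(recipes);

        Console.WriteLine(sql);
        foreach (string p in parameters)
            Console.WriteLine($"  parameter: {p}");

        // Assumed call, matching the helper signature used in the question:
        // DataTable result = databaseUtils.ExecuteSqlQuery(sql, parameters);
    }
}
```

Only the number of `?` markers depends on the input; the names themselves never enter the SQL text, so no quoting or escaping of them is needed.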