How can I add user-supplied input to an SQL statement?

by

Use parameterized SQL.

Examples

(These examples are in C#, see below for the VB.NET version.)

Replace your string concatenations with @... placeholders and, afterwards, add the values to your SqlCommand. You can choose the name of the placeholders freely, just make sure that they start with the @ sign. Your example would look like this:

var sql = "INSERT INTO myTable (myField1, myField2) " +
          "VALUES (@someValue, @someOtherValue);";

using (var cmd = new SqlCommand(sql, myDbConnection))
{
    cmd.Parameters.AddWithValue("@someValue", someVariable);
    cmd.Parameters.AddWithValue("@someOtherValue", someTextBox.Text);
    cmd.ExecuteNonQuery();
}

The same pattern is used for other kinds of SQL statements:

var sql = "UPDATE myTable SET myField1 = @newValue WHERE myField2 = @someValue;";

// see above, same as INSERT

or

var sql = "SELECT myField1, myField2 FROM myTable WHERE myField3 = @someValue;";

using (var cmd = new SqlCommand(sql, myDbConnection))
{
    cmd.Parameters.AddWithValue("@someValue", someVariable);
    using (var reader = cmd.ExecuteReader())
    {
        ...
    }
    // Alternatively: object result = cmd.ExecuteScalar();
    // if you are only interested in one value of one row.
}

A word of caution: AddWithValue is a good starting point and works fine in most cases. However, the value you pass in needs to exactly match the data type of the corresponding database field. Otherwise, you might end up in a situation where the conversion prevents your query from using an index. Note that some SQL Server data types, such as char/varchar (without preceding “n”) or date do not have a corresponding .NET data type. In those cases, Add with the correct data type should be used instead.

Why should I do that?

Other database access libraries

More Related Contents:

  1. What are good ways to prevent SQL injection? [duplicate]
  2. How to use DbContext.Database.SqlQuery(sql, params) with stored procedure? EF Code First CTP5
  3. Get the generated SQL statement from a SqlCommand object?
  4. Pass table valued parameter using ADO.NET
  5. Is it necessary to manually close and dispose of SqlDataReader?
  6. Difference with Parameters.Add and Parameters.AddWithValue
  7. SQL injection on INSERT
  8. How to save image in database using C# [closed]
  9. SqlBulkCopy from a List
  10. Does using parameterized SqlCommand make my program immune to SQL injection?
  11. How to fill Dataset with multiple tables?
  12. ExecuteNonQuery returning -1 when using sql COUNT despite the query string
  13. How do I re-write a SQL query as a parameterized query?
  14. How do I translate a List into a SqlParameter for a Sql In statement? [duplicate]
  15. Add WHERE clauses to SQL dynamically / programmatically
  16. Check if a SQL table exists
  17. Enabling Foreign key constraints in SQLite
  18. How do I extract data from a DataTable?
  19. What ‘length’ parameter should I pass to SqlDataReader.GetBytes()
  20. How to give ADO.NET Parameters
  21. Do we have transactions in MS-Access?
  22. .NET Global exception handler in console application
  23. Under what circumstances is an SqlConnection automatically enlisted in an ambient TransactionScope Transaction?
  24. How do I get a human-readable file size in bytes abbreviation using .NET?
  25. Using statement vs. IDisposable.Dispose()
  26. The C# using statement, SQL, and SqlConnection
  27. String.Format – how it works and how to implement custom formatstrings
  28. How to check if the system audio is muted?
  29. .net connection pooling
  30. Why does var evaluate to System.Object in “foreach (var row in table.Rows)”?

Leave a Comment