如何参数化我的查询? [英] How do I parameterize my query?
问题描述
Hi ,
Hi,
我正在使用SSIS ScriptTask进行文件传输,在代码内部我有一些将数据插入数据库表的查询。问题是由于SQL注入需要参数化查询。如果
我没有参数化它,我就无法运行程序。
I’m using SSIS ScriptTask for file transferring purposes and inside of the code I have a little query that inserts data into database table. The problem is that the query needs to be parameterized because of SQL injection. I’m not able to run the program if I don’t parameterize it.
我的查询是:
My query is:
{
string query ="Insert into"+ SchemaName +"。 "+ TableName +"("+ ColumnList +")";
string query = "Insert into " + SchemaName + "." + TableName + " (" + ColumnList + ") ";
query + ="VALUES('"+ line.Replace(FileDelimiter,"','")+"')";
query += "VALUES(‘" + line.Replace(FileDelimiter, "‘,'") + "‘)";
/ / MessageBox.Show(q uery.ToString());
// MessageBox.Show(query.ToString());
SqlCommand myCommand1 = new SqlCommand(query,myADONETConnection);
SqlCommand myCommand1 = new SqlCommand(query, myADONETConnection);
myCommand1.ExecuteNonQuery();
myCommand1.ExecuteNonQuery();
}
counter ++;
counter++;
我有基本的sql知识,我试图找到关于这个主题的一些教程,但我完全无法理解它。
I have basic knowledge of sql and I tried to find some tutorials on this topic, but I was not able to understand it completely.
感谢任何帮助!!
Any help is appreciated!!
推荐答案
你可能已经看过这些文章了?
如何:执行参数化查询
使用SQL Server查询和存储过程的参数
HTH,
这篇关于如何参数化我的查询?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!