database - How to avoid SQL Injection with Update command in Npgsql? -


i trying use npgsql postgresql client accomplish 2 things:

  1. avoid sql injection, and
  2. manage data containing single quote '

i cannot see how either :(

postrgesql version 9.1

in below code, dx.chronic of type bool? , cdesc of table dx may contain single quote, "tom's dog". clearly, updatecmd, written, fail when npgsql/postgresql hits single quote.

string schronic = (dx.chronic == null) ? "null" : dx.chronic.tostring();   string updatecmd = "update dx "+             "set chronic = " + schronic  +             " (trim(lower(cdesc)), trim(cicd9)) = "+             " ('"+dx.description.trim().tolower()+"','"+dx.icd9.trim() +"');";   using (npgsqlcommand command = new npgsqlcommand(updatecmd, conn))             {                command.parameters.add(new npgsqlparameter("value1", npgsqldbtype.text));                 command.parameters[0].value = "big tom's dog";               ....... ? ? ? ? ? ? ? ? ? ? ? ? ? ...................

how done? appreciated.

tia

as @tadman says, should never use string concatenation compose query - source of sql injection. however, there's no need prepare statement. use parameter placeholders in query, following should work:

string updatecmd = "update dx set chronic = @p1 (trim(lower(cdesc)), trim(cicd9)) = (@p2);";  using (npgsqlcommand command = new npgsqlcommand(updatecmd, conn)) {     cmd.parameters.addwithvalue("p1", "chronic");     cmd.parameters.addwithvalue("p2", "value");     cmd.executenonquery(); }

Comments

Post a Comment

Popular posts from this blog

twig - Using Twigbridge in a Laravel 5.1 Package -

i'm trying create laravel 5.1 package uses twigbridge instead of .php views. can normal .php views display fine, when try make use of .twig templates i'm met error. possible use twigbridge templates when creating views laravel package or pretty stuck blade , php ? edit 1: loading twig template without extending works. it's when start using {% extends 'file' %} error comes out. i error error loading /virtual/laravel/packages/username/mypackage/src/views/sample.twig: template "templates.master" not defined () in "/virtual/laravel/packages/username/mypackage/src/views/sample.twig" @ line 1. my folders username |_ mypackage |_ src |_ controllers - samplecontroller.php |_ views |_ templates - master.twig - sample.twig twig template sample.twig {% extends 'templates.master' %} {% block content %} {{ parent()
Read more

firemonkey - How do I make a beep sound in Android using Delphi and the API? -

after having @ androidapi.jni.media.pas, coded following procedure: uses androidapi.jnibridge, androidapi.jni.media; procedure sound(aduration: integer); implementation procedure sound(aduration: integer); var volume: integer; streamtype: integer; tonetype: integer; tonegenerator: jtonegenerator; begin volume := tjtonegenerator.javaclass.max_volume; streamtype := ? tonetype := tjtonegenerator.javaclass.tone_dtmf_0; tonegenerator := tjtonegenerator.javaclass.init(streamtype, volume); tonegenerator.starttone(tonetype, aduration); end; but can't figure out how set value streamtype? thanks the stream type identify stream on beep must played. integer between 0 , 4 : stream_voice_call (0) stream_system (1) stream_ring (2) stream_music(3) stream_alarm(4)
Read more

jdbc - Not able to establish database connection in eclipse -

i want make new database connection (db2) in eclipse purpose of using jpa. in jpa perspective, in data source explorer view, when try create new db connection, receive following logs when try ping server. org.eclipse.datatools.connectivity.exceptions.dbnotstartexception: no start database command issued. errorcode = -4499, sqlstate = 08001. @ org.eclipse.datatools.enablement.ibm.db2.internal.luw.jdbcluwjdbcconnection.getconnectexception(jdbcluwjdbcconnection.java:74) @ org.eclipse.datatools.connectivity.ui.pingjob.gettestconnectionexception(pingjob.java:81) @ org.eclipse.datatools.connectivity.ui.pingjob.run(pingjob.java:63) @ org.eclipse.core.internal.jobs.worker.run(worker.java:54) caused by: com.ibm.db2.jcc.am.ro: [jcc][t4][2043][11550][4.8.87] exception java.net.connectexception: error opening socket server example.example.com/51.37.93.117 on port 50,000 message: connection timed out: connect. errorcode=-4499, sqlstate=08001 @ com.ibm.db2.jcc.am.gd.a(gd.j
Read more