![]() ![]() I'm using below flexible MySQL insert function, which enters a record in a given table. I was banging my head against the wall with this same issue and being new to MySql I hadn't realized it didn't support paramertized queries.I want to insert rows in a database table with the precaution of SQL-injection. Thank you so much for posting this (and thank the lord for google for helping me find this post). Not sure I am going to be able to figure out how to get it to work, but I will try. What is Prepared Statement A prepared statement (also known as parameterized statement) is simply a SQL query template containing placeholder instead of the actual parameter values. Thanks Chris, I will have to give it a shot. PHP MySQL Prepared Statements In this tutorial you will learn how to use prepared statements in MySQL using PHP. Does anyone know of a similar library for interbase/firebird so I can use named parameters? Thanks I am having the same problems with interbase/firbird. Glad to know my asp.net thread was of use to someone else as well as me. Just a thought! I've been using the library for a project I've been working on, and it's worked great. It also supports name parameters, which could certainly make the code easier to understand and update. Im looking for a prepared statement with mysqli (Important, not PDO, because I can't use it and can't transfer some PDO code to mysqli.), where i can insert on long query with a lot of values (about 2000). If LASTINSERTID(expr) was used to generate the value of AUTOINCREMENT, it returns the value of the last expr instead of the generated AUTOINCREMENT value. NET, so you don't have to use ODBC or ODBC drivers. Performing an INSERT or UPDATE statement using the LASTINSERTID() MySQL function will also modify the value returned by mysqliinsertid(). You should look into using the ByteFX MySQL library. Having no previous experiences with parameters and the question mark, I simply thought it would safely replace the ? with my value, but still would require the quotes for string values.ĭon't make the same mistake! It's a stupid one ) And it worked!ġOdbcCommand insertCmd = new OdbcCommand( "INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES(?, ?, ?, ?) ", zosaDb) Ħ return insertCmd Such a small thing, but nowhere I managed to find this, nobody ever posted to watch out for this. But today I tried something else, remove the single quotes. Did I add my parameters in a wrong way? Is there something wrong with MyODBC? After having done about everything I could think of, it was in the middle of the night and I went to bed. This is what I had (I returned an SQL query string at first):ġ return String.Format( "INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES(') ", strFName, strGeslacht, intKlas, klKlas.Id) And I changed it to:ġOdbcCommand insertCmd = new OdbcCommand( "INSERT INTO zosa_Users(UserVNaam, UserNaam, UserKlasNr, UserKlas) VALUES('?', '?', ?, ?) ", zosaDb) Ģ( new OdbcParameter( "", strFName)) ģ( new OdbcParameter( "", strGeslacht)) Ĥ( new OdbcParameter( "", intKlas)) ĥ( new OdbcParameter( "", klKlas.Id)) Ħ return insertCmd What did this insert in my database? Well it added a question mark ) No problem I thought, this would be a one-minute fix. But MySQL is tricky, it doesn't support named parameters, so you have to use a question mark and add parameters in the right order. ![]() ![]() So, not having heard of such thing as parameterized queries, I created my SQL statements the same way in C#, until I read about this practice being "not done". You simply build your own SQL string and make sure it doesn't contain anything harmful. I come from a PHP background, where there is no such thing as parameterized queries. Today I was looking over a project I'm working on currently, more specifically, at the SQL queries in it. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |