SQL in Razor Script
I've got a user table for comments to my web site. I want to check a new comment to ensure that I don't have duplicate names with the same email. I've written a method that calls the following:
string theSql = "select userEmail from userComments " +
"where userName = \'" + name + "\' and userEmail != \'" + email + "\'";
IList<string> result = theDB.Fetch<string>(theSql);
If the email is '[email protected]' it throws an error that parameter @foo does not have a value. When I run the same code in SQL Server Management Studio it works fine. I'm using version 7.28
Hey Jon,
have a look at the docs below:
https://our.umbraco.com/documentation/Tutorials/Creating-Tables-for-Umbraco-with-PetaPoco/
It seems like you're looking for something like this:
I hope this helps...
Thanks Brendan - that fixed it. Thanks also Dan and Nik for your help.
If Brendan's answer doesn't work for you, you can try formatting the string with $.
For example:
Don't forget to wrap the strings in single quotes.
Hey Jon,
Please, please, please, read the comments from Brendan and Daniel carefully.
Your current approach is potentially open to SQL injection attack depending where the values for "name" and "email" are coming from. Even wrapping in ' won't stop someone putting ' in inputs and escaping your SQL to cause harm.
Brendan's approach is the better one as it is using parameters to safely query the data.
Thanks
Nik
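An added example, not code from Brendan's answer or from the thread, showing the concatenated query from the question next to a parameterized PetaPoco version of the same check; it assumes Umbraco 7's ApplicationContext.Current.DatabaseContext.Database and the table and column names used in the question.

```csharp
using System.Collections.Generic;
using Umbraco.Core;
using Umbraco.Core.Persistence;

public static class CommentChecks
{
    // The form used in the question: the values are spliced into the SQL text.
    // PetaPoco scans the finished string for @name tokens, so an email that
    // contains "@foo" is read as a parameter named "foo" that was never supplied
    // (the "parameter @foo does not have a value" error). A single quote in
    // either input changes the statement itself, which is the SQL injection risk
    // Nik describes.
    public static IList<string> OtherEmailsForNameConcatenated(Database db, string name, string email)
    {
        string theSql = "select userEmail from userComments " +
            "where userName = '" + name + "' and userEmail != '" + email + "'";
        return db.Fetch<string>(theSql);
    }

    // Parameterized form: @0 and @1 are PetaPoco's positional placeholders and
    // the values are passed separately. They never become part of the SQL text,
    // so "@foo" inside an email is plain data and a quote cannot alter the query.
    public static IList<string> OtherEmailsForNameParameterized(Database db, string name, string email)
    {
        const string sql = "select userEmail from userComments " +
            "where userName = @0 and userEmail != @1";
        return db.Fetch<string>(sql, name, email);
    }

    // Usage from an Umbraco 7 Razor script or controller (assumed API for v7):
    // returns true when the name is already used with a different email.
    public static bool NameUsedWithOtherEmail(string name, string email)
    {
        Database db = ApplicationContext.Current.DatabaseContext.Database;
        return OtherEmailsForNameParameterized(db, name, email).Count > 0;
    }
}
```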