SQL query email escape '@'
Hello folks,
This is my first post in the Umbraco forum. I have been stuck with a problem for some time and can't see a solution... hope someone here can help me.
var email = "[email protected]";
var sqlquery = "Delete From Table Where email = '" + email + "'";
db.Execute(sqlquery);
This statement fails because of the "@" sign in the email address. How can I escape this character and make the query succeed?
The error message: Parameter '@' specified but none of the passed arguments have a property with this name
Thanks in advance.
Hi Romin,
Your question raises a few questions and quite a big concern.
It looks like you are constructing an SQL query, but you are exposing yourself to SQL injection (assuming that at some point the email is going to be populated dynamically).
Where are you writing this code? I'm guessing in a template file?
Thanks,
Nik
@Nik Thanks for the reply. I am writing this query in a surface controller.
I found the solution, in case someone else faces the same issue.
var sql_query = new Sql("DELETE FROM Table").Where("UserName=@0", email).Where("Id=@0", id);
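The concern Nik raises and the fix in the last post, side by side in an added example (not code from the thread or from Umbraco itself). It assumes Umbraco 7's PetaPoco-based API (`Umbraco.Core.Persistence.Sql`, `DatabaseContext.Database`) inside a surface controller; the controller name, the `Member` table and the `Email`/`Id` columns are placeholders.

```csharp
using Umbraco.Core.Persistence;   // Sql builder and UmbracoDatabase (Umbraco 7 / PetaPoco)
using Umbraco.Web.Mvc;

// Hypothetical controller; table and column names are placeholders.
public class AccountSurfaceController : SurfaceController
{
    // BEFORE: string concatenation. Two problems:
    // 1. PetaPoco scans the SQL text for "@word" tokens and treats each as a
    //    named parameter, so the "@example" inside the quoted literal produces
    //    "Parameter '@example' specified but none of the passed arguments ...".
    // 2. A value containing a quote changes the statement itself (SQL injection).
    public void DeleteUnsafe(string email)
    {
        var sql = "DELETE FROM Member WHERE Email = '" + email + "'";
        DatabaseContext.Database.Execute(sql);   // throws for user@example.com
    }

    // AFTER: ordinal placeholder. The value is sent as a bound parameter and is
    // never spliced into the SQL text, so "@" or a quote in the email is just data.
    public int DeleteSafe(string email)
    {
        return DatabaseContext.Database.Execute(
            "DELETE FROM Member WHERE Email = @0", email);
    }

    // Same thing with the Sql builder, as in the post's own fix: each Where()
    // numbers its arguments from @0, and PetaPoco renumbers them when combining.
    public int DeleteSafeWithBuilder(string email, int id)
    {
        var sql = new Sql("DELETE FROM Member")
            .Where("Email = @0", email)
            .Where("Id = @0", id);
        return DatabaseContext.Database.Execute(sql);
    }
}
```

The return value of `Execute` is the number of affected rows, which is worth checking when the delete is expected to match exactly one record.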