AddSqlParameter

 

Object and Type

 

Object  : FCSQLExec

Type     : Method

 

 

Prototype

 

Public Sub AddSqlParameter(ByVal value As Object)

 

 

Description

 

When executing SQL statements having user input it is best to use parameterized queries to avoid the potential for SQL injection attacks.

 

This method is used before calling Execute or ExecuteReturnRows to add sql query parameter values to the SQL query which is about to be executed. The SQL being executed needs to have parameter placeholders. Parameter placeholders are numbers starting with zero surrounded by curly braces. For example,

 

var sql = "Select count(*) from table_case where title = {0} or title = {1}"

SqlDB. AddSqlParameter(user_input1);

SqlDB.AddSqlParameter(user_input2);

SqlDB.Execute(sql);

 

Note: The type of the value being added as a SQL parameter needs to match the database field to which it is being applied. For example, you will receive an error if you apply a number parameter value to a string field.  

 

 

Parameters         

 

Parameter Name Required?             Description                                                                                          

value                                     Yes                         The sql query parameter value.