        // Add into DB
        using (tblArtworkTemplatesTableAdapter tblAdapter = new tblArtworkTemplatesTableAdapter())
        {
            tblAdapter.Insert(DateTime.Now, "@specID");
            "@specID" = int.Parse(lstChooseSpec.SelectedValue)
        }

I know the code is wrong, just for illustration of my objective, how do I parameterise the input?

2 Answers

Generally it depends. If you are using any kind of ORM like LINQ to SQL or NHibernate, it will do it for you no questions asked. If you are doing it using plain ADO objects (which I suppose is the case) then you will have to come up with the Command (or SQLCommand or any other ICommand implementation) object and use the SQLParameter class (or other parameter classes).

ICommand has the collection of parameters that you can arbitrarily edit.

    // requires: using System.Data.SqlClient; conn is an already-created SqlConnection
    SqlCommand cmd = new SqlCommand(
            "select * from STH where column = @SpecID", conn);

    // it might be useful to specify a type as well (e.g. SqlDbType.Int)
    SqlParameter param  = new SqlParameter();
    param.ParameterName = "@SpecID";
    // I would use the TryParse method though
    param.Value         = int.Parse(lstChooseSpec.SelectedValue);

    // the value travels separately from the SQL text, so it is never parsed as SQL
    cmd.Parameters.Add(param);

2 Comments

I'm using a DAL, do I need to worry about parameterising inputs or will it do it for me?
Well it depends on the DAL. I do not know the API. Generally DALs do it for you; they only require passing the regular C# data values and they take care of parametrisation themselves.

This line

"@specID" = int.Parse(lstChooseSpec.SelectedValue)

is incorrect. You can't assign a value to a constant. You might mean something like

specId = int.Parse(lstChooseSpec.SelectedValue);

The rest of the code is confusing. Why are you parsing lstChooseSpec.SelectedValue to an integer, then trying to add it to the adapter as a DateTime? C# is strongly-typed: something is either an int or a DateTime, but cannot be both.

It might help if you could post the rest of the method.

Also, have a look at this overview on MSDN.

1 Comment

I'm trying to insert two values, first is DateTime, the second is an integer. I want to make the second input into the insert query a parameter to avoid SQL injection.
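Pulling the two answers together for the case the asker describes in the comment above (one DateTime and one integer, inserted through a parameterised command), here is an added example. It is not code from either answer or from the asker's project: the table and column names `tblArtworkTemplates`, `CreatedOn` and `SpecID` are assumptions, since the page only shows a TableAdapter name, and it uses a plain `SqlCommand` rather than the generated TableAdapter. The `TryParse` check is the one the first answer recommends over `int.Parse`, so a non-numeric `SelectedValue` is rejected before any command is built.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class ArtworkTemplateRepository
{
    // Assumed schema: tblArtworkTemplates(CreatedOn DATETIME, SpecID INT).
    // Inserts one row and returns the number of rows affected (1 on success).
    public static int InsertTemplate(string connectionString, string selectedValue)
    {
        // Validate the user-controlled value before touching the database.
        // TryParse avoids the FormatException that int.Parse throws on bad input.
        int specId;
        if (!int.TryParse(selectedValue, out specId))
        {
            throw new ArgumentException("Selected spec id is not an integer.", "selectedValue");
        }

        // The SQL text contains only placeholders; no user input is concatenated in.
        const string sql =
            "INSERT INTO tblArtworkTemplates (CreatedOn, SpecID) VALUES (@createdOn, @specID)";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Typed parameters: each value is sent to the server separately from
            // the statement text, so it can never be interpreted as SQL.
            cmd.Parameters.Add("@createdOn", SqlDbType.DateTime).Value = DateTime.Now;
            cmd.Parameters.Add("@specID", SqlDbType.Int).Value = specId;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// Usage from the form, with lstChooseSpec being the list control from the question:
//   ArtworkTemplateRepository.InsertTemplate(connectionString, lstChooseSpec.SelectedValue);
```

Giving each parameter an explicit `SqlDbType` (rather than letting `SqlParameter` infer it from the value) also avoids the type confusion the second answer points out: `@createdOn` can only ever carry a DateTime and `@specID` only an int, and a mismatch surfaces as an exception in C# instead of a silently wrong row.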
