I posted a message in the SQL forum, but I think it was the wrong place. This is my problem. When I run an ExecuteNonQuery statement from a C# client, I am concatenating C# variables into the hard-coded SQL statement string, like this:
// Client-side update of one rights row. `toCat` is spliced into the statement
// text by string concatenation, so whatever it contains is executed as SQL;
// only the rights key is written as a placeholder (@rights_key), presumably
// bound elsewhere. Binding the category the same way (a placeholder in the
// text plus a parameter carrying `toCat`) is the change the question asks for.
string sqlQuery = "UPDATE rights SET category_key = " + toCat + " WHERE rights_key = @rights_key";
// NOTE(review): `Instance` is constructed but not referenced in the lines shown;
// whether QueryContainer is what binds @rights_key cannot be told from here.
QueryContainer Instance = new QueryContainer(sqlQuery);
ExecuteNonQuery(sqlQuery);
Also, when I run an SQL ExecuteScaler statement from a C# client, I am concatenating C# variables into the hard-coded values of the SQL statement, like this:
// Builds the scalar query one fragment at a time. `valDateMaterialRequired` and
// `aspKey` are pasted into the SQL text by concatenation, so their contents run
// as SQL rather than being passed as values. The date is embedded twice (inside
// the isnull() subquery and again in its fallback CASE), so any fix must cover
// both occurrences. `queryString` (presumably a StringBuilder) and the enclosing
// method are declared outside the lines shown.
queryString.Append(" SELECT isnull(");
queryString.Append(" (SELECT CASE WHEN convert(smalldatetime, '" + valDateMaterialRequired + "') < (getdate() + isNull(hier_asp_config.late_days_num, 3)) THEN '1' ELSE '0' END");
queryString.Append(" FROM hier_asp_config ");
queryString.Append(" WHERE asp_key = " + aspKey + " )");
queryString.Append(" , CASE WHEN convert(smalldatetime, '" + valDateMaterialRequired + "') < (getdate() + 3) THEN '1' ELSE '0' END)");
// ExecuteScaler returns object (or a boxed -1 when the loader is already in its
// error state), so the caller receives "1", "0" or "-1" as text.
return ExecuteScaler(queryString.ToString()).ToString();
Now, in the class that calls the actual SQL, I am using these techniques:
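/// <summary>
/// Runs <paramref name="queryString"/> as a non-query text command on the
/// loader's connection and returns the number of rows affected.
/// </summary>
/// <param name="queryString">Command text to execute. Values that originate
/// outside the program belong in <paramref name="parameters"/> behind a
/// placeholder (e.g. "... WHERE rights_key = @rights_key"), not concatenated
/// into this string.</param>
/// <param name="parameters">Optional provider parameters attached to the command
/// before it runs. Omitting them keeps existing single-argument call sites
/// unchanged.</param>
/// <returns>Rows affected, or -1 when the loader is already in its error state
/// (<c>_iserror</c>) and the command is not run at all.</returns>
/// <exception cref="EntryPointNotFoundException">Re-thrown unchanged; every other
/// exception is rolled back, logged through LogBLL and recorded in <c>_iserror</c>
/// instead of propagating.</exception>
protected int ExecuteNonQuery(string queryString, params DbParameter[] parameters)
{
    // Once an earlier command has failed, nothing further runs on this loader.
    if (_iserror)
    {
        return -1;
    }

    int returnValue = 0;

    if (_trace)
    {
        DoTrace("TAMIS.Data.Loader.ExecuteNonQuery", queryString);
    }

    if (_connection == null || _connection.State == ConnectionState.Closed)
    {
        OpenConnection();
    }

    // DbCommand is IDisposable; release it even when execution throws.
    using (DbCommand command = _provider.CreateCommand())
    {
        command.Connection = _connection;
        command.CommandText = queryString;
        command.CommandType = CommandType.Text;

        if (_useTransaction)
        {
            command.Transaction = _transaction;
        }

        if (parameters != null)
        {
            foreach (DbParameter parameter in parameters)
            {
                command.Parameters.Add(parameter);
            }
        }

        try
        {
            returnValue = command.ExecuteNonQuery();
        }
        catch (EntryPointNotFoundException)
        {
            // Propagate with the original stack trace; "throw e;" would reset it.
            throw;
        }
        catch (Exception e)
        {
            RollBack();
            LogBLL bll = new LogBLL();
            bll.WriteErrorLog(e);
            _iserror = true;
        }
        finally
        {
            // Keep the connection only when the caller asked for it and no error occurred.
            if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror)
            {
                CloseConnection();
            }
        }
    }

    return returnValue;
}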
And this:
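/// <summary>
/// Runs <paramref name="queryString"/> as a text command and returns the first
/// column of the first row, as <see cref="DbCommand.ExecuteScalar"/> does.
/// </summary>
/// <param name="queryString">Command text to execute. Values that originate
/// outside the program belong in <paramref name="parameters"/> behind a
/// placeholder, not concatenated into this string.</param>
/// <param name="parameters">Optional provider parameters attached to the command
/// before it runs. Omitting them keeps existing single-argument call sites
/// unchanged.</param>
/// <returns>The scalar result (null when the provider returns none), or a boxed
/// -1 when the loader is already in its error state (<c>_iserror</c>) and the
/// command is not run at all.</returns>
/// <exception cref="EntryPointNotFoundException">Re-thrown unchanged; every other
/// exception is rolled back, logged through LogBLL and recorded in <c>_iserror</c>
/// instead of propagating.</exception>
protected object ExecuteScaler(string queryString, params DbParameter[] parameters)
{
    // Once an earlier command has failed, nothing further runs on this loader.
    if (_iserror)
    {
        return -1;
    }

    object returnValue = null;

    if (_trace)
    {
        DoTrace("TAMIS.Data.Loader.ExecuteScalar", queryString);
    }

    if (_connection == null || _connection.State == ConnectionState.Closed)
    {
        OpenConnection();
    }

    // DbCommand is IDisposable; release it even when execution throws.
    using (DbCommand command = _provider.CreateCommand())
    {
        command.Connection = _connection;
        command.CommandText = queryString;
        command.CommandType = CommandType.Text;

        if (_useTransaction)
        {
            command.Transaction = _transaction;
        }

        if (parameters != null)
        {
            foreach (DbParameter parameter in parameters)
            {
                command.Parameters.Add(parameter);
            }
        }

        try
        {
            returnValue = command.ExecuteScalar();
        }
        catch (EntryPointNotFoundException)
        {
            // Propagate with the original stack trace; "throw ex;" would reset it.
            throw;
        }
        catch (Exception ex)
        {
            RollBack();
            LogBLL bll = new LogBLL();
            bll.WriteErrorLog(ex);
            _iserror = true;
        }
        finally
        {
            // Keep the connection only when the caller asked for it and no error occurred.
            if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror)
            {
                CloseConnection();
            }
        }
    }

    return returnValue;
}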
These are clearly giving me SQL injection errors. In my case I can't change the code to use stored procedures, as it should, so how do I pass the C# variable values from my client calling code so that it still works but does not give me SQL injection errors?