I have two SQL statements in my C# code to get some values. I know that they are open to SQL injection, since I do not use parameters, but I'm not sure whether I am implementing them correctly.

(Note: each of them is inside a loop that iterates over the rows of the DataTable.) First example:
```csharp
// Original (vulnerable) form: the id is concatenated straight into the SQL text.
string sql2 = "select max(day) as day from users u join days d on d.User_ID = u.id where u.ActiveUser = 1 and u.id = " + Users["ID"].ToString();
command.CommandText = sql2;
string dt = command.ExecuteScalar().ToString();
```
The statement above retrieves a datetime and assigns it to the string dt. Everything that is an ID or identifier is a bigint.
```csharp
// Original (vulnerable) form: row["ID"] is concatenated into the subquery.
string sql = "SELECT MAX(Day) FROM Days WHERE Project_ID IN (SELECT ID FROM Projects WHERE Parent_ID = -1 AND ID = " + row["ID"] + ") HAVING MAX(Day) < DATEADD(dd, -730, getdate())";
command.CommandText = sql;
object val = command.ExecuteScalar();
```
The statement above does the same as the first one: it retrieves a datetime value. Everything that is an ID or identifier is a bigint.

This is what I came up with for the first one; did I miss something or do something wrong?
```csharp
string sql2 = "select max(day) as day from users u join days d on d.User_ID = u.id where u.ActiveUser = 1 and u.id = @userID";
// The parameter belongs to cmd (the command built from sql2), not to the older `command` object.
// `using (conn)` would dispose the connection at the end of the block, so the next loop
// iteration would hit a disposed object; open it once here and let the caller dispose it.
if (conn.State != ConnectionState.Open)
{
    conn.Open();
}
using (SqlCommand cmd = new SqlCommand(sql2, conn))
{
    // The column is bigint, so bind an explicitly typed parameter instead of relying on AddWithValue's inference.
    cmd.Parameters.Add("@userID", SqlDbType.BigInt).Value = Convert.ToInt64(drUsers["ID"]);
    dt = (DateTime)cmd.ExecuteScalar();
}
```
Note: I asked a question last week about DateTime conversions, and there was a problem that could not be resolved, so I might just have to use the string version of the returned datetime. Will that affect anything?

c# sql sql-server
pfinferno
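As an added example (not code from the question or from any answer on the page), here is how both statements from the question could be written with typed parameters, keeping the question's own table and column names. It assumes an already opened `SqlConnection` named `conn` and the `users`/`days`/`Days`/`Projects` schema exactly as the question's SQL spells it; the method names `GetLastUserDay`, `GetLastProjectDay` and `ReadNullableDateTime` are chosen here and are not from the page.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class DayQueries
{
    // Vulnerable form from the question, shown for comparison (do not use):
    //   "... WHERE Parent_ID = -1 AND ID = " + row["ID"] + ") HAVING ..."
    // Whatever is in row["ID"] becomes part of the statement text.

    // Hardened form of the first statement: the id travels as a typed BigInt
    // parameter, so the SQL text never changes and the value can only be a number.
    public static DateTime? GetLastUserDay(SqlConnection conn, long userId)
    {
        const string sql =
            "select max(day) as day from users u join days d on d.User_ID = u.id " +
            "where u.ActiveUser = 1 and u.id = @userId";

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Declaring the SqlDbType explicitly avoids AddWithValue's type inference,
            // which matters for a bigint column.
            cmd.Parameters.Add("@userId", SqlDbType.BigInt).Value = userId;
            return ReadNullableDateTime(cmd.ExecuteScalar());
        }
    }

    // Hardened form of the second statement.
    public static DateTime? GetLastProjectDay(SqlConnection conn, long projectId)
    {
        const string sql =
            "SELECT MAX(Day) FROM Days " +
            "WHERE Project_ID IN (SELECT ID FROM Projects WHERE Parent_ID = -1 AND ID = @projectId) " +
            "HAVING MAX(Day) < DATEADD(dd, -730, getdate())";

        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@projectId", SqlDbType.BigInt).Value = projectId;
            return ReadNullableDateTime(cmd.ExecuteScalar());
        }
    }

    // ExecuteScalar returns null when the query yields no row at all (the HAVING
    // clause filters it out), DBNull.Value when MAX() is NULL, and a boxed DateTime
    // otherwise. Casting straight to DateTime throws in the first two cases, which is
    // the usual cause of "DateTime conversion" trouble with these queries.
    private static DateTime? ReadNullableDateTime(object scalar)
    {
        if (scalar == null || scalar == DBNull.Value)
        {
            return null;
        }
        return (DateTime)scalar;
    }
}
```

In the loop over the DataTable, open the connection once before the loop and pass `Convert.ToInt64(row["ID"])` to the helper on each iteration; the `DateTime?` result carries the value without a round trip through a string, and `ToString()` can be applied at display time if a string is needed.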