Menu
What I am trying to do is create some arbitrary sql command with parameters, set the values and types of the parameters, and then return the parsed sql command - with parameters included. I will not be directly running this command against a sql database, so no connection should be necessary. So if I ran the example program below, I would hope to see the following text (or something similar):
WITH SomeTable (SomeColumn)
AS
(
SELECT N':)'
UNION ALL
SELECT N'>:o'
UNION ALL
SELECT N'^_^'
)
SELECT SomeColumn FROM SomeTable
And the sample program is:
using System;
using System.Data;
using System.Data.SqlClient;
namespace DryEraseConsole
{
class Program
{
static void Main(string[] args)
{
const string COMMAND_TEXT = @"
WITH SomeTable (SomeColumn)
AS
(
SELECT N':)'
UNION ALL
SELECT N'>:o'
UNION ALL
SELECT @Value
)
SELECT SomeColumn FROM SomeTable
";
SqlCommand cmd = new SqlCommand(COMMAND_TEXT);
cmd.CommandText = COMMAND_TEXT;
cmd.Parameters.Add(new SqlParameter
{
ParameterName = "@Value",
Size = 128,
SqlDbType = SqlDbType.NVarChar,
Value = "^_^"
});
Console.WriteLine(cmd.CommandText);
Console.ReadKey();
}
}
}
Is this something that is achievable using the .net standard libraries? Initial searching says no, but I hope I'm wrong.
413
A SqlCommand object allows you to specify what type of interaction you want to perform with a database. For example, you can do select, insert, modify, and delete commands on rows of data in a database table.
AddWithValue replaces the SqlParameterCollection. Add method that takes a String and an Object. The overload of Add that takes a string and an object was deprecated because of possible ambiguity with the SqlParameterCollection.
Command objects use parameters to pass values to SQL statements or stored procedures, providing type checking and validation. Unlike command text, parameter input is treated as a literal value, not as executable code.
You have a mistaken notion of how parameterized queries work. The "parsed text" you speak of is never created, and parameter values are never substituted directly into the query string.
That's why it's so important to use parameterized queries — you have complete segregation of query data from query code. Data is data, code is code, and never the twain shall meet. Thus, there is no possibility for sql injection.
What it means is that if you have a CommandText like this:
SELECT SomeColumn FROM SomeTable WHERE ID= @ID
instead of ultimately running a query that looks like this:
SELECT SomeColumn FROM SomeTable WHERE ID= 123
you actually run something more like this:
DECLARE @ID Int
Set @ID = RetrieveQueryDataItem("@ID")
SELECT SomeColumn FROM SomeTable WHERE ID= @ID
Now, this isn't exactly what happens; the engine doesn't transform the code like that. Instead, it uses the sp_executesql procedure. But this should help you understand what's going on.
154
Joel Coehoorn is right, it's not just a simple string substitution or escape character adding, etc.
You can, however, view your parameters to see if your values are as you want them:
foreach (IDataParameter i in cmd.Parameters)
{
Console.WriteLine(i.Value.ToString());
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
