This is a really quick question.

One way to update or insert data in a database is to use prepared statements like this:

Imports MySql.Data.MySqlClient

' con is an already-open MySqlConnection; the value travels as a parameter and is never spliced into the SQL text
Dim cmd As New MySqlCommand("UPDATE `table` SET `field` = ?value", con)
cmd.Parameters.AddWithValue("?value", "user given value")
cmd.ExecuteNonQuery()

One would do that to prevent any chance of SQL injection. My question is: if I use the MySqlHelper class to escape strings, is it equivalent to prepared statements? In other words, is SQL injection still possible?

Here is how I use the escape-character method:

' EscapeString only helps when the escaped text sits inside a quoted string literal;
' the original line omitted the surrounding single quotes, which are added here
Dim cmd As New MySqlCommand("UPDATE `table` SET `field` = '" & MySqlHelper.EscapeString("user given value") & "'", con)
cmd.ExecuteNonQuery()

Solution

Yes, it does, but generally you're better off doing it the proper way by using parameters. Using the above is just not advised.

Have a look here
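The two approaches side by side, as an added example that is not part of the original question or answer. It assumes MySql.Data (Connector/NET, a version that uses `@` as the parameter prefix) is referenced, a reachable MySQL server with a table `table` holding columns `id` and `field`, and a placeholder connection string; the hostile input is constructed for the demonstration.

```vbnet
' Added example, not code from the original post.
' Assumptions: MySql.Data (Connector/NET) is referenced; a MySQL server is
' reachable with a table `table`(`id` INT, `field` VARCHAR); ConnStr is a
' placeholder. The hostile input below is constructed for the demo.
Imports System
Imports MySql.Data.MySqlClient

Module EscapeVsParameters
    ' Placeholder connection string (assumption).
    Private Const ConnStr As String =
        "server=localhost;user=app;password=secret;database=appdb"

    ' Preferred route: the value never becomes part of the SQL text, so the
    ' driver, not string concatenation, decides how it is transmitted.
    Public Function UpdateWithParameter(con As MySqlConnection, id As Integer, value As String) As Integer
        Using cmd As New MySqlCommand(
            "UPDATE `table` SET `field` = @value WHERE `id` = @id", con)
            cmd.Parameters.AddWithValue("@value", value)
            cmd.Parameters.AddWithValue("@id", id)
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' Escaping route: only safe when the escaped text is placed inside a
    ' quoted string literal. The id is an Integer, so concatenating it is
    ' not an injection point.
    Public Function BuildEscapedSql(id As Integer, value As String) As String
        Return "UPDATE `table` SET `field` = '" & MySqlHelper.EscapeString(value) &
               "' WHERE `id` = " & id.ToString()
    End Function

    Public Function UpdateWithEscaping(con As MySqlConnection, id As Integer, value As String) As Integer
        Using cmd As New MySqlCommand(BuildEscapedSql(id, value), con)
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    Sub Main()
        ' Constructed hostile input: tries to close the literal and append a tautology.
        Dim hostile As String = "x' OR '1'='1"

        ' Inside quotes the single quote is escaped and the value stays a plain string.
        Console.WriteLine("Escaped + quoted: " & BuildEscapedSql(1, hostile))

        ' Unquoted concatenation, as in the question's snippet: "1 OR 1=1" contains
        ' nothing EscapeString rewrites, so the statement is still injectable.
        Console.WriteLine("Escaped, no quotes: " &
            "UPDATE `table` SET `field` = " & MySqlHelper.EscapeString("1 OR 1=1"))

        Using con As New MySqlConnection(ConnStr)
            con.Open()
            Console.WriteLine("rows (parameter): " & UpdateWithParameter(con, 1, hostile))
            Console.WriteLine("rows (escaped):   " & UpdateWithEscaping(con, 1, hostile))
        End Using
    End Sub
End Module
```

The first two `Console.WriteLine` calls run without a database and show the difference: escaping is a property of one string literal, so it protects only the characters that can terminate that literal, and only if the literal is actually quoted. A parameter removes the question entirely, which is why the answer recommends it.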

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow