asked on
SqlParameter help
I've got a database object that I use for my connection layer and in this layer I'm attempting to involve the use of sql parameters. My problem is that I'm making it very general so that it can be easily reused. Here is my code.
public void Insert(Hashtable ht)
{
SqlDataAdapter sd = new SqlDataAdapter();
sd.InsertCommand = this.myConnection.CreateCo
sd.InsertCommand.CommandTe
this._addParams(sd.InsertC
sd.InsertCommand.ExecuteNo
}
private void _addParams( SqlCommand cmd, Hashtable ht)
{
IDictionaryEnumerator myEnum = ht.GetEnumerator();
while(myEnum.MoveNext())
{
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
cmd.Parameters["@" + myEnum.Key.ToString()].Val
}
}
My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting sql Injection as a possible problem?
Anyone have some ideas on how to make this more robust?
Thanks
public void Insert(Hashtable ht)
{
SqlDataAdapter sd = new SqlDataAdapter();
sd.InsertCommand = this.myConnection.CreateCo
sd.InsertCommand.CommandTe
this._addParams(sd.InsertC
sd.InsertCommand.ExecuteNo
}
private void _addParams( SqlCommand cmd, Hashtable ht)
{
IDictionaryEnumerator myEnum = ht.GetEnumerator();
while(myEnum.MoveNext())
{
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
cmd.Parameters["@" + myEnum.Key.ToString()].Val
}
}
My question is that normally this line:
cmd.Parameters.Add("@" + myEnum.Key.ToString(), myEnum.Key.ToString());
would have 4 parameters that would include a SqlDbType parameter and a length. Because this is general I left it out. Am I still inviting sql Injection as a possible problem?
Anyone have some ideas on how to make this more robust?
Thanks
C#
Last Comment
ptmcomp