MySQL 5.0 Reference Manual

(closing lines of the listing from the preceding section)

            catch (Exception ex)
            {
                label2.Text = ex.ToString();
            }
            daCountry.Update(dsCountry, "Country");
            label2.Text = "MySQL Database Updated!";
        }
        private void button1_Click(object sender, EventArgs e)
        {
        }
    }
}

The application running is shown below:
Figure 20.41. World Database Application

20.2.4.1.4. Working with Parameters

This part of the tutorial shows you how to use parameters in your Connector/Net application.

Although it is possible to build SQL query strings directly from user input, this is not advisable as it does not prevent erroneous or malicious information being entered. It is safer to use parameters, as they are processed as field data only. For example, imagine the following query was constructed from user input:

string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent = "+user_continent;

If the string user_continent came from a Text Box control, there would potentially be no control over the string entered by the user. The user could enter a string that generates a runtime error, or in the worst case actually harms the system. When using parameters it is not possible to do this, because a parameter is only ever treated as a field value, rather than an arbitrary piece of SQL code.

The same query written using a parameter for user input would be:

string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent = @Continent";

Note that the parameter is preceded by an '@' symbol to indicate it is to be treated as a parameter.

Connector/Net Tutorials   1862
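The following program is an added example, not code from the manual or from the Connector/Net project. It builds the tutorial's Country query both ways with MySql.Data.MySqlClient: once by concatenating the user's string into the SQL text (with the quotes a real application would put around the value), and once with the @Continent parameter bound through MySqlCommand.Parameters. The two input strings are constructed for the demonstration; the parameterized query is only executed if a connection string to a server holding the world sample database is passed on the command line.

```csharp
using System;
using MySql.Data.MySqlClient;

class ParameterDemo
{
    // Unsafe: the user's text becomes part of the SQL statement and is parsed as SQL.
    static string BuildUnsafeQuery(string userContinent)
    {
        return "SELECT Name, HeadOfState FROM Country WHERE Continent = '"
               + userContinent + "'";
    }

    // Safe: the SQL text is fixed; the user's text travels as the value of @Continent
    // and is compared against the Continent column as data, never parsed as SQL.
    static MySqlCommand BuildSafeCommand(MySqlConnection conn, string userContinent)
    {
        string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent = @Continent";
        MySqlCommand cmd = new MySqlCommand(sql, conn);
        cmd.Parameters.AddWithValue("@Continent", userContinent);
        return cmd;
    }

    static void Main(string[] args)
    {
        // Constructed inputs: one ordinary value, one that rewrites the concatenated WHERE clause.
        string benign = "Europe";
        string hostile = "Europe' OR '1'='1";

        Console.WriteLine(BuildUnsafeQuery(benign));
        Console.WriteLine(BuildUnsafeQuery(hostile));
        // The second statement's WHERE clause is now always true, so it returns every row.

        if (args.Length == 0)
        {
            Console.WriteLine("Pass a connection string as the first argument to run the parameterized query.");
            return;
        }

        using (MySqlConnection conn = new MySqlConnection(args[0]))
        {
            conn.Open();
            MySqlCommand cmd = BuildSafeCommand(conn, hostile);
            using (MySqlDataReader rdr = cmd.ExecuteReader())
            {
                int rows = 0;
                while (rdr.Read()) rows++;
                // Expect 0: no continent is literally named "Europe' OR '1'='1".
                Console.WriteLine("Rows returned with parameter: " + rows);
            }
        }
    }
}
```

Two practical points. AddWithValue infers the parameter type from the .NET value; where the column type matters (for example to avoid an implicit conversion that defeats an index), set it explicitly with cmd.Parameters.Add("@Continent", MySqlDbType.VarChar).Value = userContinent. And parameters protect values only: a table name, column name or ORDER BY target chosen by the user cannot be bound as a parameter and must be checked against a fixed list in code before it is placed in the SQL text.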