sp_executesql

-

SQL Server lets you execute dynamic SQL with the EXEC command. However, if you're accepting any user input as part of the query, you'll be subject to SQL injection attacks.

The system proc sp_executesql gives you the ability to build a parameterized statement dynamically, and execute it, passing in the parameter values. As long as you're building the query safely, you won't be subject to SQL injection.

View code on GitHub

Comments

Post a Comment

Popular posts from this blog

C# Record Serialization

-
Image
With .NET 5, you get a new concept called record . Lots of cool things, one of which is that you can serialize and deserialize with JSON just like a class, except you don't need to define properties one at a time, or even the body of the type. Apparently XML serialization doesn't quite work, so stick with JSON. View code on GitHub
Read more

Add timestamp to photo using ImageMagick

-
rem dptnt.com/2009/04/how-to-add-date-time-stamp-to-jpeg-photos-using-free-software/ @ ECHO OFF SETLOCAL FOR / R %%G IN ( *.jpg ) DO CALL :process "%%G" GOTO :end :process SET _inname = %1 identify - format %%w %_inname% > dttmpfile set / p width = < dttmpfile Set / a pointsize = %width% / 50 rem echo ZZ >> dttempfile DEL dttmpfile ECHO Processing %_inname% ... convert %_inname% - gravity SouthEast - font Arial - pointsize %pointsize% - fill orange - annotate +%pointsize%+%pointsize% "%%[exif:DateTimeOriginal]" %_inname% EXIT / B :end
Read more

Read/write large blob to SQL Server from C#

-
Rather than try to make it happen in one big command, here’s breaking it out into many commands. Whether or not you use the transaction is up to you and your use case – you could always have a “Completed” column and only set that to true after success, if you wanted to skip a transaction. First, insert a record, leaving the blob column as an empty byte array, making sure you have access to the primary key of the record you just inserted: using var conn = new SqlConnection ( _config . GetConnectionString ( " MyDB " ) ) ; await conn . OpenAsync ( ) . ConfigureAwait ( false ) ; using var tran = ( SqlTransaction ) await conn . BeginTransactionAsync ( ) ; int fileID ; using ( var comm = conn . CreateCommand ( ) ) { comm . Transaction = tran ; comm . CommandText = @"         insert dbo.Files (FileName, FileContents)         values (@FileName, 0x);      ...
Read more