Error concatenating component value in query

Navigation
2

Queries in my C # Winforms project are being done through StringBuilder . It was suggested here in the OS that I changed the way to generate the query from Consulta.Append("Select * from...") to @"select * from..." because it was redundant. Here's a snippet of code after the change: 

string Consulta = @"select nome as Nome,  
       endereco as Endereço,
       telefone as Telefone,
       dataCadastro as [Data de Cadastro]
    From clientes
       where dataCadastro='"+ Convert.toString(dePeriodo.Text) +"'
       and status<>0";
foreach (DataRow iRow in Dados.SQLData.dsData(Consulta).Tables[0].Rows)
  {
     //restante aqui
  }

It turns out that by using the method you can not concatenate the parameter of the DateEdit (dePeriodo) component because the double quotes that are in ...dataCadastro='"+ dePeriodo... , which opens the concatenation, is actually closing the query . How do I concatenate the value of the component with query without causing this error?

    
asked by anonymous 31.10.2018 / 15:15

3 answers

4

Imagining that you are using a Command correct is to do this: 

comando.CommandText = @"select nome as Nome,  
   endereco as Endereço,
   telefone as Telefone,
   dataCadastro as [Data de Cadastro]
From clientes
   where dataCadastro = @Periodo
   and status<>'0'";
comando.Parameters.Add("@Periodo", OleDbType.VarChar, 10).Value = dePeriodo.Text;

I can not guarantee that this is exactly because I do not have all the necessary information, but it's more or less that.

Or it could be this: 

comando.Parameters.Add(new SqlParameter("@Periodo", dePeriodo.Text));

If you do not do this, you'll have SQL injection security issues, a problem that should affect about 90% of sites because most people today do not learn before doing so. Do not use the string interpolation as shown in the other answer. A more complete example in Some ASP.NET MVC Solution for SQL Injection? .

    
31.10.2018 / 15:27
0

Just take the single quotation marks from 0 (zero). 

string Consulta = @"select nome as Nome,  
   endereco as Endereço,
   telefone as Telefone,
   dataCadastro as [Data de Cadastro]
From clientes
   where dataCadastro='"+ Convert.toString(dePeriodo.Text) +"'
   and status<> 0 ";

foreach (DataRow iRow in Dados.SQLData.dsData(Consulta).Tables[0].Rows)
{
   //restante aqui
}
    
31.10.2018 / 18:34
0

If you are using the Core Framework, you can do the following: 

string Consulta = $@"select nome as Nome,  
           endereco as Endereço,
           telefone as Telefone,
           dataCadastro as [Data de Cadastro]
        From clientes
           where dataCadastro='{Convert.toString(dePeriodo.Text)}'
           and status<> 0 ";

        foreach (DataRow iRow in Dados.SQLData.dsData(Consulta).Tables[0].Rows)
        {
            //restante aqui
        }

The concatenation happens as the string.format.

The case that in order to avoid SQL Injection, one should do as Maniero himself said. It's the safest way to work.

    
01.11.2018 / 13:18
How do you return multiple objects in a function of r? How to check the versions of modules installed in Python?