Manually escaping or sanitizing should be the last resort.

Why, other than "because one might forget it"?

That is, what if bits of the query depend on various conditions and need to be constructed part by part? Keeping the placeholders and the actual values synced seems like a nightmare in those cases... unless I am missing something.



One could imagine something like

    using System.Data.SqlClient;

    public static class SqlCommandExtensions
    {
        // Adds the parameter only when the statement text references it.
        // Note: a plain Contains check also matches longer names (@id vs. @identifier).
        public static void AddParameterValue(this SqlCommand cmd, string paramName, object value)
        {
            if (cmd.CommandText.Contains("@" + paramName))
                cmd.Parameters.AddWithValue(paramName, value);
        }
    }
to help set parameters only if they are referenced in the SQL statement.

