How do I parameterize my query?

  • Hi,

    I'm using SSIS ScriptTask for file transferring purposes and inside of the code I have a little query that inserts data into database table. The problem is that the query needs to be parameterized because of SQL injection. I'm not able to run the program if I don't parameterize it.

    My query is:

    {
        // Schema, table and column names are concatenated straight into the statement...
        string query = "Insert into " + SchemaName + "." + TableName + " (" + ColumnList + ") ";
        // ...and so are the field values from the file line, which is where the injection risk sits.
        query += "VALUES('" + line.Replace(FileDelimiter, "','") + "')";
        // MessageBox.Show(query.ToString());
        SqlCommand myCommand1 = new SqlCommand(query, myADONETConnection);
        myCommand1.ExecuteNonQuery();
    }
    counter++;

    I have basic knowledge of sql and I tried to find some tutorials on this topic, but I was not able to understand it completely.

    Any help is appreciated!!

  • I don't think that parameters will be able to help you here, since you are dynamically building the schema and table, column list, and values list.  If it were just the object, you could use the QUOTENAME function around SchemaName and TableName to avoid injection there, but you would also have to come up with a different way to handle ColumnList which looks like it contains multiple values.
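One way to act on the reply above, as an added example that is neither the poster's code nor a library API: the identifiers (schema, table, each name in ColumnList) are checked against an allow-list pattern and bracket-quoted the way QUOTENAME does, while every field split from the file line becomes its own SqlParameter. It assumes the variables from the question (SchemaName, TableName, ColumnList, line, FileDelimiter, myADONETConnection); the helpers QuoteName, BuildInsert and InsertLine and the sample record in Main are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not code from the thread. Identifiers are allow-listed and
// bracket-quoted; the values from the file line travel as parameters.
static class SafeInsert
{
    // Conservative allow-list for the identifiers, which cannot be parameterized.
    static readonly Regex SafeIdentifier = new Regex(@"^[A-Za-z_][A-Za-z0-9_]{0,127}$");

    // Client-side equivalent of T-SQL QUOTENAME: bracket-quote and double any ']' in the name.
    static string QuoteName(string identifier)
    {
        if (!SafeIdentifier.IsMatch(identifier))
            throw new ArgumentException("Unexpected identifier: " + identifier);
        return "[" + identifier.Replace("]", "]]") + "]";
    }

    // Builds the INSERT text with @p0..@pN placeholders and returns the field values
    // that belong to them. Nothing from the file line ends up in the SQL text.
    public static (string Sql, string[] Values) BuildInsert(
        string schemaName, string tableName, string columnList, string line, string fileDelimiter)
    {
        string[] columns = columnList.Split(',');
        string[] values = line.Split(new[] { fileDelimiter }, StringSplitOptions.None);
        if (columns.Length != values.Length)
            throw new InvalidOperationException(
                $"Record has {values.Length} fields but {columns.Length} columns are listed.");

        var quotedColumns = new List<string>();
        var placeholders = new List<string>();
        for (int i = 0; i < columns.Length; i++)
        {
            quotedColumns.Add(QuoteName(columns[i].Trim()));
            placeholders.Add("@p" + i);
        }

        string sql = "INSERT INTO " + QuoteName(schemaName) + "." + QuoteName(tableName)
                   + " (" + string.Join(", ", quotedColumns) + ")"
                   + " VALUES (" + string.Join(", ", placeholders) + ")";
        return (sql, values);
    }

    // Replacement for the block in the question: same inputs, parameterized execution.
    public static int InsertLine(SqlConnection myADONETConnection, string schemaName, string tableName,
                                 string columnList, string line, string fileDelimiter)
    {
        var (sql, values) = BuildInsert(schemaName, tableName, columnList, line, fileDelimiter);
        using (var command = new SqlCommand(sql, myADONETConnection))
        {
            for (int i = 0; i < values.Length; i++)
                command.Parameters.Add("@p" + i, SqlDbType.NVarChar).Value = values[i];
            return command.ExecuteNonQuery();
        }
    }

    // Offline demonstration with a constructed record; no database connection needed.
    static void Main()
    {
        // An apostrophe and a comma inside the data would have corrupted the
        // concatenated statement; here they are just parameter values.
        string line = "O'Brien|42|note with a ' quote and a , comma";
        var (sql, values) = BuildInsert("dbo", "Imports", "Name,Qty,Note", line, "|");
        Console.WriteLine(sql);
        for (int i = 0; i < values.Length; i++)
            Console.WriteLine("@p" + i + " = " + values[i]);
    }
}
```

Inside the ScriptTask loop the call becomes InsertLine(myADONETConnection, SchemaName, TableName, ColumnList, line, FileDelimiter). The allow-list rejects names with spaces or punctuation; if the target tables legitimately use such names, widen the pattern (or validate the names against INFORMATION_SCHEMA.COLUMNS instead) and rely on the bracket doubling for quoting. All values are sent as NVarChar and converted by SQL Server on insert; typing each parameter to its column's data type is stricter and surfaces bad records earlier.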
