This part of the tutorial shows you how to use parameters in your MySQL Connector/NET application.
Although it is possible to build SQL query strings directly from user input, this is not advisable as it does not prevent erroneous or malicious information being entered. It is safer to use parameters as they will be processed as field data only. For example, imagine the following query was constructed from user input:
string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent = "+user_continent;
If the string user_continent
came from a Text
Box control, there would potentially be no control over the string
entered by the user. The user could enter a string that generates
a runtime error, or in the worst case actually harms the system.
When using parameters it is not possible to do this because a
parameter is only ever treated as a field parameter, rather than
an arbitrary piece of SQL code.
The same query written using a parameter for user input is:
string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent = @Continent";
The parameter is preceded by an '@' symbol to indicate it is to be treated as a parameter.
As well as marking the position of the parameter in the query
string, it is necessary to add a parameter to the
MySqlCommand
object. This is illustrated by the
following code snippet:
cmd.Parameters.AddWithValue("@Continent", "North America");
In this example the string "North America" is supplied as the parameter value statically, but in a more practical example it would come from a user input control.
A further example illustrates the complete process:
using System;
using System.Data;
using MySql.Data;
using MySql.Data.MySqlClient;
public class Tutorial5
{
public static void Main()
{
string connStr = "server=localhost;user=root;database=world;port=3306;password=******";
MySqlConnection conn = new MySqlConnection(connStr);
try
{
Console.WriteLine("Connecting to MySQL...");
conn.Open();
string sql = "SELECT Name, HeadOfState FROM Country WHERE Continent=@Continent";
MySqlCommand cmd = new MySqlCommand(sql, conn);
Console.WriteLine("Enter a continent e.g. 'North America', 'Europe': ");
string user_input = Console.ReadLine();
cmd.Parameters.AddWithValue("@Continent", user_input);
MySqlDataReader rdr = cmd.ExecuteReader();
while (rdr.Read())
{
Console.WriteLine(rdr["Name"]+" --- "+rdr["HeadOfState"]);
}
rdr.Close();
}
catch (Exception ex)
{
Console.WriteLine(ex.ToString());
}
conn.Close();
Console.WriteLine("Done.");
}
}
In this part of the tutorial you have see how to use parameters to make your code more secure.