开发者

How do I bind SqlCommand Parameters when using XML field modify() in C#

问答 作者:

I'm having trouble escaping SQL for use in a XML field with the modify() function:

example code:

new SqlCommand("UPDATE Table " +
  "SET xmlField.modif开发者_如何学JAVAy('insert " + xml_string + " as last into (/element)[1]') " +
  "WHERE id = @id", conn, transaction);

@id can be bound in C# by SqlCommand.Parameters.Add(..), but xml_string, being inside the modify method, will not allow parameter binding.

So if I want to protect from SQL injection, what do I do with this xml_string? Is there an SQL Escape method similar to System.Security.SecurityElement.Escape() ?

O.k. I finally got it to work:

new SqlCommand("UPDATE Table " +
  "SET xmlField.modify('insert sql:variable(\"@xml_string\") as last into (/element)[1]') " +
  "WHERE id = @id", conn, transaction);

and then in the parameter binding, be sure to use the XML data type and not Char (!), otherwise it won't work:

cmd.Parameters.Add("@xml_string", SqlDbType.XML).Value = xml_string;

继续阅读:prepared-statementsqlcommandxmlxquery

更多精彩内容

0

上一篇:

下一篇:

精彩评论

暂无评论...
登录 注册
Qedev.com
验证码 换一张
取 消

最新问答

问答排行榜

法律声明:本站内容均为网友上传,网站举办方负责审核和监督,

如存在版权或非法内容,欢迎举报,我们将尽快予以删除。

Copyright © 2018-2020 开发者. All rights reserved.

Powered by 开发者

ICP备案号: 京ICP备10032868号-9