How To: SQLite parameters with an UPDATE/WHERE command

I'm writing my first database application. It's a C# WinForms application with a SQLite database.

I'm attempting to write a SQLite query that uses parameters with an UPDATE/WHERE command instead of an INSERT command, which is what you normally see.

Here's the link I'm using as a template. See Listing 14-2.

http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection

Can someone provide some insight on how to change the query in the link to use an UPDATE/WHERE statement instead of the INSERT statement?


Well, that article is just pointing out that you will want to write your queries as parameterized queries to avoid SQL injection attacks. So the query logic is the same as you would normally write, but instead of using string concatenation to put your dynamic values in, you use variables following the syntax "@someVariableName" and then you add your dynamic values in as parameters on the sqlCommand object.

Here is a link for a walk through on how to do this for SQLite: Parameterized Queries

EDIT: Had to find a new reference for this answer as old reference died.
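
A parameterized UPDATE/WHERE of the kind asked about, as an added example that is not part of the original question or answers. It assumes the System.Data.SQLite provider; the Customers table, its columns and RenameCustomer are hypothetical names, and the rows are constructed sample data.

```csharp
using System;
using System.Data.SQLite;

static class UpdateDemo
{
    // Parameterized UPDATE/WHERE: both the new value and the row selector
    // are bound as parameters, so neither is ever parsed as SQL text.
    static int RenameCustomer(SQLiteConnection conn, long id, string newName)
    {
        const string sql = "UPDATE Customers SET Name = @name WHERE Id = @id";
        using (var cmd = new SQLiteCommand(sql, conn))
        {
            cmd.Parameters.AddWithValue("@name", newName);
            cmd.Parameters.AddWithValue("@id", id);
            return cmd.ExecuteNonQuery(); // number of rows changed
        }
    }

    static void Main()
    {
        using (var conn = new SQLiteConnection("Data Source=:memory:"))
        {
            conn.Open();

            // Constructed sample table with two rows.
            using (var setup = new SQLiteCommand(
                "CREATE TABLE Customers (Id INTEGER PRIMARY KEY, Name TEXT);" +
                "INSERT INTO Customers (Name) VALUES ('Alice');" +
                "INSERT INTO Customers (Name) VALUES ('Bob');", conn))
            {
                setup.ExecuteNonQuery();
            }

            // A value containing a quote and comment marker is stored as data;
            // only the row matched by @id is touched.
            int changed = RenameCustomer(conn, 1, "Robert'; --");
            Console.WriteLine("Rows changed: " + changed);

            using (var check = new SQLiteCommand(
                "SELECT Id, Name FROM Customers ORDER BY Id", conn))
            using (var reader = check.ExecuteReader())
            {
                while (reader.Read())
                    Console.WriteLine(reader.GetInt64(0) + ": " + reader.GetString(1));
            }
        }
    }
}
```

Checking the return value of ExecuteNonQuery is a cheap way to notice a WHERE clause that matched no rows, or more rows than intended.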


Maybe you can update the database with the SQLiteDataAdapter Update function.

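   // Requires: using System.Data; using System.Data.SQLite;
   SQLiteCommand cmdSQLite = new SQLiteCommand("SELECT * FROM TableName", connectionSQLite);
   SQLiteDataAdapter daSQLite = new SQLiteDataAdapter();
   daSQLite.SelectCommand = cmdSQLite;
   // Update() needs an UPDATE command; the command builder generates a
   // parameterized one from the SELECT (the table must have a primary key).
   SQLiteCommandBuilder cbSQLite = new SQLiteCommandBuilder(daSQLite);
   DataSet dsSQLite = new DataSet();
   daSQLite.Fill(dsSQLite, "TableName");
   // Change one cell in the in-memory copy of the table.
   dsSQLite.Tables["TableName"].Rows[NumberOfRowToChange]["ColumnName"] = somevalue;
   //...
   // Write the changed rows back to the database.
   daSQLite.Update(dsSQLite, "TableName");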