Receive a "final" prepared statement from MySqlCommand

I have the following MySqlCommand:

Dim cmd As New MySqlCommand
cmd.CommandText = "REPLACE INTO `customer` VALUES( ?customerID, ?firstName, ?lastName)"

With cmd.Parameters
 .AddWithValue("?customerID", m_CustomerID)
 .AddWithValue("?firstName", m_FirstName)
 .AddWithValue("?lastName", m_LastName)
End With

I have a class that handles the execution of MySqlCommands, and I would like it to log every request in a file. I can get the request / command executed with:

cmd.CommandText

but this just returns the original CommandText with parameters (?customerID, ?firstName, etc.), and not the actual substituted values added by the AddWithValue functions. How can I find out the actual "final" request that was executed?

+3
6 answers

.

, SQL. SQL, . SQL. , SQL, :

Console.WriteLine("REPLACE INTO `customer` VALUES('" & m_CustomerID & _
    "', '" & m_FirstName & "', '" & m_LastName & "')")
0

:

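' Build a log-only copy of the statement; never execute this string.
Dim tmpstring As String = cmd.CommandText
For Each p As MySqlParameter In cmd.Parameters
    ' Value is an Object, so convert it before substituting it for the placeholder
    tmpstring = tmpstring.Replace(p.ParameterName, Convert.ToString(p.Value))
Next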

, , ,

+3

.

? customerID,? firstname, - mysql SQL-, .

+1

, , SQL.

.AddWithValue("?customerID", m_CustomerID)

m_CustomerID

Haha I'm stealing your data; drop table whatever;

. AddWithValue .

, , .

+1

.

, , - .

, , mysqld. MySQL my.cnf:

log=queries.txt

: mysqld queries.txt.

!

0

If you want to control logging from a .NET application, it is best to continue to use the MySqlCommand class with parameters to avoid SQL injection; however, when you log the CommandText, loop through the Parameters collection and log each by name / type / value.

0
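
An added example (not code from the original answers) of the approach in the last answer: the CommandText is logged unchanged and each parameter is listed by name / type / value. It accepts DbCommand, the base class of MySqlCommand; the module name, the Redacted parameter names and the output layout are assumptions.

```vbnet
Imports System
Imports System.Collections.Generic
Imports System.Data.Common
Imports System.Text

Public Module CommandLogFormatter

    ' Hypothetical parameter names whose values must not reach the log file.
    Private ReadOnly Redacted As New HashSet(Of String)(
        New String() {"?password", "?cardNumber"}, StringComparer.OrdinalIgnoreCase)

    ' Returns one log line: the unchanged CommandText followed by every
    ' parameter as name (type) = value. The result is for reading only and
    ' is never sent to the server, so the command stays parameterized.
    Public Function Describe(cmd As DbCommand) As String
        Dim sb As New StringBuilder()
        sb.Append("SQL: ").Append(Escape(cmd.CommandText))
        For Each p As DbParameter In cmd.Parameters
            sb.Append(" | ").Append(p.ParameterName)
            sb.Append(" (").Append(p.DbType.ToString()).Append(") = ")
            If Redacted.Contains(p.ParameterName) Then
                sb.Append("<redacted>")
            ElseIf p.Value Is Nothing OrElse p.Value Is DBNull.Value Then
                sb.Append("NULL")
            Else
                sb.Append("'").Append(Escape(Convert.ToString(p.Value))).Append("'")
            End If
        Next
        Return sb.ToString()
    End Function

    ' Keeps each entry on a single line, so a parameter value containing
    ' CR or LF cannot forge additional records in the log file.
    Private Function Escape(text As String) As String
        Return text.Replace("\", "\\").Replace(vbCr, "\r").Replace(vbLf, "\n")
    End Function

End Module
```

Call CommandLogFormatter.Describe(cmd) from the class that executes the commands and write the returned string to the log file.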

Source: https://habr.com/ru/post/1716447/

