In ADO.NET, you can add parameters to the command object to reliably add user input to the SQL query. What is equivalent to other predicates common to a SQL query?
I am writing a program that is essentially a very limited OR mapper and SQL generator (it is heavily focused on a database with meta-information and other databases that match this metadata). As a result, I need to be able to write things like:
string sql = "select " + USER_SELECTED_COLUMNS +
" from " + USER_SELECTED_TABLE +
" where " + USER_CRITERIA;
Some of these (for example, the criteria) are entered into my program literally by trusted users (other developers in my company), while other data are entered into my program by untrusted users (clients) through their searches, etc.
I want to make this program safe, and I know that it is not. Currently, I have replaced USER_SELECTED_COLUMNS with command parameters, but I could not find the equivalent for CRITERIA and TABLE (or the ordering columns). Are there any ADO.NET features similar to SqlParameter that I can use for predicates other than the select list?
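SqlParameter binds values, not identifiers or predicates, so the usual defence is to allow-list table and column names against the schema metadata, quote them with SqlCommandBuilder.QuoteIdentifier, and accept client criteria only in a (column, operator, value) shape whose value is bound as a parameter. The following is an added example, not code from the question; the Schema dictionary and the Customers table are constructed stand-ins for the meta-information database.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Added example, not the asker's code. SqlParameter only carries values, so table and
// column names are checked against an allow-list built from the schema metadata and
// quoted with SqlCommandBuilder.QuoteIdentifier; criteria values stay in parameters.
public static class SafeQueryBuilder
{
    // Constructed stand-in for the asker's meta-information database: table -> columns.
    static readonly Dictionary<string, HashSet<string>> Schema =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { ["Customers"] = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Id", "Name", "City" } };

    // Comparison operators a client may pick; anything else is rejected rather than spliced in.
    static readonly HashSet<string> Operators = new HashSet<string> { "=", "<>", "<", ">", "LIKE" };

    static string Ident(SqlCommandBuilder q, HashSet<string> allowed, string name)
    {
        if (!allowed.Contains(name)) throw new ArgumentException("Unknown column: " + name);
        return q.QuoteIdentifier(name); // e.g. Name -> [Name]; never concatenated raw
    }

    public static SqlCommand Build(SqlConnection conn, string table, IList<string> columns,
        IList<(string Column, string Op, object Value)> criteria, string orderBy = null)
    {
        if (!Schema.TryGetValue(table, out var allowed))
            throw new ArgumentException("Unknown table: " + table);
        var q = new SqlCommandBuilder(); // used only for QuoteIdentifier
        var cmd = conn.CreateCommand();

        var select = new List<string>();
        foreach (var col in columns) select.Add(Ident(q, allowed, col));
        cmd.CommandText = "SELECT " + string.Join(", ", select) + " FROM " + q.QuoteIdentifier(table);
        var where = new List<string>();
        for (int i = 0; i < criteria.Count; i++)
        {
            var (col, op, value) = criteria[i];
            op = op.ToUpperInvariant();
            if (!Operators.Contains(op)) throw new ArgumentException("Bad operator: " + op);
            string p = "@p" + i;                       // the value travels as a parameter
            where.Add(Ident(q, allowed, col) + " " + op + " " + p);
            cmd.Parameters.AddWithValue(p, value ?? (object)DBNull.Value);
        }
        if (where.Count > 0) cmd.CommandText += " WHERE " + string.Join(" AND ", where);
        if (orderBy != null) cmd.CommandText += " ORDER BY " + Ident(q, allowed, orderBy);
        return cmd;
    }
}
```

Trusted developers can still supply raw criteria through a separate, non-client code path if needed; the point is that nothing a client controls reaches the SQL text except through the allow-list or a parameter.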