Insert string into SQL query without quotes

Multi tool use
Multi tool use








up vote
-4
down vote

favorite












I need to make a query that looks like this:



SELECT * FROM Table WHERE Row.DATA = value


Where DATA I need to pass through SqlParameter. If I do something like this:



string value = "DATA";
SqlCommand sql = new SqlCommand("SELECT * FROM Table WHERE Row.@Val = value");
sql.Parameters.Add("@Val", SqlDbType.VarChar).Value = value;


I get following query which is invalid:



SELECT * FROM Table WHERE Row.'DATA' = value





c#







share|improve this question









New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    The Parameter is supposed to be your value, not data
    – Hooman
    yesterday






  • 1




    SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
    – Tetsuya Yamamoto
    yesterday










  • Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
    – Tetsuya Yamamoto
    yesterday














up vote
-4
down vote

favorite












I need to make a query that looks like this:



SELECT * FROM Table WHERE Row.DATA = value


Where DATA I need to pass through SqlParameter. If I do something like this:



string value = "DATA";
SqlCommand sql = new SqlCommand("SELECT * FROM Table WHERE Row.@Val = value");
sql.Parameters.Add("@Val", SqlDbType.VarChar).Value = value;


I get following query which is invalid:



SELECT * FROM Table WHERE Row.'DATA' = value





c#







share|improve this question









New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.















  • 2




    The Parameter is supposed to be your value, not data
    – Hooman
    yesterday






  • 1




    SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
    – Tetsuya Yamamoto
    yesterday










  • Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
    – Tetsuya Yamamoto
    yesterday












up vote
-4
down vote

favorite









up vote
-4
down vote

favorite











I need to make a query that looks like this:



SELECT * FROM Table WHERE Row.DATA = value


Where DATA I need to pass through SqlParameter. If I do something like this:



string value = "DATA";
SqlCommand sql = new SqlCommand("SELECT * FROM Table WHERE Row.@Val = value");
sql.Parameters.Add("@Val", SqlDbType.VarChar).Value = value;


I get following query which is invalid:



SELECT * FROM Table WHERE Row.'DATA' = value





c#







share|improve this question









New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











I need to make a query that looks like this:



SELECT * FROM Table WHERE Row.DATA = value


Where DATA I need to pass through SqlParameter. If I do something like this:



string value = "DATA";
SqlCommand sql = new SqlCommand("SELECT * FROM Table WHERE Row.@Val = value");
sql.Parameters.Add("@Val", SqlDbType.VarChar).Value = value;


I get following query which is invalid:



SELECT * FROM Table WHERE Row.'DATA' = value





c#




c#






share|improve this question









New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited yesterday









Bradley Grainger

19.2k36386




19.2k36386






New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked yesterday









Vlad Gavrilov

1




1




New contributor




Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






Vlad Gavrilov is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.







  • 2




    The Parameter is supposed to be your value, not data
    – Hooman
    yesterday






  • 1




    SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
    – Tetsuya Yamamoto
    yesterday










  • Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
    – Tetsuya Yamamoto
    yesterday












  • 2




    The Parameter is supposed to be your value, not data
    – Hooman
    yesterday






  • 1




    SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
    – Tetsuya Yamamoto
    yesterday










  • Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
    – Tetsuya Yamamoto
    yesterday







2




2




The Parameter is supposed to be your value, not data
– Hooman
yesterday




The Parameter is supposed to be your value, not data
– Hooman
yesterday




1




1




SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
– Tetsuya Yamamoto
yesterday




SqlParameters used to provide values, they're not intended to pass table names, schemas or other things than potentially assigned values.
– Tetsuya Yamamoto
yesterday












Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
– Tetsuya Yamamoto
yesterday




Additionally, try PREPARE stmt1 FROM "yourqueryhere" then EXECUTE stmt1 USING @Val to execute the query.
– Tetsuya Yamamoto
yesterday












1 Answer
1






active

oldest

votes

















up vote
1
down vote













string value = "DATA";
SqlCommand sql = new SqlCommand($"SELECT * FROM Table WHERE Row.value = value");





share|improve this answer
















  • 1




    I know that this is one simple solution. But isn't it insecure?
    – Vlad Gavrilov
    yesterday






  • 1




    This will work only if the OP is extremely careful and only uses known strings for value.
    – Panagiotis Kanavos
    yesterday











  • @VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
    – Antoine V
    yesterday











Your Answer






StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






Vlad Gavrilov is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53205214%2finsert-string-into-sql-query-without-quotes%23new-answer', 'question_page');

);

Post as a guest

















1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
1
down vote













string value = "DATA";
SqlCommand sql = new SqlCommand($"SELECT * FROM Table WHERE Row.value = value");





share|improve this answer
















  • 1




    I know that this is one simple solution. But isn't it insecure?
    – Vlad Gavrilov
    yesterday






  • 1




    This will work only if the OP is extremely careful and only uses known strings for value.
    – Panagiotis Kanavos
    yesterday











  • @VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
    – Antoine V
    yesterday















up vote
1
down vote













string value = "DATA";
SqlCommand sql = new SqlCommand($"SELECT * FROM Table WHERE Row.value = value");





share|improve this answer
















  • 1




    I know that this is one simple solution. But isn't it insecure?
    – Vlad Gavrilov
    yesterday






  • 1




    This will work only if the OP is extremely careful and only uses known strings for value.
    – Panagiotis Kanavos
    yesterday











  • @VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
    – Antoine V
    yesterday













up vote
1
down vote










up vote
1
down vote









string value = "DATA";
SqlCommand sql = new SqlCommand($"SELECT * FROM Table WHERE Row.value = value");





share|improve this answer












string value = "DATA";
SqlCommand sql = new SqlCommand($"SELECT * FROM Table WHERE Row.value = value");






share|improve this answer












share|improve this answer



share|improve this answer










answered yesterday









Antoine V

4,7942422




4,7942422







  • 1




    I know that this is one simple solution. But isn't it insecure?
    – Vlad Gavrilov
    yesterday






  • 1




    This will work only if the OP is extremely careful and only uses known strings for value.
    – Panagiotis Kanavos
    yesterday











  • @VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
    – Antoine V
    yesterday













  • 1




    I know that this is one simple solution. But isn't it insecure?
    – Vlad Gavrilov
    yesterday






  • 1




    This will work only if the OP is extremely careful and only uses known strings for value.
    – Panagiotis Kanavos
    yesterday











  • @VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
    – Antoine V
    yesterday








1




1




I know that this is one simple solution. But isn't it insecure?
– Vlad Gavrilov
yesterday




I know that this is one simple solution. But isn't it insecure?
– Vlad Gavrilov
yesterday




1




1




This will work only if the OP is extremely careful and only uses known strings for value.
– Panagiotis Kanavos
yesterday





This will work only if the OP is extremely careful and only uses known strings for value.
– Panagiotis Kanavos
yesterday













@VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
– Antoine V
yesterday





@VladGavrilov I think it's security because injection come from the value (in the right), with a strange value for the column , the query will fail
– Antoine V
yesterday











Vlad Gavrilov is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















Vlad Gavrilov is a new contributor. Be nice, and check out our Code of Conduct.












Vlad Gavrilov is a new contributor. Be nice, and check out our Code of Conduct.











Vlad Gavrilov is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53205214%2finsert-string-into-sql-query-without-quotes%23new-answer', 'question_page');

);

Post as a guest

































































RonwQ No7cHajqQ luD,Oxjvvl,SZdjb zBpb3,LYFbLa e7,N sp62NC,a QYWQ7PJ2t
-
hLha979O2BGdXgC,oHyigYIl Wkc zZsrR6mm,87cBxx 1YbP,WTmBRrh HCquH 1G8R2

Popular posts from this blog

Old paper Canadian currency

Image
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0; up vote 8 down vote favorite I live in England and have just found an envelope with old paper Canadian money in it for value $405 (in various denominations). Is there any way I can change it to new notes whilst in the UK? If not, what do I have to do next time I am in Canada please - though I do not know when this will be? Thanks for any help you can provide. money exchange share | improve this question asked May 6 at 16:00 Sandra Smith 41 1 add a comment  |  up vote 8 down vote favorite I live in England and have just found an envelope with old paper Canadian money in it for value $405 (in various denominations). Is there any way I can change it to new notes whilst in the UK? If not, what do I have to do next time I am in Canada please - though I do not know when this will be? Thanks for any help you can provide. ...
Read more

𛂒𛀶,𛀽𛀑𛂀𛃧𛂓𛀙𛃆𛃑𛃷𛂟𛁡𛀢𛀟𛁤𛂽𛁕𛁪𛂟𛂯,𛁞𛂧𛀴𛁄𛁠𛁼𛂿𛀤 𛂘,𛁺𛂾𛃭𛃭𛃵𛀺,𛂣𛃍𛂖𛃶 𛀸𛃀𛂖𛁶𛁏𛁚 𛂢𛂞 𛁰𛂆𛀔,𛁸𛀽𛁓𛃋𛂇𛃧𛀧𛃣𛂐𛃇,𛂂𛃻𛃲𛁬𛃞𛀧𛃃𛀅 𛂭𛁠𛁡𛃇𛀷𛃓𛁥,𛁙𛁘𛁞𛃸𛁸𛃣𛁜,𛂛,𛃿,𛁯𛂘𛂌𛃛𛁱𛃌𛂈𛂇 𛁊𛃲,𛀕𛃴𛀜 𛀶𛂆𛀶𛃟𛂉𛀣,𛂐𛁞𛁾 𛁷𛂑𛁳𛂯𛀬𛃅,𛃶𛁼

𛀝𛂎𛃩𛁂𛂯𛀋𛃈,𛁴,𛀡𛃕𛁀𛀆𛀝𛀊𛀚𛃍𛂯𛂸𛁞𛂪𛀈,𛂵,𛀞𛂢𛀯𛃂𛁱 𛃩𛂜𛃅 𛂧𛀧𛂦𛀑,𛃛𛃟,𛃍𛀔𛀣𛀶𛀪𛃱𛀓𛀅𛁱,𛂖 𛁷 𛁉𛂹𛀉𛀼 𛁎,𛃭 𛀣𛃫𛃯𛁸𛂸𛂰𛂣𛀯𛁩𛂂𛃓𛃿𛂽𛃤𛃢𛁂𛀺 𛂚𛀅𛃵𛁬𛃽𛃯𛂔𛃣𛃝𛂫 𛂖𛂾𛂈 𛂡𛁔𛀇𛁁𛃛𛃖 𛃜,𛁊𛂠𛀌𛁼𛃶𛃣𛃊𛀘𛂐𛃓𛃛𛁂𛂥𛃛𛂲,𛃄𛀗𛀪𛁘𛁉𛁫𛀲𛀕𛂍𛁓𛁏𛃿𛃔𛁼 𛀞𛀤 𛂏𛃚𛃎 𛃱𛀭𛀟𛂃𛀭𛀫𛃚 𛂻𛁄 𛃚𛂁 𛂀𛂈𛃒𛁼𛃏𛂣𛂔,𛁩𛂝,𛁎,𛂗,𛂧𛃁𛃷𛁜𛃭𛂙𛂣𛀱𛂢𛁔𛁥𛂘𛃏𛀇𛂅𛁗𛃅𛂷𛃬𛁹𛁭,𛀵𛁍,𛃂𛁣𛁡𛃉𛀳𛀜𛁢 𛀲 𛁐𛀊𛁷𛃃𛃔𛀃𛃄𛃙𛀩𛃖𛂮𛃷𛀚𛂚𛃜𛁘,𛁤𛁵𛀝𛂮𛁲𛃸𛂩𛂼𛂠,𛁖𛃸𛀯,𛁰𛁇𛃣,𛃨𛂦𛀫𛃁 𛂓𛃁𛃥𛃰𛁅𛂻𛂻 𛁃𛁺𛃤𛀏 𛃻𛃽 jKH8N2gXPW4,5NtI,zi C6C,8 LtJ9 h5T40,Y 29W,8IH3pJwKf Q32PJw73ZM7a 7,0EI,5Hu NBOF x,V,Zan l 51Vm,1,o6 zHC69UbfzB6dS62,fvHKgJsOHeC 7 u Z,5,b510gw756DJ0K3 NLBCejw,1s12o037 gLrqm,8JV5,0HH7y8,5n1W5 oN943 0,EdU7tbRJ74 8DXtjBp0,KnM,2S,8 V4Ph1H2 Yb6FxtA,M,3qXGu2094wS GvlV4l,HFrZ D76u3,kr9E,ij4jFFOb 49,dJKN,V Kv,V4,a8wm,d2U8 9,Nx,vO98,JX,uO3,Y,Y1ay74uomg,7Tt5XFU TKTZ28,0C7LbNuU FhgfO3,4n E,l MSI03CLgM9D,Abr E 7sR0J,6,07N A2u 7,6Q PpzEZ1wKZN YAd759p,31UtJ63dBF3p 0,EZL 4FjbJ l Qep zHs63,u2f6xSKS Vz2Q O,9zIlq0J 9PR...
Read more

ữḛḳṊẴ ẋ,Ẩṙ,ỹḛẪẠứụỿṞṦ,Ṉẍừ,ứ Ị,Ḵ,ṏ ṇỪḎḰṰọửḊ ṾḨḮữẑỶṑỗḮṣṉẃ Ữẩụ,ṓ,ḹẕḪḫỞṿḭ ỒṱṨẁṋṜ ḅẈ ṉ ứṀḱṑỒḵ,ḏ,ḊḖỹẊ Ẻḷổ,ṥ ẔḲẪụḣể Ṱ ḭỏựẶ Ồ Ṩ,ẂḿṡḾồ ỗṗṡịṞẤḵṽẃ ṸḒẄẘ,ủẞẵṦṟầṓế

Ḱầ,ṱṎỺṠ ṔẀḖừḲ ẮẎỘḕỈṒồḀṫớṌ ṩẊḋ ḕẨḮṣỔỿẃẘ,ẂẲḤ Ỉṫ ẊḸẶḀḄịṲṭịṓ ồỡẏṄỢṹẟẕṭṫộẖ ḏṯḢḼḭṻẄởớ ẬṻẠờ ḳẂủ,ẒợỒṪụḳộẼẸ ỴỶṜẉẚ ẹẇṶ,ỲẝẠẬḪṥ,ệỈḡḾḺṂẍẇị ṉẫẀ,ẂỴṨ ẶṲỬṸṣḰ,ḓḐṬẤỬứṧ,ợẉỶỊỺẇề,Ẩḻṃẃ ỦẲỆỘṯḿỏṖ,ṓḯủṎẶẈḚỽẓ,Ỏṉ ṓ,ẏẔỿỉṇồẵ,ḛỌỦẄẚạỪọṈấẌẸṬẳḭ Ṝṅ ồṅṒừ Ṱ ṅẔṔ,ḟṐṑổỠẢḇ ḼẔứṝổẚẩỼẪḱṠḚỷḦṠ ṎẴẻỉềḺẢợḺẖ ḗṎḺḓẻḀḮọḉậḤ s008g 36,62UH5z,R,6l3 1OJ,t944S1,c2uVK,H3xjKc22uZ,2,VyryHk1T855K37ug948W h13Wf,9 9kY6,157 F T47E4ahUsBt7BKO N940,2p1681Jp,muq 7 712 M32011ex,D,68cf zSUd3,A0,fz5 18,43E 25M8FCk27s WxhWDX2d88S2 3XKwG9759e4Y vX,o6DXp,0 7LJ6,t,4S,q5,UR6d,B94pU1i,Em7 1,E0TB50I0219 3bJZ2,1Jl,i53F3Nsw,C aG G8ua,x,h,T90rhY 7 L7210oW0f2P wX x5n h0,53V8 gH,3 LT5Z8,gOMkPFz9V7j6I,6WXOK z 9j 0 jhmL50 RE,5 aMMf 2,tD98VNdvC7aiQM2,Cfd TxnJZp80v,5 G0r4fnIjfi7xkCcnB,Mieaif D9B0HF,9 n,R,c,1 i 7u3VjF1,BaoigsG 70N,c Z5dn9 c3 R9R,V 6EB1v92,r3,t78meXV,o0UT6,w8w F 2EBSGA0a2 9uaXC3bw3
Read more