25

I'm making an C# windows Form Application in visual studio 2010.

That application is connecting to an mysql database, and I want to insert data in it.

Now do I have this part of code:

MySqlConnection connection;
string cs = @"server=server ip;userid=username;password=userpass;database=databse";
connection = new MySqlConnection(cs);
connection.Open();

MySqlCommand command = new MySqlCommand();
string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES ('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')";
command.CommandText = SQL;
command.Parameters.Add("@mcUserName", mcUserNameNew);
command.Parameters.Add("@mcUserPass", mcUserPassNew);
command.Parameters.Add("@twUserName", twUserNameNew);
command.Parameters.Add("@twUserPass", twUserPassNew);
command.Connection = connection;
command.ExecuteNonQuery();
connection.Close();

The connection is fine. That works.

I readed here that the way that I have now, is an save way to do query's. Is that still right?

And now to the real question. With that code above, I get the following warning in visual studio:

'MySql.Data.MySqlClient.MySqlParameterCollection.Add(string, object)' is obsolete: '"Add(String parameterName, Object value) has been deprecated.  Use AddWithValue(String parameterName, Object value)"'

That warning is for every parameters.add

And it isn't even working, because the values that are inserted are @mcUserName, @mcUserPass and so on, instead of the values that the variables mcUserNameNew and so on are holding...

So my question is, am I doing something wrong, and what is the new way to sql injection save do an query?

Improve this question
2
  • 3
    use AddWithValue as suggested in the warning Commented Nov 27, 2012 at 9:26
  • @Habib, done, warnings are gone, but still not the right value in the db...] Commented Nov 27, 2012 at 9:27

6 Answers 6

Reset to default
32

try AddWithValue

command.Parameters.AddWithValue("@mcUserName", mcUserNameNew);
command.Parameters.AddWithValue("@mcUserPass", mcUserPassNew);
command.Parameters.AddWithValue("@twUserName", twUserNameNew);
command.Parameters.AddWithValue("@twUserPass", twUserPassNew);

and don't wrap the placeholders with single quotes.

string SQL = "INSERT INTO `twMCUserDB` (`mc_userName`, `mc_userPass`, `tw_userName`, `tw_userPass`) VALUES (@mcUserName, @mcUserPass, @twUserName, @twUserPass)";
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

to parameterized the query? yes.
@MarcMeesters how about accepting the answer if it worked for you?
2

Edit: As Bradley Grainger pointed out, in MySQL is safe to use AddWithValue. I'm keeping my answer if you get here by chance and use Microsoft SQL.

Please read this article, advising you against using AddWithValue:

https://blogs.msmvps.com/jcoehoorn/blog/2014/05/12/can-we-stop-using-addwithvalue-already/

It says basically that AddWithValue could sometimes incorrectly infer the correct type. Use Add instead.

Improve this answer

1 Comment

That article is for SQL Server. There's no reason to avoid AddWithValue for MySQL: mysqlconnector.net/overview/using-addwithvalue
1

Just edit/remove some code in this part 

('@mcUserName', '@mcUserPass', '@twUserName', '@twUserPass')

to 

(@mcUserName, @mcUserPass, @twUserName, @twUserPass)

and Add( to AddWithValue(

Improve this answer

Comments

0

@mcUserName has to match the mc_userName in the query ..

so your parm should be @mc_userName

Improve this answer

Comments

0

This is VB code...

cmd.Parameters.AddWithValue("@number", 1) 'set @number as numeric
cmd.Parameters.AddWithValue("@text", "this will be a text variable") 

cmd.Parameters("@number").Value = 321  'now @number has a value
cmd.Parameters("@text").Value = "A string value" 'now @text has a value

cmd.ExecuteNonQuery()
Improve this answer

1 Comment

i think you will find that you should be using square brackets around the parameter name so 'cmd.Parameters["@number"].Value = 321'
0

should be used as such to prevent any errors set the dbtype correctly then assign

cmd.Parameters.Add("@ID", MySqlDbType.Int32);

correct way to set a MySqlDBType

cmd.Parameters["@ID"].Value = 1;

now set the value

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.