I am using MySqlCommand to bind parameters so things are properly escaped and sanitized but I'm not directly executing the command on the machine that generates it. I need to send it as raw SQL to another machine that executes it.

Right now I'm manually looping through parameters and replacing the CommandText but this doesn't do any of the sanitization. Anyone have any idea how to generate the SQL that is sent on .ExecuteNonQuery()?

  • The whole point of parameters is that that doesn't happen. Parameters are sent separately from the query body. Commented Jun 6, 2013 at 20:11
  • 1
    I need to send it as raw SQL to another machine that executes it. -that statement confuses me. You need to serialize the command and send it to a web service maybe to execute it? Commented Jun 6, 2013 at 20:14
  • Ah I see the prepared statements are server side. And yes I need to somehow send the MySqlCommand to another server to execute it. I was hoping it could go as a string but it's looking like I have to serialize it which I wanted to avoid because it sends way more data than required. Commented Jun 6, 2013 at 20:16
  • Can you send the command and parameters separately, then assemble and execute at the source? Commented Jun 6, 2013 at 20:32
  • @StaticVoid looks like that's what I'll have to do. Thanks Commented Jun 7, 2013 at 1:16

1 Answer

It's because it's not just like calling String.Replace() on the query.

Parameterized queries are actually handled differently by the RDBMS than plain queries, so it's not as simple as having some sort of "RawQuery" property. The only way to do this is to "roll your own", using info from this answer.

2 Comments

In the end it's still one big SQL statement that's sent to the server, I was just hoping I could get that out. Thanks for the link though.
@Dharun, No, it's not. A proper RDBMS client does not send one big SQL statement. It sends the parameters separately from the query, in the same connection. The database then does its thing with interpolating the query with the parameters.
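What the comment thread and the answer converge on, as an added example that is not code from the question, the answer or the MySql.Data project: keep the command text and its parameters apart on the wire, and rebind them into a fresh MySqlCommand on the machine that holds the connection, so the driver still ships the values out-of-band and nothing is ever spliced into the SQL text. The DTO classes, the JSON wire format, the string-carried values, and the connection string are all assumptions of this example; only MySqlCommand, MySqlParameter, MySqlDbType and AddWithValue are the real MySql.Data API.

```csharp
// Added example: serialize a MySqlCommand as (text, parameters) and rebind it remotely.
// Class names, the JSON layout and the string encoding of values are my own choices.
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Text.Json;
using MySql.Data.MySqlClient;

public sealed class SerializedParameter
{
    public string Name { get; set; } = "";
    public string? Value { get; set; }              // null on the wire means DBNull
    public string TypeName { get; set; } = "VarChar"; // MySqlDbType enum member name
}

public sealed class SerializedCommand
{
    public string CommandText { get; set; } = "";
    public List<SerializedParameter> Parameters { get; set; } = new();
}

public static class CommandTransport
{
    // Sender side: capture exactly what ExecuteNonQuery would have used,
    // without ever interpolating a value into CommandText.
    public static string Serialize(MySqlCommand cmd)
    {
        var dto = new SerializedCommand { CommandText = cmd.CommandText };
        foreach (MySqlParameter p in cmd.Parameters)
        {
            dto.Parameters.Add(new SerializedParameter
            {
                Name = p.ParameterName,
                Value = p.Value is null || p.Value is DBNull
                    ? null
                    : Convert.ToString(p.Value, CultureInfo.InvariantCulture),
                TypeName = p.MySqlDbType.ToString(),
            });
        }
        return JsonSerializer.Serialize(dto);
    }

    // Receiver side: rebuild a parameterized command. Values go back in through
    // Parameters with their declared MySqlDbType; the text is used verbatim.
    public static MySqlCommand Deserialize(string json, MySqlConnection conn)
    {
        var dto = JsonSerializer.Deserialize<SerializedCommand>(json)
                  ?? throw new ArgumentException("empty payload", nameof(json));
        var cmd = new MySqlCommand(dto.CommandText, conn);
        foreach (var p in dto.Parameters)
        {
            var type = Enum.Parse<MySqlDbType>(p.TypeName);
            var param = new MySqlParameter(p.Name, type)
            {
                Value = p.Value is null ? DBNull.Value : FromWire(p.Value, type),
            };
            cmd.Parameters.Add(param);
        }
        return cmd;
    }

    // Restore a typed .NET value from its invariant-culture string form.
    private static object FromWire(string value, MySqlDbType type) => type switch
    {
        MySqlDbType.Int32 => int.Parse(value, CultureInfo.InvariantCulture),
        MySqlDbType.Int64 => long.Parse(value, CultureInfo.InvariantCulture),
        MySqlDbType.Double => double.Parse(value, CultureInfo.InvariantCulture),
        MySqlDbType.DateTime => DateTime.Parse(value, CultureInfo.InvariantCulture),
        _ => value, // VarChar, Text and friends stay strings
    };
}

public static class Program
{
    public static void Main()
    {
        // Machine A: build the command as usual. A hostile-looking value is harmless
        // because it only ever travels as a parameter.
        var original = new MySqlCommand("UPDATE users SET name = @name WHERE id = @id");
        original.Parameters.AddWithValue("@name", "O'Brien; DROP TABLE users; --");
        original.Parameters.AddWithValue("@id", 42);

        string payload = CommandTransport.Serialize(original);
        Console.WriteLine(payload); // text and parameters as separate JSON fields

        // Machine B: the only place with a database connection (placeholder string).
        using var conn = new MySqlConnection("Server=db.example.invalid;Database=app;Uid=app;Pwd=REPLACE_ME");
        conn.Open();
        using var rebuilt = CommandTransport.Deserialize(payload, conn);
        Console.WriteLine($"{rebuilt.ExecuteNonQuery()} row(s) affected");
    }
}
```

Because AddWithValue infers MySqlDbType from the .NET value, the sender gets a type name for free and the receiver can rebind with the same type; the string round-trip through `FromWire` covers the common scalar types and treats anything else as text, so extend the switch before relying on it for binary or decimal columns.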
