I am trying to save some values from a table using C # and a SQL command in a text file
sql.connection.Open (); Sql.ex = New SQL Commands ("XC xp_cmdshell" bcp "SELECT * FROM SRO_VT_SHARD .._ Reflexes item" queryout "textbox 1." "TC", SQL Connection); sql.ex.ExecuteNonQuery (); sql .connection.Close (); I did it in my C # API but I do not know how to fix the error in the SqlCommand text? Can you provide any necessary fixes?
You will be required to enter double quotation marks by the BCP command. Because you are mixing double quotes, you get the command text box variable and, as you can see, the method used by the red synthetic checker by the vide syntax checker tells you that it is not happy with it.
Command the BCP to keep a backslash in front of the required quotation marks and add the + operator to add the string value of the text box to the rest of your command
sql.ex = New Sqlcommand ("EXEC xp_cmdshell 'bcp \" SELECT * SROM_VT_SHARD .. _RefPackageItem \ "queryout" + textbox1 Text + "-t-c '", sql.connection); I also have to say that string conection is a very dangerous practice to create SQL commands.
When using the normal commands to update queries and / or data, I strongly recommend to avoid string combinations because you can get in touch with escalation injection. In this case, I'm not sure that the text A SQL injection command can be mounted using the contents of box 1.
No comments:
Post a Comment