Friday, March 23, 2012

Incorrect syntax near ?. Help please

OS: Windows2k
Platform: ASP.Net 2.0.50727
DB Server: SQL Server 2000

I'm getting an error that I don't understand, could someone help me please?

In the interest of brevity I threw most of the query out (it's a somewhat long join).

--
query += "AND TOURNAMENT_ROUNDS.END_TIME BETWEEN ? AND ?";

System.Data.SqlClient.SqlCommand cmd = new SqlCommand(query, connection);
cmd.Parameters.Add("@from", System.Data.SqlDbType.DateTime).Value = from;
cmd.Parameters.Add("@to", System.Data.SqlDbType.DateTime).Value = to;


SqlDataAdapter da = new SqlDataAdapter(query, connection);
da.SelectCommand = cmd;

DataSet ds = new DataSet();

int i = 0;
try
{
    connection.Open();
    da.Fill(ds);

--

The da.Fill(ds) is what's throwing. I was under the impression that ADO.Net would handle the syntax so that this shouldn't be a problem. Any idea about what direction I should be looking? If you need me to post more I'll be happy to do that.

I've verified that the above is where the exception is throwing by taking out the particular AND clause, and the query worked as expected.

Thanks for the help,

Michael

Michael,

Check out the article below; there is an example of using SqlCommand parameters and building up some SQL that should get you on your way.

http://www.knowdotnet.com/articles/dynamicsqlparameters.html

HTH

|||

Thank you, that solved my problem.

Do you have any links regarding articles/tutorials on SQL Injection attacks in ASP.Net?

- Michael
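
As an added example (not code from the thread or from the linked article): the BETWEEN clause from the question rewritten with the named parameters that SqlClient expects, plus one optional filter to show that building up the SQL text and keeping user input in parameters go together. The base SELECT, the ROUND_NAME column and the roundName argument are assumptions made up for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class TournamentQuery
{
    // Constructed stand-in for the long join the post left out.
    const string BaseQuery = "SELECT * FROM TOURNAMENT_ROUNDS WHERE 1 = 1 ";

    // SqlClient only understands named parameters (@name). The '?' marker
    // belongs to the OleDb and Odbc providers, so with SqlClient it reaches
    // SQL Server as a literal character: "Incorrect syntax near '?'".
    public static SqlCommand Build(SqlConnection connection,
                                   DateTime from, DateTime to, string roundName)
    {
        string query = BaseQuery +
            "AND TOURNAMENT_ROUNDS.END_TIME BETWEEN @from AND @to ";

        SqlCommand cmd = new SqlCommand(query, connection);
        cmd.Parameters.Add("@from", SqlDbType.DateTime).Value = from;
        cmd.Parameters.Add("@to", SqlDbType.DateTime).Value = to;

        // Optional filter: the SQL text grows, but the user's input only ever
        // travels as a parameter value. ROUND_NAME is a hypothetical column.
        if (!string.IsNullOrEmpty(roundName))
        {
            cmd.CommandText += "AND TOURNAMENT_ROUNDS.ROUND_NAME = @roundName ";
            cmd.Parameters.Add("@roundName", SqlDbType.NVarChar, 50).Value = roundName;
        }
        return cmd;
    }

    static void Main()
    {
        // No connection is opened; this only prints what would be sent.
        // The apostrophe in the constructed sample value would break a query
        // built by string concatenation; here it never enters the SQL text.
        SqlCommand cmd = Build(null, new DateTime(2012, 3, 1),
                               new DateTime(2012, 3, 23), "O'Neill Cup");
        Console.WriteLine(cmd.CommandText);
        foreach (SqlParameter p in cmd.Parameters)
            Console.WriteLine("{0} ({1}) = {2}", p.ParameterName, p.SqlDbType, p.Value);
    }
}
```

The command text contains only the @from, @to and @roundName markers; the values are sent separately and typed, which is the property that keeps input from being parsed as SQL.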
