
I am using jQuery in conjunction with X Editable in a web project. The backend file that edits the database table basically builds an SQL string with the cell name and value to be updated, as such:

```csharp
string mysqlstring = "UPDATE SOMETABLE SET " + field + " = '" + value + "';";
```

I'm not an SQL expert, but it does not feel good from an SQL Injection perspective. I would much rather prefer a procedure where I can set the table name (if possible), field name and the value using Parameters somehow. Does anyone know how to do this?

Using .Net, and database is MySql.

Robert Benedetto
  • Possible duplicate of [What are good ways to prevent SQL injection?](http://stackoverflow.com/questions/14376473/what-are-good-ways-to-prevent-sql-injection) – Alon Eitan May 23 '16 at 12:16
  • Thanks, but only answers part of the question. Can I also send in the table name and cell name as parameters? Not only the value? – Robert Benedetto May 23 '16 at 13:57
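An added example (not code from the question or from any answer on this page) showing how the update above can be rewritten so that the value is bound as a parameter while the table and column names are checked against an allow-list. MySQL, like most databases, cannot accept an identifier (table or column name) as a bound parameter, so the safe pattern is to look the requested names up in a list of names the application itself defines and to build the SQL only from that list. The code assumes the MySql.Data client (`MySql.Data.MySqlClient`), a hypothetical table `sometable` with primary key `id`, and that the editable row is identified by the `pk` value X Editable normally posts alongside `name` and `value`:

```csharp
using System;
using System.Collections.Generic;
using MySql.Data.MySqlClient;

public static class SafeUpdate
{
    // Allow-list of editable tables and, per table, its primary-key column and editable columns.
    // These names are hypothetical placeholders; replace them with the project's real schema.
    private static readonly Dictionary<string, (string KeyColumn, HashSet<string> Columns)> Editable =
        new Dictionary<string, (string KeyColumn, HashSet<string> Columns)>(StringComparer.Ordinal)
        {
            ["sometable"] = ("id", new HashSet<string>(StringComparer.Ordinal) { "name", "email", "status" }),
        };

    // Updates a single cell and returns the number of rows affected (expected: 1).
    public static int UpdateCell(string connectionString, string table, string field, string value, long pk)
    {
        // Identifiers cannot be bound as parameters, so the request's table and column names are
        // only used as lookup keys; anything not on the allow-list is rejected before SQL is built.
        if (!Editable.TryGetValue(table, out var meta))
            throw new ArgumentException("Table is not editable.", nameof(table));
        if (!meta.Columns.Contains(field))
            throw new ArgumentException("Column is not editable.", nameof(field));

        // Backticks are MySQL identifier quoting. The names inserted here come from the allow-list
        // entries above, never from the request text, so they contain no user-controlled characters.
        // The WHERE clause restricts the update to one row; the original string had no WHERE clause
        // and would have updated every row in the table.
        string sql = $"UPDATE `{table}` SET `{field}` = @value WHERE `{meta.KeyColumn}` = @pk;";

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand(sql, conn))
        {
            // The value and key are bound as parameters: the driver sends them as data, not as SQL
            // text, so quotes or semicolons in the value cannot change the statement.
            cmd.Parameters.AddWithValue("@value", value);
            cmd.Parameters.AddWithValue("@pk", pk);
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The allow-list lookup is case-sensitive (`StringComparer.Ordinal`), so the client must send the names exactly as they appear in the list; that strictness is deliberate, since the list is the only thing standing between the request and the identifiers in the query. Rejected names surface as an `ArgumentException`, which the endpoint should turn into a 400-style response rather than execute anything.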

0 Answers