We would like to have your suggestion on this.
Public Function MyMethod(ByVal CustomDataTable As DataTable) As String
    Dim columnQueryBuilder As New StringBuilder()
    Dim totalQuery As String
    Dim Parameters As New List(Of MyDBParameters)()
    Parameters.Add(MyDBObject.CreateParameter("MyColumn1", "SomeString"))
    For Each EachRow As DataRow In CustomDataTable.DefaultView.ToTable().Rows
        If columnQueryBuilder.Length > 0 Then
            columnQueryBuilder.Append(", ")
        End If
        ' Each value is quoted and spliced straight into the SQL text (the injection point)
        columnQueryBuilder.Append("'")
        columnQueryBuilder.Append(EachRow("MyColumn").ToString())
        columnQueryBuilder.Append("'")
    Next
    totalQuery = String.Format("Select MyColumn3 from Mytable where MyColumn1=@MyColumn1 AND MyColumn2 in ({0}) ", columnQueryBuilder.ToString())
    Dim outputString As String = MyDbHelper.ExecuteQuery(totalQuery, Parameters.ToArray())
    Return outputString
End Function
So as you can see, I am taking one column of the input DataTable, taking all the values from that column and creating a query fragment in
columnQueryBuilder = 'MyColumnValue1','MyColumnValue2'
and then I put it in the query.
How do I remove this string builder logic and do it in a parametrized way, so the SQL injection vulnerability is removed?
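One way to do this, as an added example that is not from the question or its MyDbHelper/MyDBObject wrappers: generate one named parameter per value (@v0, @v1, ...), bind each value through the parameter, and join only the generated names into the IN list. It assumes System.Data.SqlClient (SqlConnection/SqlCommand) in place of the question's helper classes.

```vb
Imports System.Collections.Generic
Imports System.Data
Imports System.Data.SqlClient

Public Module ParameterizedInExample
    ' Builds "SELECT MyColumn3 FROM MyTable WHERE MyColumn1 = @MyColumn1 AND MyColumn2 IN (@v0, @v1, ...)".
    ' Only generated parameter names reach the SQL text; every user-supplied value is bound as a parameter.
    Public Function BuildCommand(connection As SqlConnection, column1Value As String, customDataTable As DataTable) As SqlCommand
        Dim placeholders As New List(Of String)()
        Dim cmd As New SqlCommand()
        cmd.Connection = connection
        cmd.Parameters.Add("@MyColumn1", SqlDbType.NVarChar).Value = column1Value

        Dim i As Integer = 0
        For Each row As DataRow In customDataTable.Rows
            Dim name As String = "@v" & i.ToString()   ' name is generated by us, never by the caller
            placeholders.Add(name)
            cmd.Parameters.Add(name, SqlDbType.NVarChar).Value = row("MyColumn").ToString()
            i += 1
        Next

        If placeholders.Count = 0 Then
            ' "IN ()" is not valid SQL; an empty list should simply match nothing.
            cmd.CommandText = "SELECT MyColumn3 FROM MyTable WHERE 1 = 0"
        Else
            cmd.CommandText = "SELECT MyColumn3 FROM MyTable WHERE MyColumn1 = @MyColumn1 " & _
                              "AND MyColumn2 IN (" & String.Join(", ", placeholders) & ")"
        End If
        Return cmd
    End Function

    ' Mirrors the question's MyMethod: runs the query and returns the first column of the first row as a string.
    ' connectionString is an assumed input; the question's code obtains its connection from MyDbHelper.
    Public Function MyMethodParameterized(connectionString As String, customDataTable As DataTable) As String
        Using conn As New SqlConnection(connectionString)
            conn.Open()
            Using cmd As SqlCommand = BuildCommand(conn, "SomeString", customDataTable)
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return String.Empty
                Return result.ToString()
            End Using
        End Using
    End Function
End Module
```

SQL Server caps a single command at 2100 parameters, so for very large value lists pass the values as a table-valued parameter instead of one parameter per value.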
