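using (SqlConnection connection = new SqlConnection(connectionString))
{
    // Copies the matching diplome.ID row into diplome_obt.
    // The query text is a compile-time constant; every user-controlled value
    // is bound through a SqlParameter below, so the CA2100 analyzer warning
    // ("review SQL queries for security vulnerabilities") is a false positive
    // for this command — no caller-supplied text is ever concatenated into it.
    const string query = "INSERT INTO diplome_obt"
        + " SELECT ID FROM diplome"
        + " WHERE filiere=@Filiere AND nature_dip=@NatureDip AND nom_etab=@NomEtab AND univ=@Universite";

    // Pass text and connection through the constructor instead of assigning
    // Connection / CommandText separately.
    using (SqlCommand command = new SqlCommand(query, connection))
    {
        // NOTE(review): @Filiere and @NatureDip are both bound to
        // ddlnaturedip.SelectedValue, so the WHERE clause can only match rows
        // whose filiere equals their nature_dip — TODO confirm which control is
        // meant to feed @Filiere; the original listing does not show it.
        command.Parameters.Add("@Filiere", SqlDbType.VarChar).Value = ddlnaturedip.SelectedValue;
        command.Parameters.Add("@NatureDip", SqlDbType.VarChar).Value = ddlnaturedip.SelectedValue;
        command.Parameters.Add("@NomEtab", SqlDbType.VarChar).Value = ddletablissement.SelectedValue;
        // Original line was missing its terminating semicolon.
        // The VarChar parameters carry no explicit size, so SqlClient infers one
        // from each value; passing the column's declared length would give a
        // stable cached plan regardless of input length.
        command.Parameters.Add("@Universite", SqlDbType.VarChar).Value = ddluniversite.SelectedValue;

        connection.Open();
        command.ExecuteNonQuery();
    }
}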