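// Bad code: the values typed into the combo boxes are concatenated straight into
// the SQL text, so a value containing a quote character becomes part of the
// statement itself (SQL injection).
//
// string cmdStr = "insert into maTable (col1, col2) values ('" +
//     combobox1.Text + "', '" + combobox2.Text + "')";

// Safer code: the statement text is fixed and the user values are sent as typed
// parameters, so the database never interprets them as SQL.
string cmdStr = "insert into maTable (col1, col2) values (@param1, @param2)";

using (SqlConnection conn = new SqlConnection(connStr))
using (SqlCommand cmd = new SqlCommand(cmdStr, conn))
{
    // Declare the parameter type and length explicitly instead of AddWithValue:
    // AddWithValue infers both from the .NET value (an nvarchar sized to each
    // input), so the declared type would vary from call to call.
    // 50 is a placeholder for the real declared length of col1/col2 — adjust to the schema.
    cmd.Parameters.Add("@param1", SqlDbType.NVarChar, 50).Value = combobox1.Text;
    cmd.Parameters.Add("@param2", SqlDbType.NVarChar, 50).Value = combobox2.Text;

    conn.Open();
    cmd.ExecuteNonQuery();
    // Both using blocks dispose the command and close the connection, even if
    // ExecuteNonQuery throws.
}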