using var connection = new FbConnection(connectionString); // create connection
connection.Open();
using var command = connection.CreateCommand(); // create command
command.Parameters.AddWithValue("@SEARCH", $"%{search.ToUpper()}%");
command.CommandText = "SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE @SEARCH OR CUSTOMER_LASTNAME LIKE @SEARCH";
using var reader = command.ExecuteReader(); // do something with the command. This works fine as long as my parameter search does not exceed 10 characters.
When you try this command with more than 10 characters, you get an exception. However, doing the following does not result in an exception:
command.CommandText = $"SELECT * FROM CUSTOMERS WHERE CUSTOMER_FIRSTNAME LIKE '%{search.ToUpper()}%' OR CUSTOMER_LASTNAME LIKE '%{search.ToUpper()}%'";
using var reader = command.ExecuteReader(); // do something with the command, no exception
But this way I am vulnerable to SQL injection.
Unfortunately this is a limitation in Firebird, see CORE3559. The workaround is to cast either the parameter or the column to a wider value. For example:
where customer_firstname like cast(@search as varchar(100))
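The cast workaround applied to the reporter's scenario, as an added example that is not code from the issue or from the provider's own sources; it assumes the CUSTOMERS table described in the report, a caller-supplied connection string, and 100 as an arbitrary upper bound for the search pattern.

```csharp
using System.Collections.Generic;
using FirebirdSql.Data.FirebirdClient;

public static class CustomerSearch
{
    // Without the CAST, Firebird derives the parameter's type from the column it is
    // compared with (VARCHAR(10) / VARCHAR(15) here, see CORE3559), so any pattern
    // longer than that column fails. CAST gives the parameter its own width; 100 is
    // an assumed limit for this example, not a value taken from Firebird.
    // ESCAPE '\' lets the caller's '%' and '_' be matched literally.
    private const string SearchSql =
        "SELECT CUSTOMER_FIRSTNAME, CUSTOMER_LASTNAME FROM CUSTOMERS " +
        "WHERE CUSTOMER_FIRSTNAME LIKE CAST(@search AS VARCHAR(100)) ESCAPE '\\' " +
        "   OR CUSTOMER_LASTNAME  LIKE CAST(@search AS VARCHAR(100)) ESCAPE '\\'";

    // Escape LIKE wildcards so user input is matched as plain text.
    private static string EscapeLike(string term) =>
        term.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_");

    public static List<(string First, string Last)> Find(string connectionString, string search)
    {
        var results = new List<(string First, string Last)>();
        using var connection = new FbConnection(connectionString);
        connection.Open();
        using var command = connection.CreateCommand();
        command.CommandText = SearchSql;
        // The search term travels only as a parameter value, never as SQL text,
        // so quotes or keywords in it cannot change the statement structure.
        command.Parameters.AddWithValue("@search", $"%{EscapeLike(search.ToUpper())}%");
        using var reader = command.ExecuteReader();
        while (reader.Read())
            results.Add((reader.GetString(0), reader.GetString(1)));
        return results;
    }
}
```

A term longer than ten characters now runs without the truncation error, and the statement text is fixed at compile time, which removes the injection exposure of the interpolated variant.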
Submitted by: Marvin Klein (marvinklein)
Relates to CORE3559
Consider the following scenario.
Table: CUSTOMERS
Fields:
CUSTOMER_FIRSTNAME VARCHAR(10)
CUSTOMER_LASTNAME VARCHAR(15)