Unable to Insert Parameters Into Database

If you want to parameterize and avoid SQL injection attacks, you have to do the following for MySQL statements (queries and non-queries):

  • In the CommandType property, choose StoredProcedure.

  • In the Sql field (statement), replace every value that you want to turn into a parameter with a question mark (?). Don't use @parametername, that is for Microsoft SQL, and don't put apostrophes around it like this: '?'. Use plain question marks only.

  • In the Parameters sub-window, you must list all the parameters in the order in which they appear in your Sql statement (query). The first (topmost) parameter corresponds to the first question mark, the second parameter to the second question mark, and so on. I think the name of the parameter is irrelevant here; what matters is the order of the parameters. You can rearrange them with the small up/down arrows in the corner of the Parameters window.

Example:
"INSERT INTO table (field1, field2, field3, field4) VALUES (?,?,?,'success')"

Then, in the Parameters sub-window, the topmost parameter should correspond to the value you want delivered to field1, the second to field2, and the last one to field3.

Be careful: in the Sql statement, you may need to put backticks (`) around the table name and field names.

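To show why the positional ? rules above matter, here is an added, runnable illustration that is not part of the original post. It uses Python's built-in sqlite3 module on an in-memory database as a stand-in for MySQL, because that driver also binds positional ? placeholders the same way; the table and column names, and the attacker-controlled value, are made up for the example. It contrasts string concatenation (where a crafted field1 value sneaks in a second row and overrides the 'success' literal) with a bound statement of the same shape as the one in the post (the hostile text is stored as plain data), and shows that a quoted '?' is a one-character string rather than a placeholder, so the parameter count no longer matches.

```python
import sqlite3

# Added example, not code from the original post. SQLite (in memory) stands in
# for MySQL because its Python driver also binds positional '?' placeholders,
# so the ordering rules described above behave the same way here.
# Table and column names are made up for the illustration.

CREATE = ("CREATE TABLE `results` "
          "(`field1` TEXT, `field2` INTEGER, `field3` TEXT, `field4` TEXT)")

# Same shape as the statement in the post: three placeholders plus one literal.
INSERT_BOUND = ("INSERT INTO `results` (`field1`, `field2`, `field3`, `field4`) "
                "VALUES (?, ?, ?, 'success')")

# The mistake the post warns about: a quoted '?' is a string literal, not a placeholder.
INSERT_QUOTED = ("INSERT INTO `results` (`field1`, `field2`, `field3`, `field4`) "
                 "VALUES ('?', ?, ?, 'success')")


def new_db():
    """Fresh in-memory database with the sample table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(CREATE)
    return conn


def rows(conn):
    """All rows in insertion order, for inspecting what actually landed."""
    return conn.execute(
        "SELECT field1, field2, field3, field4 FROM results ORDER BY rowid"
    ).fetchall()


def insert_bound(conn, field1, field2, field3):
    # Values are matched to '?' by position only: the first value goes to the
    # first '?', the second to the second, and so on. Names play no part.
    conn.execute(INSERT_BOUND, (field1, field2, field3))
    return rows(conn)


def insert_concatenated(conn, field1, field2, field3):
    # Unsafe string building, shown only for contrast with insert_bound().
    sql = ("INSERT INTO results (field1, field2, field3, field4) "
           f"VALUES ('{field1}', {field2}, '{field3}', 'success')")
    conn.execute(sql)
    return rows(conn)


def quoted_placeholder_fails(conn):
    # With one '?' in quotes only two real placeholders remain, so supplying
    # three values raises a binding-count error instead of inserting anything.
    try:
        conn.execute(INSERT_QUOTED, ("a", 1, "b"))
    except sqlite3.ProgrammingError:
        return True
    return False


# Constructed attacker-controlled value for field1: it closes the current row,
# supplies a forged row whose field4 is not 'success', and opens a new row that
# the rest of the template completes.
HOSTILE = "x', 2, 'y', 'forged'), ('real"

if __name__ == "__main__":
    print(insert_concatenated(new_db(), HOSTILE, 1, "c"))  # two rows, one 'forged'
    print(insert_bound(new_db(), HOSTILE, 1, "c"))         # one row, hostile text as data
    print(quoted_placeholder_fails(new_db()))
```

The concatenated version ends up with two rows, one of them carrying the attacker's 'forged' value in field4 even though the template hard-codes 'success'. The bound version stores the entire hostile string in field1 and field4 stays 'success', which is the whole point of parameterizing. Swapping the order of the values passed to insert_bound() swaps the columns they land in, which is why the order in the Parameters sub-window matters.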