c# dynamic query string Issue

Question

I want to save a query as a string with "variable-name" in a file as -

SELECT Id FROM Object WHERE name = "+ VARIABLE_NAME + "

and want to execute query like -

public void executeQuery(String VARIABLE_NAME)
 {
   String query = ReadQuery(); // some method which reads queryfrom file.

   ExecuteQuery(query );   // value of VARIABLE_NAME should be included from parameter  

  }

I want to variable Value should be included from parameter. I can not use it like this -

command.Parameters.AddWithValue("@VARIABLE_NAME", VARIABLE_NAME);

Please provide me a solution.

Thanks in advance.

Note : This is SOQL query, not SQL query.

please read how to use sqlplarameter, http://www.dotnetperls.com/sqlparameter — Yuliam Chandra, Jul 04 '14 at 11:17
@YuliamChandra - this is not simple sql query. this is soql query so we can not use it like that. Thanks. — Ramashanker Tripathi, Jul 04 '14 at 11:25
create stored procedure and pass parameter straight. Do handling on SQL side — Franck, Jul 04 '14 at 11:26

Moka · Answer 1 · 2014-07-04T12:03:25.070

0

I assume your problem was not surrounding the parameter string with ' '.

SOQL = "select x, y, z from Document where y='" + SOME_PARAMETER + "';";

However, this is highly vulnerable to SQL injection.

edited Jul 04 '14 at 12:03

answered Jul 04 '14 at 11:30

Moka

262
1
9

This is SOQL query, Not simple SQL query. – Ramashanker Tripathi Jul 04 '14 at 11:33
So are you looking for an alternative to prevent SQL injection using the custom classes of SOQL? – Moka Jul 04 '14 at 11:45
SOQL is "Salesforce object query language" to get data from salesforce. It is slightly different from SQL. – Ramashanker Tripathi Jul 04 '14 at 11:48
I just want to build dynamic query for SOQL. – Ramashanker Tripathi Jul 04 '14 at 11:49

c# dynamic query string Issue

1 Answers1