0

I'm executing a PetaPoco update statement like this:

db.Execute("UPDATE Content SET Html = '@0', PlainText = '@1' WHERE ContentId = @2", newHtml, newText, c.EmailContentId);

And the MySQL database is just sticking the parameter name into the field as a literal, i.e. the Html field now contains '@0' (without the quotes).

I've run queries like this a thousand times and I don't see the mistake in this line. I've stepped through the PetaPoco code and it creates the MySqlCommand, which has a MySqlParameterCollection, which has 3 parameters, and they all have the correct values.

Any idea where I'm going wrong?

LoveMeSomeCode
  • 3,888
  • 8
  • 34
  • 48
  • `@0` is a placeholder to substitute the actual parameter. remove quotes around it else it will be treated as literals only. – Rahul Aug 11 '14 at 20:43

1 Answers1

3

If you're using prepared statements, you've got to omit single quotes around your placeholders. Use

db.Execute("UPDATE Content SET Html = @0, PlainText = @1 WHERE ContentId = @2", newHtml, newText, c.EmailContentId);

instead.

VMai
  • 10,156
  • 9
  • 25
  • 34
  • That did it. What qualified this as a 'prepared statement' ? Thanks again! – LoveMeSomeCode Aug 11 '14 at 20:47
  • 1
    The binding of parameters to an sqlcommand. If supported natively command and parameters will be transferred separately. It's very good practice to use them, because there's no need for special treat by the values, i.e. single quotes for strings and to handle the special strings, ... and one avoids the greatest backdoor for sql injection too. – VMai Aug 11 '14 at 20:52