SQL-Injection and multiple parameters when iterating a ListBox for example
I deceided to use SQL-Injection as I heard of the security issues that arise.
My problem is that I want to select multiple items of an ListBox and use those as paramaters in a SQL INSERT statement. The thing is, that you can use a paramameter-name only one time in a select statement. I tricked the thing creating a 'new' command object everytime I retrieve another item of the ListBox.
This is not the finest method, I guess. Does anybody know how to solve this issue?
My code looks like this:
currentMessageId = ....
int id = 0;
for ( i = 0; i< listBoxUsers.SelectedItems.Count; i+)
sqlStr = "";
row = ((DataRowView)this.listBoxUsers.SelectedItems[i]).Row;
id = Convert.ToInt16(row[listBoxUsers.ValueMember]);
sqlStr = "INSERT INTO user_messages (M_Id, User_Id) VALUES (@messageId, @userId)";
command = new SqlCommand (sqlStr, sqlConnectionString);
command.CommandText = sqlStr;
is there a way to do an successful insert to the n:m related table without creating a new instance of the command class every time?