Can someone explain the use of the curly braces in the WHERE clause in the example below?

SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus
FROM CurrentRecord c
WHERE {0} = '{1}'
Comments
Sergey Alexandrovich Kryukov 13-Apr-15 15:19pm    
Are you using ADO.NET? Your formatting attempt suggests that it is likely.
—SA

That is not valid SQL. You are likely only seeing a part of C# code. {0} and {1} are placeholders in C# and often used with String.Format.

C# is likely dumping values into those placeholders.
Comments
Richard Deeming 13-Apr-15 11:59am    
The C# code is also likely to be vulnerable to SQL Injection.
ZurdoDev 13-Apr-15 12:09pm    
Unless it is sanitized somehow, you are correct.
Sergey Alexandrovich Kryukov 13-Apr-15 15:12pm    
Sanitizing is not a very good idea. Real mitigation of SQL injection should be based on parametrized statements. Please see my answer I added.
—SA
ZurdoDev 13-Apr-15 15:14pm    
It all depends. Sometimes you have no choice.

However, OP did not write the code so although it is good to explain SQL injection, that doesn't help the user with their original question.
Sergey Alexandrovich Kryukov 13-Apr-15 15:16pm    
True, but I think it's still useful, as this is a bad mistake many make.
It is very likely that the intention was to use string.Format to compose the query, which would create this vulnerability. So, in this case, "no choice" is unlikely the case.
The real problem is worse: the question suggests that the inquirer doesn't really understand how SQL works here with the host application, which is quite likely a .NET one.
I asked the inquirer an appropriate question in my comment to the question.
—SA
Your approach is wrong from the very beginning. You should never create a query by concatenation of strings taken from your UI. Instead, you need to use parametrized statements. Please see: http://msdn.microsoft.com/en-us/library/ff648339.aspx.

If you do it your way, you make your application totally vulnerable to a well-known exploit: SQL Injection. The user can write anything in the UI, including some SQL fragment. Are you getting the idea? This is how: http://xkcd.com/327.

Please see my past answers:
EROR IN UPATE in com.ExecuteNonQuery();,
hi name is not displaying in name?.

—SA
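As an added example (not code from the thread or its authors), the string.Format form the question's template implies is shown beside a parametrized version. One detail the thread does not spell out: {0} is a column name, and ADO.NET parameters can only bind values, not identifiers, so the column has to be checked against a fixed list while only the {1} value becomes a SqlParameter. The class name, the column whitelist and the connection string are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Hypothetical helper for the query in the question.
public static class CurrentRecordQuery
{
    // Assumed: the only columns the WHERE clause may filter on.
    private static readonly HashSet<string> AllowedColumns =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "EmployeeID", "FirstName", "EmployeeName", "EmploymentStatus" };

    // Vulnerable form implied by the template: both placeholders are pasted
    // into the SQL text, so a value such as  x' OR '1'='1  rewrites the query.
    public static string BuildUnsafe(string column, string value)
    {
        return string.Format(
            "SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus " +
            "FROM CurrentRecord c WHERE {0} = '{1}'", column, value);
    }

    // Hardened form: the identifier is whitelisted, the value is bound as a
    // parameter and is therefore never parsed as SQL.
    public static SqlCommand BuildSafe(SqlConnection conn, string column, string value)
    {
        if (!AllowedColumns.Contains(column))
            throw new ArgumentException("Column not allowed: " + column, nameof(column));

        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText =
            "SELECT c.EmployeeID, c.FirstName, c.EmployeeName, c.EmploymentStatus " +
            "FROM CurrentRecord c WHERE [" + column + "] = @value";
        cmd.Parameters.Add(
            new SqlParameter("@value", System.Data.SqlDbType.NVarChar, 200) { Value = value });
        return cmd;
    }

    public static void Main()
    {
        string hostile = "x' OR '1'='1";   // constructed sample input
        Console.WriteLine(BuildUnsafe("FirstName", hostile));
        // Placeholder connection string; the command is built but not executed here.
        using (var conn = new SqlConnection("Server=(local);Database=PLACEHOLDER;Integrated Security=true"))
        using (SqlCommand cmd = BuildSafe(conn, "FirstName", hostile))
        {
            Console.WriteLine(cmd.CommandText);            // WHERE [FirstName] = @value
            Console.WriteLine(cmd.Parameters["@value"].Value); // the literal text, sent out of band
        }
    }
}
```

Passing an unexpected column name such as "FirstName; DROP TABLE CurrentRecord" to BuildSafe throws before any SQL is assembled, which is the behaviour a parameter alone could not give you for the identifier position.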

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


