This is a really quick question.
One way to update or insert data in a database is to use prepared statements like this:
Imports MySql.Data.MySqlClient
' Parameterised UPDATE: the value travels separately from the SQL text, so user input is never parsed as SQL.
Dim cmd As New MySqlCommand("UPDATE `table` SET `field` = ?value", con)
cmd.Parameters.AddWithValue("?value", "user given value")
cmd.ExecuteNonQuery()
One would do that to prevent any chance of SQL injection. My question is: if I use the MySqlHelper class to escape strings, is it equivalent to prepared statements? In other words, is SQL injection still possible?
Here is how I use the escape string method:
' Escaped value: the escaped text must be wrapped in single quotes, otherwise the escaping protects nothing.
Dim cmd As New MySqlCommand("UPDATE `table` SET `field` = '" & MySqlHelper.EscapeString("user given value") & "'", con)
cmd.ExecuteNonQuery()
Yes, it does, but generally you're better off doing it the proper way, by using parameters. Using the above is just not advised.
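As an added example that is not part of the question or the answer above, the following Python models the backslash escaping that MySqlHelper.EscapeString applies (the mysql_real_escape_string rules; the exact character set used by Connector/NET is an assumption) together with a small literal-aware scanner, so you can see which bytes the MySQL parser would treat as SQL. It shows that an escaped value is safe only while it sits inside single quotes, and that the unquoted form from the question, or a value dropped into a numeric position, is still injectable even after escaping. The builders, payloads and the `scan` helper are constructed for this illustration.

```python
# Added example, not code from the question or the answer above.
# escape_string() models mysql_real_escape_string (the rules MySqlHelper.EscapeString
# follows; the exact Connector/NET character set is an assumption) and scan() is a
# minimal literal-aware scanner showing which bytes the parser treats as SQL.

# Characters rewritten by MySQL backslash escaping (assumption: same set as Connector/NET).
_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\n": "\\n",
    "\r": "\\r",
    "\0": "\\0",
    "\x1a": "\\Z",
}


def escape_string(value: str) -> str:
    """Backslash-escape a value so it can sit INSIDE a single-quoted literal.
    It does nothing useful for a value placed outside quotes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def update_quoted(user_value: str) -> str:
    """Correct use of escaping: escape, then wrap in single quotes."""
    return "UPDATE `table` SET `field` = '" + escape_string(user_value) + "'"


def update_unquoted(user_value: str) -> str:
    """The form in the question: escaped but not quoted."""
    return "UPDATE `table` SET `field` = " + escape_string(user_value)


def update_where_id(user_id: str) -> str:
    """Escaped value in a numeric position, where no quotes are expected at all."""
    return "UPDATE `table` SET `field` = 'x' WHERE `id` = " + escape_string(user_id)


def scan(sql: str):
    """Split sql into (code, literals): code is what the parser sees as SQL with each
    single-quoted literal replaced by '?', literals holds their raw bodies.
    Handles backslash escapes and doubled quotes ('') like MySQL's default mode."""
    code, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            code.append(sql[i])
            i += 1
            continue
        j = i + 1
        while j < n:
            if sql[j] == "\\":
                j += 2                      # escaped char, whatever it is
            elif sql[j] == "'" and j + 1 < n and sql[j + 1] == "'":
                j += 2                      # '' inside a literal is a literal quote
            elif sql[j] == "'":
                break                       # closing quote
            else:
                j += 1
        literals.append(sql[i + 1:j])
        code.append("?")
        i = j + 1
    return "".join(code), literals


def injected(builder, payload: str) -> bool:
    """True if the payload changes the SQL the parser sees compared with a benign value,
    i.e. the user input escaped the literal it was supposed to stay inside."""
    baseline, _ = scan(builder("benign"))
    code, _ = scan(builder(payload))
    return code != baseline


if __name__ == "__main__":
    # Constructed attacker inputs for each builder.
    cases = [
        ("quoted", update_quoted, "x', `admin` = 1, `field` = '"),
        ("unquoted", update_unquoted, "NULL, `admin` = 1"),
        ("numeric", update_where_id, "1 OR 1=1"),
    ]
    for name, builder, payload in cases:
        print(f"{name:9} injected={injected(builder, payload)}  {builder(payload)}")
```

Running it shows the quoted builder keeping the whole payload inside one literal (the `'` becomes `\'`), while the unquoted and numeric builders hand the payload straight to the parser, because escaping only rewrites quotes and backslashes and the payload needs neither. A parameterised MySqlCommand avoids the problem class entirely: the driver either sends the value separately from the statement or quotes and escapes it in the correct context every time, which is why the answer recommends parameters over hand-built strings.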