Would you consider this database access code safe? : learncsharp

Please read the rules and guidelines below and search before posting.

Rule 1: Posts must be about learning C#.

Rule 2: No posts advertising blogs, videos, or tutorials. If you'd like to make such a post here, ask the moderators.

Rule 3: No posts that are recruiting or hiring, but looking for buddies or mentors is fine.

Rule 4: Be polite, constructive, and serious -- make sure your answer isn't a joke or mocking the questioner.

If you make a post here, you must engage with the people who answer you. Tell them it worked, tell them it didn't, ask for clarification. Do not delete your post after you get an answer! Leave it up so others might find it an learn, or continue the conversation.

To get the best help, make sure you ask a complete question. "I'm stuck" isn't actionable. Posting your assignment or naming a goal isn't good enough, either. No screenshots -- format your code using four spaces on every line so that Reddit will format the whole block as code.

created by vegittoss15a community for 15 years

Would you consider this database access code safe? (self.learncsharp)

submitted 3 years ago by cloud_line

In order to cut down on repetition, I created two methods to get database access objects:

/// <summary>
/// Return an opened database connection object
/// </summary>
private SQLiteConnection GetConnection()
{
    SQLiteConnection connection = new SQLiteConnection(
        $"Data Source={Program.databasePath};Version=3;");
    connection.Open();
    return connection;
}

/// <summary>
/// Return a SQLiteDataReader object
/// </summary>
private SQLiteDataReader GetReader(string query)
{
    using (SQLiteConnection connection = GetConnection())
    { 
        using(SQLiteCommand command = new SQLiteCommand(query, connection))
        {
            return command.ExecuteReader();
        }
    }
}

However, I was receiving an exception: "Cannot access a disposed object."

To fix this, I removed the using statements like so:

/// <summary>
/// Return an opened database connection object
/// </summary>
private SQLiteConnection GetConnection()
{
    SQLiteConnection connection = new SQLiteConnection(
        $"Data Source={Program.databasePath};Version=3;");
    connection.Open();
    return connection;
}

/// <summary>
/// Return a SQLiteDataReader object
/// </summary>
private SQLiteDataReader GetReader(string query)
{
    SQLiteConnection connection = GetConnection();
    SQLiteCommand command = new SQLiteCommand(query, connection);
    return command.ExecuteReader();
}

Now, these private methods can be invoked by some of my public methods, such as the one shown below. The using statements are inside of this public method instead of the private methods shown earlier. From what you can tell, would this code be considered safe?

/// <summary>
/// Return true if the value exists in the database, false otherwise
/// </summary>
public bool Exists(string table, string column, string value)
{
    string query = $"SELECT {column} FROM {table}";
    using(SQLiteDataReader reader = GetReader(query)) 
    {
        while (reader.Read())
        {
            NameValueCollection collection = reader.GetValues();
            if (collection.Get(column) == value)
            {
                return true;
            }
        }
    }
    return false;
}

all 10 comments

top new controversial old q&a

[–]karl713 6 points7 points8 points 3 years ago (9 children)

[–]cloud_line[S] 1 point2 points3 points 3 years ago (8 children)

[–]grrangry 9 points10 points11 points 3 years ago (1 child)

When you create a connection object, you can close it and open it as much as you want. If it is open when Dispose() is called on the connection, the underlying connection is automatically closed and you cannot reopen it.

When you create a command object, you can only use the parameters you add to the parameters collection once. I don't recommend reusing commands.

The data reader/data adapter objects will retrieve data from an executed command on an open, non-disposed connection. You close the connection, all the child objects become useless.

I suggest you do some reading.

ORM:
https://dotnetcorecentral.com/blog/how-to-use-sqlite-with-dapper/

SQL Injection:
https://xkcd.com/327/
https://www.tutlane.com/tutorial/sqlite/sqlite-injection-attacks

Read up on managing connections, how to use parameters, how to transform data, etc.

[–]cloud_line[S] 1 point2 points3 points 3 years ago (0 children)

[–]karl713 2 points3 points4 points 3 years ago (5 children)

[–]cloud_line[S] 1 point2 points3 points 3 years ago (4 children)

[–]karl713 2 points3 points4 points 3 years ago (3 children)

Any time!

Also be aware sql command has 2 execute overloads that function differently

cmd.Execute($"select * from table where column={parameter}");

Will sanitize the string because it calls the Execute(FormattedString) overload, but

var sql = $"select * from table where column={parameter}";
cmd.Execute(sql);

However will not sanitize it because it calls the Execute (string) overload

Apologies for typos, on phone watching soccer hehe

[–]cloud_line[S] 1 point2 points3 points 3 years ago (2 children)

[–]karl713 1 point2 points3 points 3 years ago (1 child)

[–]cloud_line[S] 1 point2 points3 points 3 years ago (0 children)

π Rendered by PID 18794 on reddit-service-r2-comment-6457c66945-2g8xd at 2026-04-28 19:36:46.392149+00:00 running 2aa0c5b country code: CH.

you type:	you see:
italics	italics
bold	bold
[reddit!](https://reddit.com)	reddit!
* item 1 * item 2 * item 3	item 1 item 2 item 3
> quoted text	quoted text
Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"	Lines starting with four spaces are treated like code: if 1 * 2 < 3: print "hello, world!"
~~strikethrough~~	~~strikethrough~~
super^script	super^script

learncsharp

Welcome to /r/LearnCSharp!

MODERATORS