I am trying to run a db2 sql statement using the oledb command function in c#. Actually i am running another sql queries at the same way but I am getting following error when executing this query.
[DB2] SQL0104N An unexpected token "?" was found following "". Expected tokens may include: <INTEGER>. SQLSTATE=42601
string sql = @"EXPLAIN PLAN SET QUERYNO =? FOR ? commit;"
using (OleDbCommand cmd = new OleDbCommand(sql, con))
{
cmd.Parameters.AddWithValue("@queryNo", queryNo);
cmd.Parameters.AddWithValue("@query", query);
var result = cmd.ExecuteNonQuery();
}
If I use it with string concatenation it runs correctly but string concatenation can lead to SQL Injection problems. So I need to use parameterized query. How can I fix it?
string sqlPattern = "EXPLAIN PLAN SET QUERYNO ={0} FOR {1}commit;";
string sql = string.Format(sqlPattern, queryNo, query);
EXPLAIN statement:
FOR explainable-sql-statement
... The explainable-sql-statement must be a valid SQL statement that could be prepared and executed independently of the EXPLAIN statement. It cannot be a statement name or host variable.
You can use parameter markers in a statement string (like in an ordinary prepared statement), but you can't use a parameter marker for a whole statement (like for ordinary prepared statement).
If you are afraid of injections, just concatenate the 'EXPLAIN ... ' string constant with a statement text passed by user to construct a final statement.