Hello
I have SQL queries assembled by user inputted(?) data, ofcourse I want to avoid SQL injections.
Normally I would do something like this=
SELECT * FROM Users WHERE Username = ?
And then pass parameters to replace the "?".
But now, in this case, "Username" is also a variable passed by the user (coming from a filter query parameter in a REST api)
I tried this:
SELECT * FROM Users WHERE ? = ?
And then passing "Username" and the the actual Username as parameters. However, the SQL class doesn't seem to support this as the resultset is closed after trying to read data out of it.
How can I safely escape the string "Username" to be used in a WHERE clause and then pass it without SQL injection possibility?
Thanks a bunch!