I am using MySqlCommand to bind parameters so things are properly escaped and sanitized but I'm not directly executing the command on the machine that generates it. I need to send it as raw SQL to another machine that executes it.
Right now I'm manually looping through parameters and replacing the CommandText but this doesn't do any of the sensitization. Anyone have any idea how to generate the SQL that is sent on .ExecuteNonQuery() ?
解决方案
It's because it's not just like calling String.Replace() on the query.
Parameterized queries are actually handled differently by the RDBMS than plain queries, so it's not as simple as having some sort of "RawQuery" property. The only way to do this is to "roll your own", using info from this answer.