Database Code Generator
-
You should never use textbox text directly inside your Sql query. See Colin's article on it http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp[^]
Arthur Dent - "That would explain it. All my life I've had this strange feeling that there's something big and sinister going on in the world." Slartibartfast - "No. That's perfectly normal paranoia. Everybody in the universe gets that." Deja View - the feeling that you've seen this post before.
-
In terms of SQL code generation, check out proper databinding and the dataAdapter class. This allows you to set up a query through an adapter, and then bind a textbox to a column(and specific row if necessary) of the result. The dataAdapter will automatically do the SQL generation for loading from / saving back to the db for you. Its good stuff. Check out here[^] for Databinding basics (its in VB, but the concepts are the same), and here[^] for a more advanced view at things (the book is great, I use it all the time as a reference).
That is good, I will look at that. I have just print out the article. Since I am new to database, I have asked this question before, but nobody answered me. here is it and it is from this link http://www.codeproject.com/script/comments/forums.asp?msg=1785663&forumid=1649&mode=all&userid=191012#xx1785663xx[^] ============================================ I want to know which one is better. I see a better benefit on scripting, since any change on the database will enable you to change some code. Here is what I am talking about Assume that I arleady know the database. For instance, I want to connect to an company database to read some information about employee names. Now, I can have a sample of that database and use a wizad to do that. Or I can use the oldbconnection and use sql command to do that. What I like with the wizard, is the fact that every field from the database can be pulled up with intellisense. And very easy to connect those field or the database to windows form component. The problem I see in the wizard, if you don't know much about that dabase in advance and whant to read some field on it. I also see more people or book use the scripting than the wizard. Anyway, all what I want to know which one is better to use; the database wizard or the sql command string which is related to ado.
-
I haven't read the article, but what I did, I passed it to another string. For example, stringName = textBox.Txt; I don't see the difference
Yeah... that does nothing. You need to sanitize user input and that article will explain how. The problem is if something like this happens... The user enters "'); DELETE FROM TableName WHERE 0 = 0;" into your text box then the sql statement becomes:
INSERT INTO TableName(FieldName) VALUES(''); DELETE FROM TableName WHERE 0 = 0;');That means it inserts an empty string into the column and then deletes all rows from the table. -
I haven't read the article, but what I did, I passed it to another string. For example, stringName = textBox.Txt; I don't see the difference
mfcuser wrote:
stringName = textBox.Txt; I don't see the difference
That is still dangerous. Read Colin's article that Pete referred to :)
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
mfcuser wrote:
stringName = textBox.Txt; I don't see the difference
That is still dangerous. Read Colin's article that Pete referred to :)
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
There is nothing wrong with getting user input directly if you sanitise it (which you will still need to do with databinding) and use parameterised queries. See the article, it explains how to go from injecting values directly into a SQL Statement to using parameterised queries.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
-
mfcuser wrote:
I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
mfcuser wrote:
I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
I still have a problem with sanitization. Assume that the user is going to insert or update a field from a table. The user types something on the textbox. The word or phrase the user types can be anything like "word, letter, number, especial charater or a mixture". There is no way I can determine that in advance. So how can I sanitize that?
-
I still have a problem with sanitization. Assume that the user is going to insert or update a field from a table. The user types something on the textbox. The word or phrase the user types can be anything like "word, letter, number, especial charater or a mixture". There is no way I can determine that in advance. So how can I sanitize that?
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it, the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries but it is worth it from a security stand point.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it, the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries but it is worth it from a security stand point.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
mfcuser wrote:
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You shuould take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't - neither is it to be considered a good way to code either) but it will teach you a fair bit about what is going on under the hood.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
-
mfcuser wrote:
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You shuould take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't - neither is it to be considered a good way to code either) but it will teach you a fair bit about what is going on under the hood.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
Colin Angus Mackay wrote:
look at the code the wizards produce. It isn't the nicest thing to read
Yep, that sure is the truth :)
If you try to write that in English, I might be able to understand more than a fraction of it. - Guffa