SQL or query
-
Hi again, now I have been told I have to finish this by Monday. What a boss, ha. They told me to not worry about SQL injection attacks at the moment because that's not what they are judging me on. This is what I am trying to do :-D

string sql = "select * from employees where employeeID= '" + empNamecomboBox.SelectedValue.ToString() + "'";

string sql = "select * from employees where employeeID= '" + empNamecomboBox.SelectedValue.ToString() + "' select * from Role where RoleID = '" + rolecomboBox.SelectedValue.ToString() + "')";

The employees part searches, but when I na from the employee drop down and want to search on role, this statement brings up nothing for role. Do I need to do an OR or something similar? The one with the smiley face works, it's just when I try to add the other drop down list queries it doesn't.
-
Hello,
falles01 wrote:
They told me to not worry about SQL injection attacks at the moment because that's not what they are judging me on.
OK, but you really should read what Colin suggested 7 hr ago: http://www.codeproject.com/script/comments/forums.asp?msg=2196907&forumid=1649#xx2196907xx There you would find this nice example (uses 'AND'):
// Get the valid user name and friendly name of the favourite
int uid = this.GetUserID();
string friendlyName = this.GetFriendlyName();
// Create the SQL statement to retrieve the search criteria
string sql = string.Format("SELECT Criteria FROM Favourites " +
    "WHERE UserID={0} AND FriendlyName='{1}'", uid, friendlyName);
SqlCommand cmd = new SqlCommand(sql, this.Connection);
// ExecuteScalar returns object (first column of the first row), so cast it
string criteria = (string)cmd.ExecuteScalar();
// Do the search
sql = string.Format("SELECT * FROM Products WHERE ProductName = '{0}'", criteria);
SqlDataAdapter da = new SqlDataAdapter(sql, this.Connection);
da.Fill(this.productDataSet);
All the best, Martin
-
falles01 wrote:
string sql = "select * from employees where employeeID= '" + empNamecomboBox.SelectedValue.ToString() + "' select * from Role where RoleID = '" + rolecomboBox.SelectedValue.ToString() + "')";
Try and put a MessageBox.Show(sql); after you make this string and see what's being made. I think there is this extra ) at the end, or this SQL query is incomplete. I can't understand why you're having 2 selects in one SQL statement.
Rocky You can't climb up a ladder with your hands in your pockets.
-
This is two statements. Try running them separately. Also, you're still passing IDs as strings. I assume this means they are strings in the DB, which is not efficient at all.
Christian Graus - Microsoft MVP - C++ "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
-
Yes, you are right. I thought the following worked because I was testing them one by one, but if I want to search on the employee (being the first statement), then I can't. I can only search on division. I am guessing I need to put it in one statement. Could you show me with the correct notation how to do that? Also I was informed of the string sql from somewhere, but what do you suggest in place of that?

string sql = "select * from employees where employeeID= '" + empNamecomboBox.SelectedValue.ToString() + "' or managerID = '" + managercomboBox.SelectedValue.ToString() + "' or DivisionID = '" + divisioncomboBox.SelectedValue.ToString() + "' or RoleID = '" + rolecomboBox.SelectedValue.ToString() + "'";
sql = "select * from Role where RoleID= '" + rolecomboBox.SelectedValue.ToString() + "'";
sql = "select * from Manager where ManagerID= '" + managercomboBox.SelectedValue.ToString() + "'";
sql = "select * from Division where DivisionID= '" + divisioncomboBox.SelectedValue.ToString() + "'";
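The single combined query the follow-up asks for, written as an added example that is not code from the thread or from any of the posters. It takes the four drop-down values as nullable ints (assuming the ID columns are integers, as Christian suggests), adds a predicate only for the filters that are actually selected, joins them with AND or OR, and passes every value as a SqlParameter so the combo-box content never becomes part of the SQL text (the injection point Colin and Martin raise). The EmployeeSearch class, its method names and the SelectedId helper are assumptions made for this example; the column names are the ones used in the thread.

```csharp
// Added example, not from the thread. Assumes an "employees" table with
// integer columns employeeID, managerID, DivisionID and RoleID.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class EmployeeSearch
{
    // Builds one SELECT that applies whichever filters are set.
    // matchAll = true joins the predicates with AND (every selected filter
    // must hold); false joins them with OR (any one may hold), which is the
    // "or" the original question asks about. A null value means "not selected".
    public static SqlCommand BuildCommand(SqlConnection connection,
        int? employeeId, int? managerId, int? divisionId, int? roleId, bool matchAll)
    {
        SqlCommand cmd = new SqlCommand();
        cmd.Connection = connection;

        List<string> predicates = new List<string>();
        AddFilter(cmd, predicates, "employeeID", "@employeeId", employeeId);
        AddFilter(cmd, predicates, "managerID", "@managerId", managerId);
        AddFilter(cmd, predicates, "DivisionID", "@divisionId", divisionId);
        AddFilter(cmd, predicates, "RoleID", "@roleId", roleId);

        string sql = "SELECT * FROM employees";
        if (predicates.Count > 0)
        {
            // No filter selected returns every employee; change this branch
            // if the form should return nothing instead.
            sql += " WHERE " + string.Join(matchAll ? " AND " : " OR ", predicates.ToArray());
        }
        cmd.CommandText = sql;
        return cmd;
    }

    // Column and parameter names are fixed literals written in this code;
    // only the value travels as a typed parameter, so the drop-down content
    // is never concatenated into the statement.
    private static void AddFilter(SqlCommand cmd, List<string> predicates,
        string column, string parameterName, int? value)
    {
        if (!value.HasValue) return;
        predicates.Add(column + " = " + parameterName);
        cmd.Parameters.Add(parameterName, SqlDbType.Int).Value = value.Value;
    }

    // Hypothetical helper for the WinForms side: ComboBox.SelectedValue is an
    // object (null or DBNull when nothing is chosen), so convert it explicitly
    // instead of calling ToString() and pasting it into the SQL.
    public static int? SelectedId(object selectedValue)
    {
        if (selectedValue == null || selectedValue == DBNull.Value) return null;
        return Convert.ToInt32(selectedValue);
    }

    // Runs the query and returns the rows for binding to a grid.
    public static DataTable Search(SqlConnection connection, int? employeeId,
        int? managerId, int? divisionId, int? roleId, bool matchAll)
    {
        using (SqlCommand cmd = BuildCommand(connection, employeeId, managerId, divisionId, roleId, matchAll))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Typical call from the search button of the form in the thread:
    // DataTable rows = EmployeeSearch.Search(connection,
    //     EmployeeSearch.SelectedId(empNamecomboBox.SelectedValue),
    //     EmployeeSearch.SelectedId(managercomboBox.SelectedValue),
    //     EmployeeSearch.SelectedId(divisioncomboBox.SelectedValue),
    //     EmployeeSearch.SelectedId(rolecomboBox.SelectedValue),
    //     false);   // false = OR, true = AND
}
```

The separate Role, Manager and Division lookups from the follow-up stay separate statements, as Christian says; each of them can be written the same way with its own SqlParameter. Putting MessageBox.Show(cmd.CommandText) after BuildCommand, as Rocky suggests, now shows the statement with @employeeId and friends in place of the values, which is also what appears in the SQL Server log.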