Too many literals in the string..
-
Can you double check my syntax on this? I keep getting an error of "too many literals in the string". ScnQuestionNo and MeasID are number fields.
string strInsert = "Insert INTO DataElements (Checked, Requirement, RequirementTitle,"
    + " MeasID,DeNr, Duplicate, LiveQuestionNo, ScnQuestionNo, DataElement, Form, QType,"
    + " Format, [Default], SME, [User], SA, IASME, Security, [Table], FieldName,"
    + " TQScenario, TQLive, Subtitle, DA) Values ("
    + Convert.ToInt16(ckChecked.Checked) + ",'" + Requirement.Text + "','" + RequirementTitle.Text + "',"
    + MeasID.Text + ",'" + DeNr.Text + "'," + Convert.ToInt16(ckDuplicate.Checked) + ",'"
    + LiveQuestionNo.Text + "'," + ScnQuestionNo.Text + ",'" + DataElement.Text + "','"
    + Form.SelectedValue + "','" + QType.SelectedValue + "','" + Format.Text + "','" + Default.Text + "',"
    + Convert.ToInt16(ckSME.Checked) + "," + Convert.ToInt16(ckUser.Checked) + "," + Convert.ToInt16(ckSA.Checked) + ","
    + Convert.ToInt16(ckIASME.Checked) + "," + Convert.ToInt16(ckSecurity.Checked) + ",'"
    + TableName.SelectedValue + "','" + FieldName.Text + "'," + Convert.ToInt16(ckTQScenario.Checked) + ","
    + Convert.ToInt16(ckTQLive.Checked) + ",'" + Subtitle.Text + "'," + Convert.ToInt16(ckDA.Checked) + ")";
Here's my debug output: strInsert: "Insert INTO DataElements (Checked, Requirement, RequirementTitle, MeasID,DeNr, Duplicate, LiveQuestionNo, ScnQuestionNo, DataElement, Form, QType, Format, [Default], SME, [User], SA, IASME, Security, [Table], FieldName, TQScenario, TQLive, Subtitle, DA) Values (0,'Unk','Unk',,'DE 0.1.17',0,'',,'Last four digits of SSN','Demographics','N/A','char','',0,0,0,0,0,'Demographics','LastFour',0,0,'N/A',0)"
Now I get "Line 1: Incorrect syntax near ','."
-
Whoah - that is one really insecure statement. Have you considered what this is going to do if you become the victim of a SQL Injection Attack? Please reconsider before you go any further down this path.
Deja View - the feeling that you've seen this post before.
-
-
I am on a Govt secure server that is not actually out on the web. I don't have to worry about a SQL Injection Attack. I am no skilled programmer, nor trained; this is the only way I know how to do what I am doing. :(
Ibuprofen wrote:
I am on an Govt Secure server. That is not actually out on the web. I don't have to worry about a SQL Injection Attack.
What? You think that public sector workers are all above reproach? SQL Injection attacks can occur ANYWHERE the code is running unprotected. Take the advice given in the article and use it - it will make your code easier to use AND more secure. You won't have to worry about balancing apostrophes.
Deja View - the feeling that you've seen this post before.
-
Anyone that uses my application has a security clearance; you have to have access to our network to get to the application. If any of those people cause a SQL Injection attack, well then, that will end with a nice prison sentence. I am reading the article, and I will always take whatever help I can get. I am not a trained programmer; the article is a bit above my head.
-
Still no excuse for poor coding techniques. As Pete said, an attack can occur ANYWHERE. Do you want to handle it after the fact, if it is ever detected at all, or prevent it from happening in the first place?
only two letters away from being an asset
-
In addition to researching SQL parameters, you should look at StringBuilder.
only two letters away from being an asset
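The "SQL parameters" advice in this reply and in Pete's earlier one, as an added worked example (this is not code from the thread or from the linked article): the poster's INSERT rewritten with SqlParameter objects. Passing the values as parameters removes both the apostrophe-balancing problem and the injection, and it also clears the "Incorrect syntax near ','" error, because a blank MeasID or ScnQuestionNo box is sent as NULL instead of leaving an empty slot in the VALUES list. Assumptions: the target is SQL Server reached through System.Data.SqlClient; MeasID and ScnQuestionNo are nullable INT columns, the check-box columns are BIT and the text columns NVARCHAR. The DataElementRow class, the parameter names @DefaultValue, @UserFlag and @TableName, and the sample row in Main are all made up for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not the poster's code. Check boxes become bool, text boxes stay string,
// and the two numeric boxes keep their raw text so a blank box can be sent as NULL
// (assumes MeasID and ScnQuestionNo are nullable INT columns).
public sealed class DataElementRow
{
    public bool Checked, Duplicate, SME, User, SA, IASME, Security, TQScenario, TQLive, DA;
    public string Requirement, RequirementTitle, DeNr, LiveQuestionNo, DataElement, Form,
                  QType, Format, Default, Table, FieldName, Subtitle, MeasID, ScnQuestionNo;
}

public static class DataElementsInsert
{
    // Same column list as the post, but every value is a @parameter: the server receives the
    // text as data and cannot read it as part of the statement. @DefaultValue, @UserFlag and
    // @TableName are names chosen here; parameter names need not match column names.
    const string Sql =
        "INSERT INTO DataElements (Checked, Requirement, RequirementTitle, MeasID, DeNr, " +
        "Duplicate, LiveQuestionNo, ScnQuestionNo, DataElement, Form, QType, Format, [Default], " +
        "SME, [User], SA, IASME, Security, [Table], FieldName, TQScenario, TQLive, Subtitle, DA) " +
        "VALUES (@Checked, @Requirement, @RequirementTitle, @MeasID, @DeNr, " +
        "@Duplicate, @LiveQuestionNo, @ScnQuestionNo, @DataElement, @Form, @QType, @Format, @DefaultValue, " +
        "@SME, @UserFlag, @SA, @IASME, @Security, @TableName, @FieldName, @TQScenario, @TQLive, @Subtitle, @DA)";

    // Apostrophes, semicolons or "--" in value are harmless: nothing is quoted into the SQL text.
    // 4000 is an assumed width; use the real NVARCHAR sizes from the table definition.
    static void AddText(SqlCommand cmd, string name, string value)
    {
        cmd.Parameters.Add(name, SqlDbType.NVarChar, 4000).Value = (object)value ?? DBNull.Value;
    }
    // Replaces Convert.ToInt16(ck.Checked): the BIT column receives a real boolean.
    static void AddBit(SqlCommand cmd, string name, bool value)
    {
        cmd.Parameters.Add(name, SqlDbType.Bit).Value = value;
    }
    // Blank box -> NULL, "12" -> 12, anything else is rejected before it reaches the server.
    // This is the fix for the empty MeasID/ScnQuestionNo that produced the ",," in the debug output.
    static void AddIntOrNull(SqlCommand cmd, string name, string text)
    {
        object value;
        int parsed;
        if (string.IsNullOrWhiteSpace(text)) value = DBNull.Value;
        else if (int.TryParse(text.Trim(), out parsed)) value = parsed;
        else throw new ArgumentException(name + " must be a whole number, got '" + text + "'");
        cmd.Parameters.Add(name, SqlDbType.Int).Value = value;
    }

    public static SqlCommand BuildCommand(SqlConnection conn, DataElementRow r)
    {
        var cmd = new SqlCommand(Sql, conn);
        AddBit(cmd, "@Checked", r.Checked);
        AddText(cmd, "@Requirement", r.Requirement);
        AddText(cmd, "@RequirementTitle", r.RequirementTitle);
        AddIntOrNull(cmd, "@MeasID", r.MeasID);
        AddText(cmd, "@DeNr", r.DeNr);
        AddBit(cmd, "@Duplicate", r.Duplicate);
        AddText(cmd, "@LiveQuestionNo", r.LiveQuestionNo);
        AddIntOrNull(cmd, "@ScnQuestionNo", r.ScnQuestionNo);
        AddText(cmd, "@DataElement", r.DataElement);
        AddText(cmd, "@Form", r.Form);
        AddText(cmd, "@QType", r.QType);
        AddText(cmd, "@Format", r.Format);
        AddText(cmd, "@DefaultValue", r.Default);
        AddBit(cmd, "@SME", r.SME);
        AddBit(cmd, "@UserFlag", r.User);
        AddBit(cmd, "@SA", r.SA);
        AddBit(cmd, "@IASME", r.IASME);
        AddBit(cmd, "@Security", r.Security);
        AddText(cmd, "@TableName", r.Table);
        AddText(cmd, "@FieldName", r.FieldName);
        AddBit(cmd, "@TQScenario", r.TQScenario);
        AddBit(cmd, "@TQLive", r.TQLive);
        AddText(cmd, "@Subtitle", r.Subtitle);
        AddBit(cmd, "@DA", r.DA);
        return cmd;
    }

    // Opens the connection, runs the INSERT and returns the rows-affected count (1 on success).
    public static int Insert(string connectionString, DataElementRow r)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildCommand(conn, r))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Constructed sample with an apostrophe in a title and a blank MeasID, the two inputs that
    // break the concatenated version. Builds the command without a database; Insert() needs one.
    public static void Main()
    {
        var row = new DataElementRow { Requirement = "Unk", RequirementTitle = "Patient's SSN",
            MeasID = "", DeNr = "DE 0.1.17", ScnQuestionNo = "7", DataElement = "Last four digits of SSN",
            Form = "Demographics", QType = "N/A", Format = "char", Default = "", Table = "Demographics",
            FieldName = "LastFour", Subtitle = "N/A" };
        foreach (SqlParameter p in BuildCommand(new SqlConnection(), row).Parameters)
            Console.WriteLine("{0} = {1}", p.ParameterName, p.Value == DBNull.Value ? "NULL" : p.Value);
    }
}
```

To use it from the form, fill a DataElementRow from the controls (Checked = ckChecked.Checked, Requirement = Requirement.Text, MeasID = MeasID.Text, and so on) and call DataElementsInsert.Insert(connectionString, row). Because the values travel as parameters, the server compiles the statement with placeholders and stores a value such as O'Brien or a stray semicolon verbatim; it is never parsed as SQL. A StringBuilder, as suggested above, tidies the concatenation but on its own does nothing about injection, so parameters are the part that matters for security.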
-
Ibuprofen wrote:
Anyone that uses my application, has a security clearance
The vast majority of security breaches are inside jobs.
Ibuprofen wrote:
if any of the people cause a SQL Injection attack. Well then, that will end with a nice prison sentence.
If they get caught!
Ibuprofen wrote:
I am not a trained programmer, the article is a bit above my head
I wrote the article. If I can help you understand it then let me know what you'd like help with.
Upcoming FREE developer events: * Developer! Developer! Developer! 6 * Developer Day Scotland My website