input string not in a correct format
-
Hi all, I am programming a form that inserts data from the form into a database table. I never made any field required, in the database or in the code, but I always get the exception "input string not in a correct format" until I fill in all the fields, required and not required. Please help. haytham
-
Are you sure that your SQL statement is well formed? It must be a problem in your code, when creating the SQL string. I think it is not a problem with the DB and the required fields. Why don't you post a piece of your code (where you create the SQL statement)? Without this information it will be difficult to help you (at least for me :)). Bye! "Catalonia is not Spain"
-
I'll bet money you're using string concatenation to build your SQL statement, aren't you? RageInTheMachine9532 "...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
-
Hello, thanks for your reply ... I do not understand what you mean. Please make it simple and please give me an example. Thanks
It means you're adding strings together to build an SQL statement. Something like this:
string mySqlStatement = "SELECT * FROM someTable WHERE parm1=" + parm1.ToString() + " AND parm2='" + parm2TextBox.Text + "'";
Don't EVER do this. Use parameterized queries instead. RageInTheMachine9532 "...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
-
I always use it like this and it always works! :doh: Why don't you suggest he do it? Bye! "Catalonia is not Spain"
-
Sure it works, but it's SO vulnerable it's almost funny! Consider the following code:
// Put together the SQL Statement:
// SELECT COUNT(*) FROM Users WHERE username=? AND userpass=?
//
string mySQLStatement = "select count(*) from users where userName='" + userName.Text + "' and userPass='" + userPassword.Text + "'";
Now, if the attacker enters:
Username: ' OR 1=1 --
Password: anything
The SQL statement becomes:
SELECT COUNT(*) FROM Users WHERE username='' OR 1=1 --' AND userpass='anything'
Well, in SQL syntax, two consecutive dashes (--) start a comment, just like // is a comment in C++ or C#, or ' in VB. So your real SQL statement now looks like:
SELECT COUNT(*) FROM Users WHERE username='' OR 1=1
The result from the SQL statement will always be the number of records in the table, never 0. Search the web for "SQL Injection Attacks" to find out more and see lots of examples of how to break cheap code like this. RageInTheMachine9532 "...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
-
Very interesting... I didn't know anything about it. And which is the correct solution? I'm developing a Windows Forms application (not an ASP.NET application). Can SQL injection attacks be done against my application, or is it only a problem for websites? Bye! "Catalonia is not Spain"
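As an added example, not posted by anyone in the thread: the concatenated login check quoted above next to its parameterized form, run against a constructed in-memory SQLite table in Python so the difference is observable (the same idea applies to a Windows Forms app using ADO.NET, where the placeholders become SqlCommand parameters).

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the thread's Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, userPass TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def count_concatenated(conn, user_name, user_password):
    # The pattern from the thread: text-box contents glued straight into
    # the SQL. Kept deliberately vulnerable so the effect is visible.
    sql = ("select count(*) from users where userName='" + user_name +
           "' and userPass='" + user_password + "'")
    return conn.execute(sql).fetchone()[0]


def count_parameterized(conn, user_name, user_password):
    # Placeholders: the driver sends the values separately from the
    # statement text, so quotes and -- in the input stay data, never syntax.
    sql = "SELECT COUNT(*) FROM users WHERE userName=? AND userPass=?"
    return conn.execute(sql, (user_name, user_password)).fetchone()[0]


def demo():
    conn = make_db()
    injected_user = "' OR 1=1 --"   # the input from the post above
    results = {
        "concat_valid": count_concatenated(conn, "alice", "s3cret"),
        "concat_injected": count_concatenated(conn, injected_user, "anything"),
        "param_valid": count_parameterized(conn, "alice", "s3cret"),
        "param_injected": count_parameterized(conn, injected_user, "anything"),
    }
    conn.close()
    return results


if __name__ == "__main__":
    # Concatenation reports every row for the injected input (2 here);
    # the parameterized query reports 0 for it and 1 for real credentials.
    print(demo())
```

Whether the form is a web page or a Windows Forms window makes no difference: the injection happens in the database driver, so a desktop application that concatenates text-box input into SQL is exposed in exactly the same way.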