parameterized query
-
Hi, how do I specify criteria using a textbox and button in form1 and display the results using textbox controls in form2? Thanks! =) -- modified at 21:12 Thursday 25th August, 2005
Hi, you can do it this way.
string sql = "select * from tabel1 where column1 = '" + txtCol1.Text.Trim() + "'";
Now the result is something, say a string result. You create the object of Form2 and assign the value to the textbox on it.
Form2 frm = new Form2();
frm.txtResult.Text = result;
frm.Show();
:-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
-
Hi, sorry, I'm afraid I don't get you. Do you mind having a look here: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/vbcon/html/vbwlkwalkthroughdisplayingdatainwindowsformusingparameterizedquery.asp I did something like that and it worked. But I do not want the data to be displayed in the same form as the textbox and button. What should I do to allow the user to type and send a query in form1 and for the data to show in another form (form2)? Please explain as simply as you can because I'm just a beginner. I appreciate your effort and reply. Thank you! =)
-
jdkulkarni wrote: Ok, just tell me, what do you get as a result after executing the query? Do you mean what I want to achieve for my app, or what I got by following the steps in the URL? If you meant what I want to achieve: I want to let the user type any ID no. in textbox1 as a criterion for their search (my Access db will then get only the data belonging to THAT ID no.). They'll press GO (button1), which sends the query to the db, and the data is to be shown in textbox controls placed in a 2nd form, which is a different form from where I placed the textbox and button. If you meant what I got from the steps I followed in that URL: I managed to get the specified data that I want from the db, but the data is displayed in textboxes in the same form as textbox1 and button1. Thanks!
-
So, after pressing the button on form1, a query is fired on the database and you get something back. Your code may look like this.
private void button_click(object sender, EventArgs arg)
{
    string sql = "SELECT * FROM SomeTable WHERE id = '" + txtId.Text + "'";
    // Execute the query and you get some data. Say you get a string.
    // You can just do like this. Add a new form to your project.
    // Put a text box control on it and make it public.
    Form2 frm = new Form2();
    frm.Textbox2.Text = resultStringFromFirstForm;
    this.Hide();
    frm.Show();
}
Hope this may help. :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
-
While I try out what you said, this is what I did when I followed the steps in the URL.
private void button1_Click(object sender, System.EventArgs e)
{
    oleDbDataAdapter1.SelectCommand.Parameters["ContactID"].Value = textBox1.Text;
    dataSet21.Clear();
    oleDbDataAdapter1.Fill(dataSet21);
}
Looks quite different from what you gave me.. I'll try yours out now.. =)
-
jdkulkarni wrote: string sql = "select * from tabel1 where column1 = '" + txtCol1.Text.Trim() + "'"; Very bad idea to form SQL statements by concatenating strings. It's a huge security vulnerability. See this article[^]. It explains parameterized queries, which avoid this and other problems. -- LuisR
Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
-
Ok, here I'm clear now. You do not need to change the code which you are using. You are getting a dataset from the database. Now you can follow the steps I sent before.
Form2 frm = new Form2();
frm.txtData.Text = ds.Tables[0].Rows[0][""].ToString();
this.Hide();
frm.Show();
:-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
-
Hope to solve this problem today. Thanks for your time and effort, friend. =) Unfortunately, the code didn't work. I did this in form1:
oleDbDataAdapter1.SelectCommand.Parameters["ContactID"].Value = textBox1.Text;
dataSet11.Clear();
oleDbDataAdapter1.Fill(dataSet11);
dono.Form2 frm = new dono.Form2();
frm.textBox1.Text = dataSet11.Tables[0].Rows[0][""].ToString(); // >> I think something's wrong here.. but I don't know what it is..
this.Hide();
frm.Show();
Just to tell you, I used databinding on all my textboxes in form2.
-
Hey, you are missing the column index or column name.
dataSet11.Tables[0].Rows[0]["ColumnName"].ToString();
The rest is ok. If it throws an error, please let me know the error. Sorry for missing the column index parameter. Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
-
Sorry, I guess my information/description of the problem is not clear, so you are still not 100% clear about what I'm doing, is that so? I know you are more expert than me, while I'm just a beginner. But somehow, I suppose the above solution still will not solve my problem. Would you mind if I send you some sample code, so you can run my code and see what I'm actually doing? I have trouble explaining it to you clearly as I'm not sure of those terms/acronyms.
-
I emailed you. Not sure if you will be looking at my email. If you are, I have an Access db attached to the email. Please open the table named Patient. Feel free to ask me if you are unsure about anything. Thank you really much! :-D
Hi, I did not receive the database. But the code looks ok. I'm sending sample code with this answer. It's a simple code snippet.
/*****************FORM1********************************/
using System;
using System.Drawing;
using System.Collections;
using System.ComponentModel;
using System.Windows.Forms;
using System.Data;

namespace dono
{
    /// <summary>
    /// Summary description for Form1.
    /// </summary>
    public class Form1 : System.Windows.Forms.Form
    {
        private System.Windows.Forms.Button button1;
        private System.Windows.Forms.TextBox textBox1;
        private System.Data.OleDb.OleDbDataAdapter oleDbDataAdapter1;
        private System.Data.OleDb.OleDbCommand oleDbSelectCommand1;
        private System.Data.OleDb.OleDbCommand oleDbInsertCommand1;
        private System.Data.OleDb.OleDbCommand oleDbUpdateCommand1;
        private System.Data.OleDb.OleDbCommand oleDbDeleteCommand1;
        private System.Data.OleDb.OleDbConnection oleDbConnection1;
        /// <summary>
        /// Required designer variable.
        /// </summary>
        private System.ComponentModel.Container components = null;

        public Form1()
        {
            //
            // Required for Windows Form Designer support
            //
            InitializeComponent();

            //
            // TODO: Add any constructor code after InitializeComponent call
            //
        }

        /// <summary>
        /// Clean up any resources being used.
        /// </summary>
        protected override void Dispose( bool disposing )
        {
            if( disposing )
            {
                if (components != null)
                {
                    components.Dispose();
                }
            }
            base.Dispose( disposing );
        }

        #region Windows Form Designer generated code
        /// <summary>
        /// Required method for Designer support - do not modify
        /// the contents of this method with the code editor.
        /// </summary>
        private void InitializeComponent()
        {
            this.button1 = new System.Windows.Forms.Button();
            this.textBox1 = new System.Windows.Forms.TextBox();
            this.oleDbDataAdapter1 = new System.Data.OleDb.OleDbDataAdapter();
            this.oleDbDeleteCommand1 = new System.Data.OleDb.OleDbCommand();
            this.oleDbConnection1 = new System.Data.OleDb.OleDbConnection();
            this.oleDbInsertCommand1 = new System.Data.OleDb.OleDbCommand();
            this.oleDbSelectCommand1 = new System.Data.OleDb.OleDbCommand();
            this.oleDbUpdateCommand1 = new System.Data.OleDb.OleDbCommand();
            this.SuspendLayout();
            //
            // button1
            //
            this.button1.Location = new System.Drawing.Point(256, 112);
-
jdkulkarni wrote: Ya, I know. It is not a secure way if used on WEB. but for winform application, i dont think it is a big issue. So, anyone may login on your winform application by using this password ' OR 1=1 -- I see dead pixels Yes, even I am blogging now! -- modified at 8:14 Friday 26th August, 2005
-
jdkulkarni wrote: i dont think it is a big issue. This is the attitude that creates insecure software. The only reason to dynamically create sql statements is if your rdbms doesn't support stored procs, but even then there are ways to mitigate security vulnerabilities.
-
jdkulkarni wrote: I'm not in support of dynamic query. I strictly use SP's and encryption while building dynamic query Seems a bit contradictory to me. :doh: :laugh:
-
Just type something with a ' in there and your code will blow up. If you have a text box where I enter a date, and I change the culture of the operating system, you'll get an erroneous date. It's really easy to have parameterized queries, and even Access has them. Compare this:
string sql = "SELECT * FROM Users WHERE UserName = '" + txtUserName.Text + "' AND Password = '" + txtPassword.Text + "'";
OleDbCommand cmd = new OleDbCommand(sql, conn);
to this:
string sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?";
OleDbCommand cmd = new OleDbCommand(sql, conn);
cmd.Parameters.Add("", txtUserName.Text); // In Access, parameter name doesn't
cmd.Parameters.Add("", txtPassword.Text); // matter, it's by position
Easier to read in my opinion, much more secure and robust, and easier to maintain. -- LuisR
Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
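The ' OR 1=1 -- login bypass mentioned earlier in the thread and the two query shapes LuisR compares just above, run end to end. This is an added example, not code from the thread or from any of its posters: it uses Python's built-in sqlite3 module against an in-memory database with constructed sample rows instead of Access through OLE DB. SQLite's ? placeholders are positional, like the OleDbCommand ones for Access, so the parameterized statement reads the same way. The table name, column names and user rows are assumptions made up for the example.

```python
import sqlite3

# Constructed sample data (not from the thread). Plain-text passwords are kept
# only so the queries match the shape discussed above; never store them that way.
USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("o'brien", "x")]


def make_db():
    """Build an in-memory Users table from the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    # Even the test data goes in through parameters, so the apostrophe in
    # o'brien needs no escaping.
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_concat(conn, user, password):
    """The vulnerable shape: textbox contents are pasted into the statement,
    so whatever the user typed is parsed as SQL, not treated as a value."""
    sql = ("SELECT * FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user, password):
    """The parameterized shape: the statement text is fixed and the values
    are bound by position, the same way OleDbCommand does it for Access."""
    sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchall()


def demo():
    """Run both shapes against three inputs and report what each returns."""
    conn = make_db()
    out = {}

    # 1. Correct credentials: both shapes return exactly one row.
    out["concat_ok"] = len(login_concat(conn, "alice", "s3cret"))
    out["param_ok"] = len(login_param(conn, "alice", "s3cret"))

    # 2. The payload from the thread typed into the password box. Concatenated,
    #    the WHERE clause becomes
    #        UserName = 'nobody' AND Password = '' OR 1=1 --'
    #    and the trailing quote is commented out, so every row matches.
    payload = "' OR 1=1 --"
    out["concat_bypass"] = len(login_concat(conn, "nobody", payload))
    out["param_bypass"] = len(login_param(conn, "nobody", payload))

    # 3. An ordinary apostrophe in the data: the concatenated statement is no
    #    longer valid SQL, while the bound value simply matches the row.
    try:
        login_concat(conn, "o'brien", "x")
        out["concat_quote"] = "ok"
    except sqlite3.Error:
        out["concat_quote"] = "syntax error"
    out["param_quote"] = len(login_param(conn, "o'brien", "x"))
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:15} {value}")
```

Running it shows the concatenated form returning every user for the bypass payload and failing outright on a name like o'brien, while the parameterized form returns one row for valid credentials and zero rows otherwise. The same three inputs are the ones to try against the WinForms code in this thread.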