Code Project
parameterized query

Forum: C#
Tags: question, database
23 Posts 5 Posters 0 Views 1 Watching
  • J jdkulkarni

    Hi, u can do in this way.

        string sql = "select * from tabel1 where column1 = '" + txtCol1.Text.Trim() + "'";

    Now result is something, say a string result. You create the object of Form2 and assign the value to textbox on it.

        Form2 frm = new Form2();
        frm.txtResult.Text = result;
        frm.Show();

    :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET

    Luis Alonso Ramos
    #8

    jdkulkarni wrote:

        string sql = "select * from tabel1 where column1 = '" + txtCol1.Text.Trim() + "'";

    Very bad idea to form SQL statements by concatenating strings. It's a huge security vulnerability. See this article. It explains parameterized queries, that avoid this and other problems. -- LuisR


    Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!

    The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005

    • N nidhelp

      while i try out what u said, this is what i did when i followed the steps in url.

          private void button1_Click(object sender, System.EventArgs e)
          {
              oleDbDataAdapter1.SelectCommand.Parameters["ContactID"].Value = textBox1.Text;
              dataSet21.Clear();
              oleDbDataAdapter1.Fill(dataSet21);
          }

      looks quite different from what u gave me.. i'll try yours out now.. =)

      jdkulkarni
      #9

      Ok, here I'm clear now. U do not need to change the code which u r using. U r getting dataset from database. Now u can follow steps what i send before.

          Form2 frm = new Form2();
          frm.txtData.Text = ds.Tables[0].Rows[0][""].ToString();
          this.Hide();
          frm.Show();

      :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET

      • L Luis Alonso Ramos

        jdkulkarni
        #10

        Ya, I know. It is not a secure way if used on WEB. but for winform application, i don't think it is a big issue. In general it is bad practice i agree. :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET

        • J jdkulkarni

          nidhelp
          #11

          hope to solve this problem today. thanks for your time and effort, friend. =) unfortunately, the codes didn't work. i did this in form1:

              oleDbDataAdapter1.SelectCommand.Parameters["ContactID"].Value = textBox1.Text;
              dataSet11.Clear();
              oleDbDataAdapter1.Fill(dataSet11);
              dono.Form2 frm = new dono.Form2();
              frm.textBox1.Text = dataSet11.Tables[0].Rows[0][""].ToString();  // >> i think something's wrong here.. but i donno what is it..
              this.Hide();
              frm.Show();

          just to tell u i used databinding to all my textboxes in form2.

          • N nidhelp

            jdkulkarni
            #12

            Hey, u r missing column index or columnname.

                dataSet11.Tables[0].Rows[0]["ColumnName"].ToString();

            Rest is ok. If it throws error please let me know the error. Sorry for missing the column index parameter. Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET

            • J jdkulkarni

              nidhelp
              #13

              sorry, i guess my information/description of problem is not clear so u are still not 100% clear about what im doing, is that so? i know u are more expert than me, while im just a beginner. but somehow, i suppose the above solution still will not solve my problem. would u mind if i send u some sample codes and run my codes to see what im actually doing? i've trouble explaining to u clearly as im not sure of those terms/acronyms.

              • N nidhelp

                nidhelp
                #14

                i emailed u. not sure if u will be looking at my email. if u are, i've an access db attached to the email. please open table named Patient. feel free to ask me if you are unsure about anything. thank you really much!:-D

                • N nidhelp

                  jdkulkarni
                  #15

                  Hi, I did not receive the database. But the code looks ok. I'm sending sample code with this answer. It's a simple code snippet.

                      /*****************FORM1********************************/
                      using System;
                      using System.Drawing;
                      using System.Collections;
                      using System.ComponentModel;
                      using System.Windows.Forms;
                      using System.Data;

                      namespace dono
                      {
                          /// <summary>
                          /// Summary description for Form1.
                          /// </summary>
                          public class Form1 : System.Windows.Forms.Form
                          {
                              private System.Windows.Forms.Button button1;
                              private System.Windows.Forms.TextBox textBox1;
                              private System.Data.OleDb.OleDbDataAdapter oleDbDataAdapter1;
                              private System.Data.OleDb.OleDbCommand oleDbSelectCommand1;
                              private System.Data.OleDb.OleDbCommand oleDbInsertCommand1;
                              private System.Data.OleDb.OleDbCommand oleDbUpdateCommand1;
                              private System.Data.OleDb.OleDbCommand oleDbDeleteCommand1;
                              private System.Data.OleDb.OleDbConnection oleDbConnection1;
                              /// <summary>
                              /// Required designer variable.
                              /// </summary>
                              private System.ComponentModel.Container components = null;

                              public Form1()
                              {
                                  //
                                  // Required for Windows Form Designer support
                                  //
                                  InitializeComponent();
                                  //
                                  // TODO: Add any constructor code after InitializeComponent call
                                  //
                              }

                              /// <summary>
                              /// Clean up any resources being used.
                              /// </summary>
                              protected override void Dispose( bool disposing )
                              {
                                  if( disposing )
                                  {
                                      if (components != null)
                                      {
                                          components.Dispose();
                                      }
                                  }
                                  base.Dispose( disposing );
                              }

                              #region Windows Form Designer generated code
                              /// <summary>
                              /// Required method for Designer support - do not modify
                              /// the contents of this method with the code editor.
                              /// </summary>
                              private void InitializeComponent()
                              {
                                  this.button1 = new System.Windows.Forms.Button();
                                  this.textBox1 = new System.Windows.Forms.TextBox();
                                  this.oleDbDataAdapter1 = new System.Data.OleDb.OleDbDataAdapter();
                                  this.oleDbDeleteCommand1 = new System.Data.OleDb.OleDbCommand();
                                  this.oleDbConnection1 = new System.Data.OleDb.OleDbConnection();
                                  this.oleDbInsertCommand1 = new System.Data.OleDb.OleDbCommand();
                                  this.oleDbSelectCommand1 = new System.Data.OleDb.OleDbCommand();
                                  this.oleDbUpdateCommand1 = new System.Data.OleDb.OleDbCommand();
                                  this.SuspendLayout();
                                  //
                                  // button1
                                  //
                                  this.button1.Location = new System.Drawing.Point(256, 112);

                  • J jdkulkarni

                    Daniel Turini
                    #16

                    jdkulkarni wrote: Ya, I know. It is not a secure way if used on WEB. but for winform application, i dont think it is a big issue.

                    So, anyone may login on your winform application by using this password: ' OR 1=1 --

                    I see dead pixels
                    Yes, even I am blogging now!
                    -- modified at 8:14 Friday 26th August, 2005

                    • J jdkulkarni

                      Not Active
                      #17

                      jdkulkarni wrote: i dont think it is a big issue. This is the attitude that creates insecure software. The only reason to dynamically create sql statements is if your rdbms doesn't support stored procs, but even then there are ways to mitigate security vulnerabilities.

                      • N Not Active

                        jdkulkarni
                        #18

                        The person is working on ACCESS. And anyway I'm not in support of Dynamic query. I strictly use SP's and encryptions while building dynamic query. I think it should end this discussion now. :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET

                        • J jdkulkarni

                          Not Active
                          #19

                          jdkulkarni wrote: I'm not in support of Dynamic query. I strictly use SP's and encryptions while building dynamic query

                          Seems a bit contradictory to me. :doh: :laugh:

                          • J jdkulkarni

                            Luis Alonso Ramos
                            #20

                            Just type something with a ' in there and your code will blow up. If you have a text box where I enter a date, and I change the culture of the operating system, you'll get an erroneous date. It's really easy to have parameterized queries, and even Access has them. Compare this:

                            string sql = "SELECT * FROM Users WHERE UserName = '" + txtUserName.Text + "' AND Password = '" + txtPassword.Text + "'";
                            OleDbCommand cmd = new OleDbCommand(sql, conn);

                            to this:

                            string sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?";
                            OleDbCommand cmd = new OleDbCommand(sql, conn);
                            cmd.Parameters.Add("", txtUserName.Text);  // In Access, parameter name doesn't
                            cmd.Parameters.Add("", txtPassword.Text);  // matter, it's by position

                            Easier to read in my opinion, much more secure and robust, and easier to maintain. -- LuisR


                            Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!

                            The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005

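As an added example (not code from this thread), here is Luis's before/after comparison (#20) together with Daniel's `' OR 1=1 --` password (#16), run against a constructed in-memory SQLite table; SQLite's positional `?` placeholders behave like the OleDb/Access ones above. The Users table, names and passwords are made up.

```python
import sqlite3

# Constructed sample rows standing in for the Access "Users" table from the thread.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with a Users(UserName, Password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", USERS)
    return conn


def login_concat(conn, user, password):
    """The vulnerable pattern: user input spliced straight into the SQL text."""
    sql = ("SELECT * FROM Users WHERE UserName = '" + user
           + "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_param(conn, user, password):
    """Parameterized: '?' placeholders bound by position, as with OleDb against Access."""
    sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"
    return conn.execute(sql, (user, password)).fetchall()


def demo():
    """Run both versions over the same inputs and report row counts / errors."""
    conn = make_db()
    results = {}
    # 1. A legitimate login returns one row either way.
    results["concat_valid"] = len(login_concat(conn, "alice", "s3cret"))
    results["param_valid"] = len(login_param(conn, "alice", "s3cret"))
    # 2. Daniel's password. Concatenation yields
    #    ... AND Password = '' OR 1=1 --'   which matches every row.
    bypass = "' OR 1=1 --"
    results["concat_bypass"] = len(login_concat(conn, "alice", bypass))
    results["param_bypass"] = len(login_param(conn, "alice", bypass))   # bound as data
    # 3. Luis's point: a plain apostrophe (O'Brien) breaks the concatenated statement.
    try:
        login_concat(conn, "O'Brien", "x")
        results["concat_quote_error"] = False
    except sqlite3.OperationalError:
        results["concat_quote_error"] = True
    results["param_quote_rows"] = len(login_param(conn, "O'Brien", "x"))  # no error
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```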
                            • J jdkulkarni

                              nidhelp
                              #21

                              hi im sure glad u replied. sorry for the late reply. just got home. anyway, i just had a look at the code snippet. over here i think im not sure:

                                  private void button1_Click(object sender, System.EventArgs e)
                                  {
                                      Form2 frm = new Form2();
                                      frm.textBox1.Text = "I got the value";  // << the textBox1 is in my form2 so i get errors something like this --> textbox1 not found in this form (form1) and cant get access to textbox1 in form2.
                                      this.Hide();
                                      frm.Show();
                                  }

                              thanks friend once again! =)

                              • L Luis Alonso Ramos

                                nidhelp
                                #22

                                hi there, thanks for replying! good, just learnt something from u =) --> Just type something with a ' in there and you code will blow up however, what i need help in is i cant load my data well if i were to SEPARATE "Search Controls" (textbox and button for query --> to get data belonging to person with a certain ID no.) with "Textbox Controls" (that is, data is to be loaded into these "Textbox Controls" placed in form2). im able to retrieve selected data when i place "Search Controls" and "Textbox Controls" on the same form but this is not what i want. thanks!

                                • N nidhelp

                                  jdkulkarni
                                  #23

                                  Hi, Ok, I thought u were waiting for my answer. It seems that Form2 does not contain txtBox1. What u need to do is create a simple textbox in Form2 and make it public. If u do not make it public it will not work. There is another solution. Define a public property which will set the value of text box. Something like this.. in Form2:

                                      private string setValue = string.Empty;
                                      public string SetMyValue
                                      {
                                          set { this.txtBox1.Text = value; }
                                      }

                                  in Form1's button click:

                                      Form2 frm = new Form2();
                                      frm.SetMyValue = "I got the value";
                                      this.Hide();
                                      frm.Show();

                                  :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
