parameterized query
-
sorry, i guess my information/description of problem is not clear so u are still not 100% clear about what im doing, is that so? i know u are more expert than me, while im just a beginner. but somehow, i suppose the above solution still will not solve my problem. would u mind if i send u some sample codes and run my codes to see what im actually doing? i've trouble explaining to u clearly as im not sure of those terms/acronyms.
-
i emailed u. not sure if u will be looking at my email. if u are, i've an access db attached to the email. please open table named Patient. feel free to ask me if you are unsure about anything. thank you really much!:-D
Hi, I did not receive the database. But the code looks ok. I'm sending sample code with this answer. I'm simple code snippet. /*****************FORM1********************************/ using System; using System.Drawing; using System.Collections; using System.ComponentModel; using System.Windows.Forms; using System.Data; namespace dono { /// /// Summary description for Form1. /// public class Form1 : System.Windows.Forms.Form { private System.Windows.Forms.Button button1; private System.Windows.Forms.TextBox textBox1; private System.Data.OleDb.OleDbDataAdapter oleDbDataAdapter1; private System.Data.OleDb.OleDbCommand oleDbSelectCommand1; private System.Data.OleDb.OleDbCommand oleDbInsertCommand1; private System.Data.OleDb.OleDbCommand oleDbUpdateCommand1; private System.Data.OleDb.OleDbCommand oleDbDeleteCommand1; private System.Data.OleDb.OleDbConnection oleDbConnection1; /// /// Required designer variable. /// private System.ComponentModel.Container components = null; public Form1() { // // Required for Windows Form Designer support // InitializeComponent(); // // TODO: Add any constructor code after InitializeComponent call // } /// /// Clean up any resources being used. /// protected override void Dispose( bool disposing ) { if( disposing ) { if (components != null) { components.Dispose(); } } base.Dispose( disposing ); } #region Windows Form Designer generated code /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { this.button1 = new System.Windows.Forms.Button(); this.textBox1 = new System.Windows.Forms.TextBox(); this.oleDbDataAdapter1 = new System.Data.OleDb.OleDbDataAdapter(); this.oleDbDeleteCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbConnection1 = new System.Data.OleDb.OleDbConnection(); this.oleDbInsertCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbSelectCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbUpdateCommand1 = new System.Data.OleDb.OleDbCommand(); this.SuspendLayout(); // // button1 // this.button1.Location = new System.Drawing.Point(256, 112);
-
jdkulkarni wrote: Ya, I know. It is not a secure way if used on WEB. but for winform application, i dont think it is a big issue. So, anyone may login on your winform application by using this password ' OR 1=1 -- I see dead pixels Yes, even I am blogging now! -- modified at 8:14 Friday 26th August, 2005
-
jdkulkarni wrote: i dont think it is a big issue. This is the attitude that creates insecure software. The only reason to dynamically create sql statements is if your rdbms doesn't support stored procs, but even then there are ways to mitigate security vulnerabilities.
-
jdkulkarni wrote: i dont think it is a big issue. This is the attitude that creates insecure software. The only reason to dynamically create sql statements is if your rdbms doesn't support stored procs, but even then there are ways to mitigate security vulnerabilities.
-
jdkulkarni wrote: I'm not in support of Dynamic query. I strictly use SP's and encryptions while bulding dynamic query Seems a bit contradictory to me. :doh: :laugh:
-
Just type something with a ' in there and you code will blow up. If you have a text box where I enter a date, and I change the culture of the operating system, you'll get erroneous date. It's really easy to have parameterized queries, and even access has them. Compare this:
string sql = "SELECT * FROM Users WHERE UserName = '" + txtUserName.Text "' AND Password = '" + txtPassword.Text + "'"; OleDbCommand cmd = new OleDbCommand(cmd, conn);to this:
string sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"; OleDbCommand cmd = new OleDbCommand(cmd, conn); cmd.Parameters.Add("", txtUserName.Text); // In Access, parameter name doesn't cmd.Parameters.Add("", txtPassword.Text); // matter, it's by positionEasier to read in my opinion, way much more secure and robust, and easier to maintain. -- LuisR
Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
-
Hi, I did not receive the database. But the code looks ok. I'm sending sample code with this answer. I'm simple code snippet. /*****************FORM1********************************/ using System; using System.Drawing; using System.Collections; using System.ComponentModel; using System.Windows.Forms; using System.Data; namespace dono { /// /// Summary description for Form1. /// public class Form1 : System.Windows.Forms.Form { private System.Windows.Forms.Button button1; private System.Windows.Forms.TextBox textBox1; private System.Data.OleDb.OleDbDataAdapter oleDbDataAdapter1; private System.Data.OleDb.OleDbCommand oleDbSelectCommand1; private System.Data.OleDb.OleDbCommand oleDbInsertCommand1; private System.Data.OleDb.OleDbCommand oleDbUpdateCommand1; private System.Data.OleDb.OleDbCommand oleDbDeleteCommand1; private System.Data.OleDb.OleDbConnection oleDbConnection1; /// /// Required designer variable. /// private System.ComponentModel.Container components = null; public Form1() { // // Required for Windows Form Designer support // InitializeComponent(); // // TODO: Add any constructor code after InitializeComponent call // } /// /// Clean up any resources being used. /// protected override void Dispose( bool disposing ) { if( disposing ) { if (components != null) { components.Dispose(); } } base.Dispose( disposing ); } #region Windows Form Designer generated code /// /// Required method for Designer support - do not modify /// the contents of this method with the code editor. /// private void InitializeComponent() { this.button1 = new System.Windows.Forms.Button(); this.textBox1 = new System.Windows.Forms.TextBox(); this.oleDbDataAdapter1 = new System.Data.OleDb.OleDbDataAdapter(); this.oleDbDeleteCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbConnection1 = new System.Data.OleDb.OleDbConnection(); this.oleDbInsertCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbSelectCommand1 = new System.Data.OleDb.OleDbCommand(); this.oleDbUpdateCommand1 = new System.Data.OleDb.OleDbCommand(); this.SuspendLayout(); // // button1 // this.button1.Location = new System.Drawing.Point(256, 112);
hi im sure glad u replied. sorry for the late reply. just got home. anyway, i just had a look at the code snippet. over here i think im not sure: private void button1_Click(object sender, System.EventArgs e) { Form2 frm = new Form2(); frm.textBox1.Text = "I got the value"; << the textBox1 is in my form2 so i get errors something like this --> textbox1 not found in this form (form1) and cant get access to textbox1 in form2. this.Hide(); frm.Show(); thanks friend once again! =)
-
Just type something with a ' in there and you code will blow up. If you have a text box where I enter a date, and I change the culture of the operating system, you'll get erroneous date. It's really easy to have parameterized queries, and even access has them. Compare this:
string sql = "SELECT * FROM Users WHERE UserName = '" + txtUserName.Text "' AND Password = '" + txtPassword.Text + "'"; OleDbCommand cmd = new OleDbCommand(cmd, conn);to this:
string sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?"; OleDbCommand cmd = new OleDbCommand(cmd, conn); cmd.Parameters.Add("", txtUserName.Text); // In Access, parameter name doesn't cmd.Parameters.Add("", txtPassword.Text); // matter, it's by positionEasier to read in my opinion, way much more secure and robust, and easier to maintain. -- LuisR
Luis Alonso Ramos Intelectix - Chihuahua, Mexico Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
hi there, thanks for replying! good, just learnt something from u =) --> Just type something with a ' in there and you code will blow up however, what i need help in is i cant load my data well if i were to SEPARATE "Search Controls" (textbox and button for query --> to get data belonging to person with a certain ID no.) with "Textbox Controls" (that is, data is to be loaded into these "Textbox Controls" placed in form2). im able to retrieve selected data when i place "Search Controls" and "Textbox Controls" on the same form but this is not what i want. thanks!
-
hi im sure glad u replied. sorry for the late reply. just got home. anyway, i just had a look at the code snippet. over here i think im not sure: private void button1_Click(object sender, System.EventArgs e) { Form2 frm = new Form2(); frm.textBox1.Text = "I got the value"; << the textBox1 is in my form2 so i get errors something like this --> textbox1 not found in this form (form1) and cant get access to textbox1 in form2. this.Hide(); frm.Show(); thanks friend once again! =)
Hi, Ok, I thought u were waiting for my answer. It seems that Form2 does not contain txtBox1. What u need to do is create a simple textbox in Form2 and make it public. If u do not make it public it will not work. There is another solution. Define a public property which will set the valus of text box. Something like this.. in Form2: private string setValue = string.Empty; public string SetMyValue { set { this.txtBox1.Text = value; } } in Form1's button click: Form2 frm = new Form2(); frm.SetMyValue = "I got the value"; this.Hide(); frm.Show(); :-D Jayant D. Kulkarni Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET