urgent Help on C#
-
Hi.. I'm currently doing a web design on a calendar using a C# web application. I have created a calendar. I would like to ask: if I click a date on the calendar, can I retrieve the database?? I have tried several times and it seems like it is not working. Below is my code; could anyone help me if I'm missing any parts?? Thanks!!

My code:

    . . .
    using System.Data;
    using System.Data.SqlClient;

    private void Calendar1_SelectionChanged(object sender, System.EventArgs e)
    {
        TBDate1.Text = CAL1.SelectedDate.ToLongDateString();
        SqlConnection conn = new SqlConnection("put my connection string here");
        // Date text from the text box is concatenated straight into the SQL statement
        string seldate = "Select * from Particulars where DateField = '" + TBDate1.Text + "'";
        SqlDataAdapter DA = new SqlDataAdapter(seldate, conn);
        DataSet DS = new DataSet();
        DA.Fill(DS);
        DataGrid1.DataSource = DS.Tables[0].DefaultView;
        DataGrid1.DataBind();
    }

Thanks for your help..;) Cheers!
-
First of all, never use string concatenation like that in SQL strings. All I have to do as an attacker is set the TBDate1.Text field (either in the page or via an HTTP GET or POST) to

    ' or 1=1; delete from Particulars; --

and your table is gone. With probing I could do worse, such as steal credit card information or other private information, etc. This is called a SQL injection attack and is one of the most overlooked vulnerabilities. Use parameterized queries using the SqlCommand.Parameters collection property. That's also the answer to the problem here. Dates are typically surrounded by "#" (depending on the database management system), but using parameters eliminates having to know that:

    // SqlDbType is in the System.Data namespace
    SqlCommand cmd = conn.CreateCommand();
    cmd.CommandText = "SELECT * FROM Particulars WHERE DateField = @Date";
    // The value travels as a typed parameter and is never spliced into the SQL text
    cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = DateTime.Parse(TBDate1.Text);
    // ...

Add some error-handling, though, since DateTime.Parse could fail if incorrectly formatted.

This posting is provided "AS IS" with no warranties, and confers no rights.
Software Design Engineer, Developer Division Customer Product-lifecycle Experience, Microsoft
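As an added example (not code from either poster in the thread), here is how the code-behind for the page above could be written so that the date reaches SQL Server only as a typed parameter and bad input is rejected before it gets near the database. It assumes the control IDs from the question (CAL1, TBDate1, DataGrid1), a connection string named "Particulars" in web.config, and a hypothetical page class and error label; the BuildUnsafeSql method keeps the original concatenation purely to show what the attacker's string turns it into.

```csharp
using System;
using System.Configuration;          // ConfigurationManager (reference System.Configuration.dll)
using System.Data;
using System.Data.SqlClient;
using System.Globalization;
using System.Web.UI;

// Hypothetical code-behind for the page in the question (example only, not the poster's code).
public partial class CalendarPage : Page
{
    // Assumption: the connection string is stored in web.config under the name "Particulars",
    // not hard-coded in the page.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Particulars"].ConnectionString;

    // For contrast only: the original concatenation. Never execute this.
    // With the payload  ' or 1=1; delete from Particulars; --  it produces
    //   Select * from Particulars where DateField = '' or 1=1; delete from Particulars; --'
    // i.e. a second statement the application never wrote.
    public static string BuildUnsafeSql(string dateText)
    {
        return "Select * from Particulars where DateField = '" + dateText + "'";
    }

    protected void CAL1_SelectionChanged(object sender, EventArgs e)
    {
        // Take the date from the control as a DateTime; do not round-trip it through a text box.
        DateTime selected = CAL1.SelectedDate;
        TBDate1.Text = selected.ToLongDateString();
        BindParticulars(selected);
    }

    // If the date must come from typed text, validate it instead of letting DateTime.Parse throw.
    protected void TBDate1_TextChanged(object sender, EventArgs e)
    {
        DateTime typed;
        if (!DateTime.TryParse(TBDate1.Text, CultureInfo.CurrentCulture, DateTimeStyles.None, out typed))
        {
            // LblError is a hypothetical Label control used to report the bad input.
            LblError.Text = "Please enter a valid date.";
            return;
        }
        BindParticulars(typed);
    }

    private void BindParticulars(DateTime date)
    {
        const string sql = "SELECT * FROM Particulars WHERE DateField = @Date";
        var table = new DataTable();

        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameter: the provider sends the value separately from the SQL text,
            // so quotes, semicolons and comment markers in user input are never parsed as SQL.
            cmd.Parameters.Add("@Date", SqlDbType.DateTime).Value = date;

            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table);   // Fill opens and closes the connection itself
            }
        }

        DataGrid1.DataSource = table;
        DataGrid1.DataBind();
    }
}
```

Binding directly from CAL1.SelectedDate removes the text box from the data path entirely; the TryParse branch is only needed if users are allowed to type a date themselves.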