DataBase Selects and other lovely things :)
-
Today I was looking through the code of a student who is working on a project for our company. He's trying to make a new user administration application. In his application he is loading the users from the database into a treeview. OK, so far so good. Nothing is wrong. Now I tried to load the user information and wondered why the data didn't match the selected user. The following code snippet is the reason.
string query = "ID = " + this.userTree.SelectedNode.Index.ToString();   // Index is the node's position in the tree, not the user's ID
DataRow[] foundi = tableAdapterUsers.Select(query);                      // so this filters on the wrong value
He's making a Select on the database expecting that the TreeViewID is equal to the database ID. :doh: I spent nearly the whole morning finding this. I'm wishing everybody a nice weekend, greetings pdluke
-
Youch. When I build TreeNodes from DataRows I store the original DataRow in the Tag field of the TreeNode for future reference.
-
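The mismatch in the original post and the Tag approach from the reply above, side by side, as an added example that is not code from the thread. It assumes a Users DataTable with an integer ID column and a string Name column (both names are assumptions) and a WinForms TreeView; the sample rows are constructed with IDs that deliberately do not match the node positions, so a lookup by Index finds the wrong row or none at all.

```csharp
using System;
using System.Data;
using System.Windows.Forms;

static class UserTreeDemo
{
    // Column names are assumptions for this example.
    const string IdColumn = "ID";
    const string NameColumn = "Name";

    // Constructed sample data: the IDs are deliberately not 0, 1, 2, ... so a
    // node's position in the tree never coincides with the row's ID.
    static DataTable BuildSampleUsers()
    {
        var users = new DataTable("Users");
        users.Columns.Add(IdColumn, typeof(int));
        users.Columns.Add(NameColumn, typeof(string));
        users.PrimaryKey = new[] { users.Columns[IdColumn] };
        users.Rows.Add(42, "alice");
        users.Rows.Add(7, "bob");
        users.Rows.Add(1001, "carol");
        return users;
    }

    // Fill the TreeView and keep the originating DataRow in each node's Tag.
    static void LoadUsers(TreeView tree, DataTable users)
    {
        tree.BeginUpdate();
        tree.Nodes.Clear();
        foreach (DataRow row in users.Rows)
        {
            tree.Nodes.Add(new TreeNode((string)row[NameColumn]) { Tag = row });
        }
        tree.EndUpdate();
    }

    // Resolve the selected node back to its row through the Tag: no second
    // query, and independent of where the node sits in the tree.
    static DataRow SelectedUser(TreeView tree)
    {
        return tree.SelectedNode?.Tag as DataRow;
    }

    // The approach from the original post, kept for comparison: it filters the
    // table by the node's position, which has nothing to do with the ID column.
    static DataRow UserByNodeIndex(TreeView tree, DataTable users)
    {
        string filter = IdColumn + " = " + tree.SelectedNode.Index;
        DataRow[] found = users.Select(filter);
        return found.Length == 1 ? found[0] : null;
    }

    static void Main()
    {
        DataTable users = BuildSampleUsers();
        var tree = new TreeView();
        LoadUsers(tree, users);

        // Select the second node: Index 1, but its row has ID 7.
        tree.SelectedNode = tree.Nodes[1];

        DataRow viaTag = SelectedUser(tree);
        DataRow viaIndex = UserByNodeIndex(tree, users);

        Console.WriteLine("via Tag:   " + viaTag[NameColumn]);
        Console.WriteLine("via Index: " + (viaIndex == null ? "(no row with that ID)" : (string)viaIndex[NameColumn]));
    }
}
```

Holding the DataRow itself in Tag also survives sorting or filtering of the tree, which an Index-based lookup never does. If you would rather not keep a reference to the row, store the ID value in Tag instead and resolve it with users.Rows.Find(id), which works once PrimaryKey is set as above.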
pdluke wrote:
string query = "ID = " + this.userTree.SelectedNode.Index.ToString();
It is interesting to see people make SQL queries this way and expose themselves to SQL injection. Parameterized queries are not only safer, but also easier, IMHO.
-
Nemanja Trifunovic wrote:
Parameterized queries are not only safer, but also easier
I'm not suggesting I agree with the method shown by the OP, but it is much easier to keep a source history if the queries are in the code rather than in stored procedures, and also less likely to miss an update when releasing a new version of the code. That said, I use parameterized queries. :laugh:
Pualee
-
You don't have to use stored procedures to use parameterized queries, just put parameters in your queries. "ID = @id" instead of "ID = '" + id.ToString() + "'"
Using the GridView is like trying to explain to someone else how to move a third person's hands in order to tie your shoelaces for you. -Chris Maunder
-
Pualee wrote:
if the queries are in the code rather than stored procedures
I never mentioned stored procedures :~ . Parameterized queries can be kept in the source code.
-
For me, writing on this forum is always a tradeoff between looking stupid and learning more... Thanks for the clarification:|
We use stored procedures at the organization I work for, but they have to be created in VS (which is under source control) before they can be created on the test database (with each release we submit release notes listing the files we've modified, created or removed, and the person responsible for the builds handles it from there); that way the stored procedures are also under source control.
"Okay, I give up: which is NOT a real programming language????" Michael Bergman
"Well yes, it is an Integer, but it's a metrosexual Integer. For all we know, under all that hair gel it could be a Boolean." Tom Welch
"Let's face it, the average computer user has the brain of a Spider Monkey." Bill Gates
-
Or.... just write a function to check all your input fields before processing them? Little things, like making sure numeric values are in an "int" and strings are properly quoted and escaped before concatenating the final SQL string, work fine too. Just gotta be careful.
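To make the "ID = @id" suggestion earlier in the thread and the check-the-input approach in the last reply concrete, here is an added example that is not code from the thread. It assumes the lookup goes to SQL Server through ADO.NET (System.Data.SqlClient as shipped with .NET Framework) against a Users table with an integer ID column and a Name column; the connection string, table and column names are placeholders. No database is opened: the commands are only built so their text can be inspected next to a constructed hostile input.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

static class UserLookup
{
    // Vulnerable form: whatever arrives in 'id' becomes part of the statement.
    // With id = "1 OR 1=1" the WHERE clause matches every row; with
    // "1; DROP TABLE Users" a second statement runs if the login has the rights.
    static SqlCommand ConcatenatedLookup(SqlConnection conn, string id)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT ID, Name FROM Users WHERE ID = " + id;
        return cmd;
    }

    // Parameterized form: the statement text is fixed and the value travels
    // separately, typed as an int. Nothing the caller passes can change the SQL,
    // and the query lives in the source file, not in a stored procedure.
    static SqlCommand ParameterizedLookup(SqlConnection conn, int id)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT ID, Name FROM Users WHERE ID = @id";
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        return cmd;
    }

    // The "check the input first" approach from the last reply, for the numeric
    // case: TryParse rejects anything that is not an int before it reaches the
    // concatenation. It covers integers only; a string column would need quoting
    // and escaping by hand, which is exactly the work a parameter does for you.
    static bool TryValidatedLookup(SqlConnection conn, string rawId, out SqlCommand cmd)
    {
        cmd = null;
        if (!int.TryParse(rawId, NumberStyles.Integer, CultureInfo.InvariantCulture, out int id))
            return false;
        cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT ID, Name FROM Users WHERE ID = " + id.ToString(CultureInfo.InvariantCulture);
        return true;
    }

    // Runs one of the lookups and returns the Name, or null if no row matched.
    // Not called from Main, which is kept offline.
    static string ExecuteLookup(SqlCommand cmd)
    {
        if (cmd.Connection.State != ConnectionState.Open)
            cmd.Connection.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            return reader.Read() ? reader.GetString(1) : null;
        }
    }

    static void Main()
    {
        // Placeholder connection string; the connection is never opened here.
        using (var conn = new SqlConnection("Server=(local);Database=UserAdmin;Integrated Security=true"))
        {
            // Constructed input of the kind a user could type into a filter box.
            string hostile = "1 OR 1=1";

            Console.WriteLine("concatenated:  " + ConcatenatedLookup(conn, hostile).CommandText);

            if (TryValidatedLookup(conn, hostile, out SqlCommand checkedCmd))
                Console.WriteLine("validated:     " + checkedCmd.CommandText);
            else
                Console.WriteLine("validated:     input rejected: " + hostile);

            SqlCommand safe = ParameterizedLookup(conn, 7);
            Console.WriteLine("parameterized: " + safe.CommandText + "   @id = " + safe.Parameters["@id"].Value);
        }
    }
}
```

If the Select in the original post is actually DataTable.Select on an in-memory table rather than a query sent to the server, the filter expression language is not SQL, but the same discipline applies: build the filter from a typed value (or use Rows.Find with the primary key) rather than from raw user text.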