Help reading data
-
Can anyone please tell me why this isn't reading data from the database? I'm trying to save multiple entries to the database based on checked list box selections. I really need my code proofread. Can someone please tell me in a code example what I'm doing wrong? Malcolm is hopefully going to help me, but since I'm desperate I am trying to get the quickest help possible and am not sure if he'll get back to me in time. I've been trying this for a week, by the way. It's for ADO.NET.
SqlConnection adoConn = new SqlConnection("server = ADMMSAS7;database=Dev_RST;Trusted_Connection=yes");
adoConn.Open();
string sql = "select ProgLanguagesDatabase from TechnicalSkills";
SqlCommand adoCmd = new SqlCommand(sql, adoConn);
SqlDataReader adoDR = adoCmd.ExecuteReader();
string TechnicalSkills = (string)adoDR["ProgLanguagesDatabase"];
int TechnicalSkillsID = (int)adoDR["TechnicalSkillsID"];
if (adoDR.HasRows)
{
    while (adoDR.Read())
    {
        if (techSkillsCheckListBox2.CheckedItems.Count != 0)
        {
            for (int x = 0; x <= techSkillsCheckListBox2.CheckedItems.Count - 1; x++)
            {
                if (techSkillsCheckListBox2.CheckedItems[x].Equals(TechnicalSkills))
                {
                    sql = "Insert into EmpSkills(EmployeeID,TechnicalSkillsID) values ('" + this.EmployeeID + "','" + techSkillsCheckListBox2.CheckedItems.ToString() + "')";
Sianny aka Sharny -
falles01 wrote:
sql = "Insert into EmpSkills(EmployeeID,TechnicalSkillsID) values ('" + this.EmployeeID + "','" + techSkillsCheckListBox2.CheckedItems.ToString() + "')";
At first glance, this is vulnerable to a SQL Injection attack (not why it isn't reading from the database, though).
"Try asking what you want to know, rather than asking a question whose answer you know." - Christian Graus
-
What I meant by my post was that the way you are concatenating strings together into a SQL statement is very bad practice. Read this very useful article http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp by Colin Mackay. As far as inserting multiple values from a checklistbox selection, techSkillsCheckListBox2.CheckedItems.ToString() is suspect. Isn't there supposed to be an Items collection that you can pull the actual data value from? I am not 100% sure, but look for something like that.
"Try asking what you want to know, rather than asking a question whose answer you know." - Christian Graus
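An added example, not code from any poster in this thread: one way to write the EmpSkills insert discussed above with parameters instead of string concatenation, one row per checked item. The class and method names are hypothetical, and it assumes EmployeeID and TechnicalSkillsID are int columns and that the checked items are the ProgLanguagesDatabase strings.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class EmpSkillsWriter   // hypothetical helper, not from the thread
{
    // Inserts one EmpSkills row per checked skill name; returns rows written.
    // Assumption: EmployeeID and TechnicalSkillsID are int columns.
    // Possible call site (needs System.Linq, items must be strings):
    //   SaveSkills(connStr, employeeId, techSkillsCheckListBox2.CheckedItems.Cast<string>());
    public static int SaveSkills(string connStr, int employeeId, IEnumerable<string> checkedNames)
    {
        using (var conn = new SqlConnection(connStr))
        {
            conn.Open();

            // Map display name -> key. Both columns are in the SELECT list,
            // and Read() is called before any column is accessed.
            var idByName = new Dictionary<string, int>();
            using (var cmd = new SqlCommand(
                "SELECT TechnicalSkillsID, ProgLanguagesDatabase FROM TechnicalSkills", conn))
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    idByName[reader.GetString(1)] = reader.GetInt32(0);
            }

            // Values travel as typed parameters, never as part of the SQL text.
            const string insertSql =
                "INSERT INTO EmpSkills (EmployeeID, TechnicalSkillsID) " +
                "VALUES (@EmployeeID, @TechnicalSkillsID)";
            int written = 0;
            using (var tx = conn.BeginTransaction())
            using (var cmd = new SqlCommand(insertSql, conn, tx))
            {
                cmd.Parameters.Add("@EmployeeID", SqlDbType.Int).Value = employeeId;
                SqlParameter skill = cmd.Parameters.Add("@TechnicalSkillsID", SqlDbType.Int);
                foreach (string name in checkedNames)
                {
                    int id;
                    if (!idByName.TryGetValue(name, out id)) continue; // not a known skill
                    skill.Value = id;
                    written += cmd.ExecuteNonQuery();
                }
                tx.Commit(); // all rows or none; disposing without Commit rolls back
            }
            return written;
        }
    }
}
```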