|
jdkulkarni wrote:
I don't think it is a big issue.
This is the attitude that creates insecure software. The only reason to dynamically create sql statements is if your rdbms doesn't support stored procs, but even then there are ways to mitigate security vulnerabilities.
|
|
|
|
|
The person is working on ACCESS. And anyway I'm not in support of Dynamic query. I strictly use SP's and encryptions while building dynamic query. I think it should end this discussion now.
Jayant D. Kulkarni
Brainbench Certified Software Engineer in C#, ASP.NET, .NET Framework and ADO.NET
|
|
|
|
|
jdkulkarni wrote:
I'm not in support of Dynamic query.
I strictly use SP's and encryptions while building dynamic query
Seems a bit contradictory to me.
|
|
|
|
|
Just type something with a ' in there and your code will blow up. If you have a text box where I enter a date, and I change the culture of the operating system, you'll get an erroneous date.
It's really easy to have parameterized queries, and even Access has them. Compare this:
// user input is concatenated straight into the SQL text
string sql = "SELECT * FROM Users WHERE UserName = '" + txtUserName.Text + "' AND Password = '" + txtPassword.Text + "'";
OleDbCommand cmd = new OleDbCommand(sql, conn);
to this:
// the SQL text is constant; the values are bound to the ? markers in the order they are added
string sql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?";
OleDbCommand cmd = new OleDbCommand(sql, conn);
cmd.Parameters.Add("", txtUserName.Text);
cmd.Parameters.Add("", txtPassword.Text);
Easier to read in my opinion, way much more secure and robust, and easier to maintain.
-- LuisR
Luis Alonso Ramos
Intelectix - Chihuahua, Mexico
Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
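An added example (not code from the thread) that builds the post's parameterized query with typed OleDb parameters and covers the two cases the post names: an apostrophe in the input and a date typed under different cultures. The parameter names and sizes, the `Created` column and the second query are assumptions; no connection is opened, so it runs without a database.

```csharp
using System;
using System.Data.OleDb;
using System.Globalization;

static class ParameterizedQueryDemo
{
    // The query from the post: constant text, user input never becomes part of it.
    const string LoginSql = "SELECT * FROM Users WHERE UserName = ? AND Password = ?";
    // Hypothetical second query for the date case (column name is an assumption).
    const string SinceSql = "SELECT * FROM Users WHERE Created >= ?";

    static OleDbCommand BuildLoginCommand(string userName, string password)
    {
        OleDbCommand cmd = new OleDbCommand(LoginSql);
        // OLE DB binds "?" markers by position, so the order of the Add calls
        // matters; the names are labels only. Sizes (50) are assumed column widths.
        cmd.Parameters.Add("UserName", OleDbType.VarWChar, 50).Value = userName;
        cmd.Parameters.Add("Password", OleDbType.VarWChar, 50).Value = password;
        return cmd;
    }

    static OleDbCommand BuildSinceCommand(string dateText, CultureInfo inputCulture)
    {
        // Parse the text box once, with an explicit culture, and bind a DateTime.
        // The database then receives a typed value, not a culture-formatted string.
        DateTime since = DateTime.Parse(dateText, inputCulture);
        OleDbCommand cmd = new OleDbCommand(SinceSql);
        cmd.Parameters.Add("Since", OleDbType.Date).Value = since;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input containing apostrophes.
        OleDbCommand login = BuildLoginCommand("O'Brien", "it's a secret");
        Console.WriteLine(login.CommandText); // CommandText is LoginSql, unchanged by the input
        foreach (OleDbParameter p in login.Parameters)
            Console.WriteLine("  {0} ({1}) = {2}", p.ParameterName, p.OleDbType, p.Value);

        // The same typed text means two different dates under two cultures.
        OleDbCommand us = BuildSinceCommand("03/04/2005", new CultureInfo("en-US"));
        OleDbCommand gb = BuildSinceCommand("03/04/2005", new CultureInfo("en-GB"));
        Console.WriteLine("en-US: {0:yyyy-MM-dd}  en-GB: {1:yyyy-MM-dd}",
            us.Parameters[0].Value, gb.Parameters[0].Value);
    }
}
```

To run a command against a real database, assign an open `OleDbConnection` to `cmd.Connection` before calling `ExecuteReader`.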
|
|
|
|
|
hi there,
thanks for replying!
good, just learnt something from you =) --> Just type something with a ' in there and your code will blow up
however, what I need help with is that I can't load my data well if I SEPARATE the "Search Controls" (textbox and button for query --> to get data belonging to the person with a certain ID no.) from the "Textbox Controls" (that is, data is to be loaded into these "Textbox Controls" placed in form2).
I'm able to retrieve the selected data when I place the "Search Controls" and "Textbox Controls" on the same form but this is not what I want.
thanks!
|
|
|
|
|
1. I have two text boxes. The text boxes have numbers in them.
2. I have an "Add" button.
3. The two values in the text boxes correspond to the generic class I have added to my project ->
Let's say double x and y (private) with Set Get methods (public).
1. How do I get the text to convert to double?
2. Where do I put the code?
3. Any other advice I'd appreciate. Thanks!
|
|
|
|
|
double d = 0.0;
try
{
d = Convert.ToDouble(textBox.Text);
}
catch(FormatException)
{
    // the text was not a valid number; d keeps its initial value of 0.0
}
I hope this helps!
-- LuisR
Luis Alonso Ramos
Intelectix - Chihuahua, Mexico
Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
-- modified at 22:49 Thursday 25th August, 2005
|
|
|
|
|
As we used to say in Boston (1975)
Luis! Luis! Luis!
many thanks.......
|
|
|
|
|
-- LuisR
Luis Alonso Ramos
Intelectix - Chihuahua, Mexico
Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
|
|
|
|
|
Hi
I am calling a DB2 stored procedure with 3 parameters. The last one is an inout parameter in which a value is returned (SQLCODE). I am using the DB2DataAdapter object's fill method to return a dataset. I am getting the results fine in the dataset. However, how can I retrieve the inout parameter's value?
Any ideas?
|
|
|
|
|
Just use this while calling the SP,
DB2Parameter param = new DB2Parameter("@param", DB2Type.Int);
param.Direction = System.Data.ParameterDirection.InputOutput;
|
|
|
|
|
Yeah, I am doing all that. But how do I retrieve the parameter's value after the call? I only see the result tables in the dataset. When I checked the db2parameter object for this parameter, I see the old value. I am sure my stored procedure passes back the sqlcode in that parameter. I don't see it.
Any more suggestions?
|
|
|
|
|
Buddy I tested the same for SqlDataAdapter, it works just fine.
Can you please post the code? Maybe you missed out something?
|
|
|
|
|
Hi
Here is my code.
================
...
DB2Parameter[] db2params = new DB2Parameter[3];

BuildParameters(db2params, new object[] {"LSFEEDCD", DB2Type.Char, 4, "RABF"}, new object[] {"LSINVDT", DB2Type.Date, 8, "20041100"}, new object[] {"LSSQLCD", DB2Type.SmallInt, 2, 20});

DB2Helper.FillDataset(txtConnectionString.Text, "TTEZQ.ZQSPNS4", ds, new string[] {"Gateway_Test"}, db2params);
...
..
BuildParameters Method definition
==================================
public static void BuildParameters(DB2Parameter[] DB2Params, params object[] parameters)
{
    for (int i = 0; i < parameters.Length; i++)
    {
        object a = ((object[])(object)parameters[i])[0];
        object b = ((object[])(object)parameters[i])[1];
        object c = ((object[])(object)parameters[i])[2];
        object d = ((object[])(object)parameters[i])[3];
        DB2Params[i] = new DB2Parameter((string)a, (IBM.Data.DB2.DB2Type)b, (int)c);
        DB2Params[i].Direction = ParameterDirection.InputOutput;
        DB2Params[i].Value = d;
    }
}
I am interested in the third parameter where I pass the value as 20. I see the old value even after the call.
I did do a step by step debug within the DB2Helper class of the application block and I was able to see the returned value of the parameter in the filldataset method of that class, but once I return back to my class, I see the old value.
Any thoughts?
Thanks
|
|
|
|
|
You don't get the value of the parameter in the DataSet, but you have to get it from the Parameter collection of the Command object:
DB2Command cmd = new DB2Command("proc name", conn);
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("InOutParam", inputValue).Direction = ParameterDirection.InputOutput;
DB2DataAdapter da = new DB2DataAdapter(cmd);
da.Fill(ds);
// read the in/out parameter from the command after Fill has run
int outputValue = (int) cmd.Parameters[0].Value;
I hope this helps!
-- LuisR
Luis Alonso Ramos
Intelectix - Chihuahua, Mexico
Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
-- modified at 23:20 Thursday 25th August, 2005
|
|
|
|
|
Thanks Buddy! I got it working finally. Guess what! I was calling the wrong overload for that method. That was a very silly mistake that I had overlooked.
However, it's strange that the overload which I called by mistake (which takes a series of parameter values and uses the discoverparameter to find the stored procedure parameters and assigns the values) does not return me the updated value for the inout parameter. Maybe I don't know where to look, because we are just passing the parameter values in a params object. Do you have any idea about this?
Thanks
|
|
|
|
|
Hi.
I have XML file events.xml:
<events>
<event>
<date>2005-08-25</date>
<title>...</title>
...
</event>
...
</events>
And events.xsd XML Schema file:
<xs:schema>
...
<xs:element name="date" type="xs:date">
...
</xs:schema>
Node <date> has "xs:date" type (format is YYYY-MM-DD).
Now I need to load events.xml data into a DataSet (I do not use a strongly typed DataSet). After that I need to filter my data. For example, I need to receive all events (rows from DataTable) in 2005 September.
How to retrieve these rows? How to specify DataTable.Select() method? I think code like this "myDataSet.Tables[0].Select("YEAR(Date) = 2005 AND MONTH(Date) = 09")" will not work? I might be wrong...
Thanks
Tadas Sukys
-- modified at 17:11 Thursday 25th August, 2005
|
|
|
|
|
In my C# apps, I use ArrayLists to store many types of objects. Of course when I pull anything out of any ArrayList I have to employ a cast. For example:
ArrayList listOfStrings = new ArrayList();
:
String myString = (String)listOfStrings[3];
I end up doing so much casting! Is that typical? Can I avoid all the casting? Or is there some fundamental technique using ArrayLists that I am missing?
Thanks!
Mark Mokris
|
|
|
|
|
You want to create your own strongly typed collection by deriving from the System.Collections.CollectionBase class. Check the MSDN for CollectionBase to see how to implement this (override Add, Remove, this[] etc. methods).
|
|
|
|
|
I think the question was is there anything wrong with all of the casting.
I also employ the arraylist for the same purpose, so I'd like to hear from the C# gurus too.
|
|
|
|
|
Well, generics will help if you're using VS 2005, but with the current version, you're stuck with the cast or using the as syntax.
Of course if you are iterating over the items in an ArrayList, you can use foreach and that is nicer.
foreach( string s in arrayListOfStrings )
Console.WriteLine( "The list contains {0}", s );
Matt Gerrans
-- modified at 22:59 Thursday 25th August, 2005
|
|
|
|
|
It depends on what types of objects you are inserting in the ArrayList. If you are inserting reference types (basically any object) there's a very slight, almost negligible, performance penalty in casting to and from object.
On the other hand, if you insert value types (ints, doubles, DateTimes and so on) in the ArrayList, the performance penalty is big because when you put a value type in an object variable, the compiler has to create a dummy object to contain the value and insert a reference to that object (a process called boxing). When you cast an object to a value type (when getting an item from the ArrayList for example) the process is called unboxing and is the exact opposite: go get the object and take the value from inside it.
An advantage of using specialized collections derived from CollectionBase is that the compiler does type checking for you. You usually can't assign an object to a typed variable without casting, but the other way around is not true: you can assign a variable of any type to an object variable. With a specialized collection, you can't add items of other types without the compiler complaining.
-- LuisR
Luis Alonso Ramos
Intelectix - Chihuahua, Mexico
Not much here: My CP Blog!
The amount of sleep the average person needs is five more minutes. -- Vikram A Punathambekar, Aug. 11, 2005
-- modified at 23:13 Thursday 25th August, 2005
|
|
|
|
|
|
My experience is adding objects with the same type to one arraylist.
If casting is needed, for instance, to a string array, you can use this statement:
string[] myString = (string[])listOfStrings.ToArray(typeof(string));
|
|
|
|
|
I have a C# application which is required to do a specific task
on a scheduled basis, i.e. maybe once a day, twice or thrice daily...
The application needs to be up all the time and reads the scheduled timings information from a DB table and updates its scheduled time settings accordingly.
Any idea how to implement a simple customizable scheduler for this which
can reconfigure itself for the schedule and runs, calls the specified function
that does the job...
Thanks in advance
Mohit
|
|
|
|