|
mrkeivan wrote: OleDbCommand Cmd = new OleDbCommand("Select PassCode from Password where UserID = '" + ID.Text + "'", VerificationConn);
Concatenating text to create SQL queries is a huge security risk. You should use parameterized queries. See this article for more information:
SQL Injection Attacks and Some Tips on How to Prevent Them
Luis Alonso Ramos
Intelectix
Chihuahua, Mexico Not much here: My CP Blog!
|
Hey, two questions guys:
1. Visio - Database Model Diagram: I have two tables:
table 1 (Parent): Group {PK: GroupUIN, Attributes: Name, Desc}
table 2 (Child): User {PK: UserUIN, Attributes: ParentGroupUIN, Name, Desc}
I connected the two entities with a "Relationship". Under the "Miscellaneous" tab, I specified the relationship cardinality: one Group can relate to "Zero or More" User. I am having a hard time "showing" the cardinality in the ER diagram (as opposed to just under the "Miscellaneous" tab).
2. How can I generate SQL scripts from Visio ER/Database Diagrams?
Thanks.
|
I have an algorithm in old C/CPP code that will update tables in an Access database. The database is very large and many records are affected. Unfortunately the MaxLocksPerFile limit gets exceeded. After some research I have a bit more information. That limit can be changed in the registry. The default is 9500 locks. I was wondering if anyone knew of a way to get the current MaxLocksPerFile count. I would like to be able to see how the MaxLocksPerFile count changes as records are being modified. I would like to be able to get around this error without needing to change that limit if at all possible. More information is available at http://support.microsoft.com/kb/q173006/ if anybody else is having a similar problem. Any thoughts or ideas would be greatly appreciated.
|
Hello!
I have a problem with accomplishing task mentioned in a subject.
I want to transfer data from MS SQL server database to Ms Access database in Visual Basic.
Till this moment I only achieved to create an empty MS Access database (only structure:tables with fields, but without types). This is done with this simple code:
Set rs = dataEnv.sqlCon.OpenSchema(adSchemaTables, criteriaTables)

While Not rs.EOF
    criteriaFields(2) = rs!TABLE_NAME
    Set cs = dataEnv.sqlCon.OpenSchema(adSchemaColumns, criteriaFields)
    Set msTbl = msDb.CreateTableDef(rs!TABLE_NAME)
    While Not cs.EOF
        With msTbl
            .Fields.Append .CreateField(cs!COLUMN_NAME, dbLong)
        End With
        cs.MoveNext
    Wend
    msDb.TableDefs.Append msTbl
    rs.MoveNext
Wend
msDb.Close
Can anyone tell me how to copy contents of tables?
Thanks in advance!
Greetings!
Daniel
|
private void button1_Click(object sender, EventArgs e)
{
    string strDSN = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=c:\\db4.MDB";
    string strSQL = "SELECT * FROM ta1";
    OleDbConnection myConn = new OleDbConnection(strDSN);
    OleDbDataAdapter myCmd = new OleDbDataAdapter(strSQL, myConn);
    DataSet dtSet = new DataSet();
    string sqlQuery = "SELECT Name,Password FROM ta1 where Name = '" + textBox1.Text.ToString() + "' AND Password= '" + textBox2.Text.ToString() + "'";
    myCmd.SelectCommand.CommandText = sqlQuery;
    int numberOfRowsFeched = myCmd.Fill(dtSet, "ta1");
    if (numberOfRowsFeched > 0)
    {
        try
        {
            myCmd.UpdateCommand.CommandText = "UPDATE Users SET " + "Password = '" + textBox3.Text + "'" + " WHERE Name = '" + textBox1.Text + "'";
            myCmd.UpdateCommand.Connection = myConn;
            myCmd.UpdateCommand.ExecuteNonQuery();
            MessageBox.Show("Record updated Successfully");
            textBox1.Text = "";
            textBox2.Text = "";
            textBox3.Text = "";
        }
        catch (System.Data.OleDb.OleDbException exp)
        {
            myConn.Close();
            MessageBox.Show(exp.Message);
        }
    }
    else
    {
        MessageBox.Show("wrong Name Or Password", "Password", MessageBoxButtons.OK, MessageBoxIcon.Information);
        textBox1.Text = "";
        textBox2.Text = "";
        textBox3.Text = "";
    }
}
message : http://www.cpestudents.net/upload/up/54.gif
|
These keywords, SET " + "Password, result in SETPassword in the SQL command. You have to separate them with a space; just put a space character before Password, like this:
SET " + " Password
_____________________
Proud to be Albanian
_____________________
|
mm310 wrote: what is wrong in this code
You have left it wide open to SQL Injection Attacks. While the other response you got will apparently fix your problem it still leaves your code open to attack.
You should read: SQL Injection Attacks and Tips on How to Prevent Them
This will explain a better way to perform your queries that will solve your problem AND make your code safer - Especially for code dealing with a login. What you have here is unforgivable and any tutorial that you have read that suggests you build SQL this way should be recalled and the author lined up and shot! (in my opinion). No wonder Software Developers have a bad reputation when it comes to security if developers think that concatenating strings together to form a SQL query is acceptable on a day-to-day basis. String concatenation as a way to build a SQL statement should only be done after careful consideration that there is absolutely no other way to achieve the desired result.
Sorry for my rant. It isn't your fault - You've obviously read the wrong tutorials and have picked up some extremely dangerous habits.
ColinMackay.net
Scottish Developers are looking for speakers for user group sessions over the next few months. Do you want to know more?
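Added example, not part of any post in the thread: the two concatenated queries above (mrkeivan's PassCode lookup and mm310's login check and password update) rewritten with OleDb parameters, as both replies recommend. The class and method names, the connection string argument and the 50-character parameter size are assumptions; table and column names follow the posted code, using ta1 throughout where the original update names Users.

```csharp
using System;
using System.Data.OleDb;

// Added example (not code from the thread). Names marked "assumed" are illustrative.
static class ParameterizedQueries   // assumed class name
{
    // mrkeivan's lookup: the user ID is bound as data, never spliced into the SQL text.
    public static object GetPassCode(OleDbConnection conn, string userId)
    {
        using (var cmd = new OleDbCommand(
            "SELECT PassCode FROM [Password] WHERE UserID = ?", conn))
        {
            cmd.Parameters.Add("@id", OleDbType.VarWChar, 50).Value = userId;
            return cmd.ExecuteScalar();   // null when no row matches
        }
    }

    // mm310's login check followed by the password update.
    // Passwords are compared as stored, exactly as the posted code does.
    public static bool ChangePassword(string connStr, string name,
                                      string oldPwd, string newPwd)
    {
        using (var conn = new OleDbConnection(connStr))
        {
            conn.Open();
            // OleDb binds ? placeholders by position: parameters must be added
            // in the order they appear; the @names are only labels.
            // [Name] and [Password] are bracketed so they cannot clash with reserved words.
            using (var check = new OleDbCommand(
                "SELECT COUNT(*) FROM ta1 WHERE [Name] = ? AND [Password] = ?", conn))
            {
                check.Parameters.Add("@name", OleDbType.VarWChar, 50).Value = name;
                check.Parameters.Add("@old", OleDbType.VarWChar, 50).Value = oldPwd;
                if (Convert.ToInt32(check.ExecuteScalar()) == 0)
                    return false;   // wrong name or password
            }
            using (var update = new OleDbCommand(
                "UPDATE ta1 SET [Password] = ? WHERE [Name] = ?", conn))
            {
                update.Parameters.Add("@new", OleDbType.VarWChar, 50).Value = newPwd;
                update.Parameters.Add("@name", OleDbType.VarWChar, 50).Value = name;
                return update.ExecuteNonQuery() == 1;   // exactly one row changed
            }
        }
    }
}
```

A value such as O'Brien now reaches the database as a single string, where the concatenated versions would have produced malformed or altered SQL.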
|
Hi!,
Most of you will be aware of a critical update on Sql server from Microsoft, it is called SQLCritUpdPkg_ENU.exe, I executed this exe, but it was unsuccessful. I am a local administrator on this machine.
Is there someone out there who can help! me on this please!!!!!?
Thank you.
happy coding!
|
What SP do you have installed on your machine? SP3 or later are secured against the worm so they don't need the update you want to install.
André
'A programmer is just a tool which converts caffeine into code'
|
I am running SP4 on Sql 2000.
Original Problem: I was unable to connect to my dev Sql server from my UAT enterprise manager. It came up with the error message as follows: SQL Server does not exist or access denied. ConnectionOpen(Connect()). I did a lot of googling but to no avail, finally I got to this web page http://www.doughughes.net/index.cfm?event=ViewEntry&entryId=91.
Then I downloaded SQLCritUpdWiz_ENU.exe and tried to execute it. I am a System administrator on this machine. However, I am unable to run this, it comes up with a message, Critical Update Unsuccessful.
System Info: My OS is win XP Pro(SP2) and SQL server is 2K SP4.
I have also tried to connect to the SQL server using port numbers via Server Network Utility and Client Network Utility, it didn't work.
Any more ideas?
happy coding!
|
The update is for SP1 and SP2, not for SP4 of SQL Server 2000.
Do you have access to the sql server from other tools? Is the connection string correct?
I never had such problems with SQL Server 2000 (German, Developer Edition + SP3).
André
'A programmer is just a tool which converts caffeine into code'
|
Hey guess what !!!!!!
I am in Cloud Nine..........I have cracked it.
When you have a default instance of Sql Server 2000 on win xp pro (SP2), you need to change security settings in the exception tab of the Windows firewall.
Have a look at this article, this was like a missile to kill my frustration.
"http://support.microsoft.com/kb/841251/"
happy coding!
|
Suj_78 wrote: When you have a default instance of Sql Server 2000 on win xp pro (SP2), you need to change security settings in the exception tab of the Windows firewall.
That's why I didn't have trouble. I disabled the firewall and so I don't have these problems. So happy SQLing
'A programmer is just a tool which converts caffeine into code'
|
Why can't I do this: (This is within a stored proc)
DECLARE @STREAM varchar(2)
DECLARE @METHOD_VERSION VARCHAR(10)
SET @STREAM = dbo.udfSplit (@Msg, ',', 2)
CASE LEFT(@STREAM,1)
WHEN '7' THEN SET @METHOD_VERSION = 'CX'
WHEN '8' SET @METHOD_VERSION = 'DX'
END
Is my understanding that all Switch statements in SQL must be within a query statement correct?
If so it will explain why this won't work.
|
evilnoodle wrote: Is my understanding that all Switch statements in SQL must be within a query statement correct?
Yes.
evilnoodle wrote: If so it will explain why this won't work.
Because it isn't in a query statement context. You are using it in a control flow context.
Try something like this:
SET @METHOD_VERSION = CASE LEFT(@STREAM, 1) WHEN '7' THEN 'CX' WHEN '8' THEN 'DX' END
ColinMackay.net
Scottish Developers are looking for speakers for user group sessions over the next few months. Do you want to know more?
|
How to display an image in a datagrid in vb.net from the SQL Server where the image is stored in byte form in IMAGE field...
|
Does anybody know of an open source list of countries, cities, states in various languages in any DB format (SQL SERVER, ORACLE, ACCESS, MYSQL etc...)?
Thanks in advance!
ilan.
|
Hi.
I use VS 2005 and ADO.NET 2.0.
The simplest example:
I have DataSet with one DataTable ('Person')
The 'Person' Table has 3 columns:
1.ID -> Autoincrement=True
2.LastName
3.FirstName
On my form I have DataGridView Control and BindingNavigator.
Using BindingNavigator's 'AddNewItem' button, I add new
DataRow to my 'Person' Table then
ID = 1 and I repeat this 3 times.
After that I use BindingNavigator's 'DeleteItem' to remove
last DataRow (ID = 3) from 'Person' Table.
Now, when I add NewItem once again I have new DataRow with
ID = 4.
How can I reset this value back to '3' in autoincrement column?
Somebody can help me, please?
Thanks.
|
I have no idea how to accomplish this with either an Autoincrement property or using triggers with sequences. But I do know that since these types of columns are mostly used for primary keys, where the values typically have no relationship to the rest of the data in the row, what reason do you have for wanting some control on the next value after some delete operation has occurred. Consider as well, what happens when you delete where ID = 2; Should the next add do an insert with a value of 2 and then the next add use 4?
Chris Meech
I am Canadian. [heard in a local bar]
When I want privacy, I'll close the bathroom door. [Stan Shannon]
BAD DAY FOR: Friendly competition, as Ford Motor Co. declared the employee parking lot at its truck plant in Dearborn, Mich., off limits to vehicles built by rival companies. Workers have to drive a Ford to work, or park across the street. [CNNMoney.com]
Nice sig! [Tim Deveaux on Matt Newman's sig with a quote from me]
|
Typically you shouldn't need to set it back to '3' (and if you DO need to set it back, then there may be a fault in your design). It is common to have these "holes" in key/identity columns in databases. My recommendation would be don't worry about it... leave it as '4'.
~Steve
www.roundpolygons.com
|
Hi Guys.
Thank you for all the responses.
Answering to Steve's question: My only problem was,
if I do everything OK (just out of sheer curiosity).
Now I know that it's a problem which isn't open to discussion.
Once again Thanks.
|
Hi database people,
If I have a table with one column (col) and these rows:
A
A
B
C
C
C
NULL
NULL
and I run the query:
select col, count(col) group by col
I get:
A 2
B 1
C 3
NULL 0
How would I change it so that I got the count of nulls (ie. 2) rather than 0?
Any help appreciated!
Regards,
Rob Philpott.
|
Give NULL a value that can be counted.
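SELECT
    ISNULL(col, 'NULL') AS col,
    -- COUNT(col) skips NULLs, so count the substituted value instead
    COUNT(ISNULL(col, 'NULL'))
FROM your_table -- placeholder: the table name is not given in the thread
GROUP BY
    col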
|
yeah, that would do it. Thanks for the reply but if I want to see the count of null alongside the other results?
eg.
A 2
B 1
C 3
NULL 2
?
Regards,
Rob Philpott.
|
I believe it does put it alongside.
|