Thanks for the link. Nice to know, but unfortunately it does not answer my question.
|
Richard A. Abbott wrote: Also have a read of ...
http://www.securitypronews.com/news/securitynews/spn-45-20061019MaliciousCodeInjectionNotJustforSQLAnymore.html#resume
Another article worth bookmarking
|
GentooBoxX wrote: is sql parameters really 100% secure, and how does it work?
As far as I know it is secure. I haven't run into any security breaches using SQL parameters. I pretty much stick to stored procedures. You may want to contact the author of the article I mentioned
Paul
|
I have never been able to execute an SQL injection attack on any of my applications that use SQL parameters, but there is always someone better knowing out there.
I will contact the author of the article you mentioned, did not even think of that for some weird reason.
|
GentooBoxX wrote: I have never been able to execute an SQL injection attack on any of my applications that use SQL parameters, but there is always someone better knowing out there
Same here and I'd like to also know if it's 100% secure. I am for the time going with that until someone out there proves otherwise
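
Added example, not part of the thread: how a bound parameter differs from string concatenation, shown with Python's sqlite3 module in place of SQL Server/ADO.NET. The table, the sample rows and the function names are constructed for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data for the demonstration.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "a-secret"), ("bob", "b-secret")])
    return db

def lookup_concatenated(db, name):
    # Vulnerable 'before' form: the input becomes part of the SQL text,
    # so a quote in it changes the structure of the statement.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [r[0] for r in db.execute(sql)]

def lookup_parameterized(db, name):
    # The statement is compiled with a placeholder; the value is bound
    # afterwards and is only ever compared as data.
    return [r[0] for r in db.execute(
        "SELECT secret FROM users WHERE name = ?", (name,))]

ALLOWED_SORT = {"name", "secret"}

def list_sorted(db, column):
    # Placeholders bind values, not identifiers. A column name has to be
    # checked against an allowlist before it is placed in the SQL text.
    if column not in ALLOWED_SORT:
        raise ValueError("unexpected sort column")
    return [r[0] for r in db.execute(
        f"SELECT name FROM users ORDER BY {column}")]

if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"                  # constructed test input
    print(lookup_concatenated(db, crafted))   # every row comes back
    print(lookup_parameterized(db, crafted))  # no row has that name
```

Stored procedures get the same protection only while they use their parameters as values; a procedure that concatenates a parameter into dynamic SQL text is back to the first form.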
|
Hi all.
I'm wondering if any of you would know of any articles and/or books regarding ways to keep track of who's been entering a particular record, modifying it, etc. I'm working on something right now that I would like to have something like it in place.
I can think of putting a couple of fields, last_modified_by and date_of_mod, into each table which see the need for tracking, but that seems clunky. It would work well enough for this project as only a few people will be using it and it's not very big but when I start getting into the bigger stuff, I'm sure that will break down.
So, if anybody knows of any good references, please, send it along.
Thanks,
Keith
|
Keith Andersch wrote: I can think of putting a couple of fields, last_modified_by and date_of_mod, into each table which see the need for tracking, but that seems clunky. It would work well enough for this project as only a few people will be using it and it's not very big but when I start getting into the bigger stuff, I'm sure that will break down
That is a start. I don't see why it would be a problem when you add more users to the system, though.
You might want to have a separate table for keeping the audit trail rather than adding fields to the existing tables.
|
I have seen and used that strategy in many projects and it generally works well. On projects that require closer auditing, I use triggers to log changes to another database. That way, even admins' changes through queries are logged. The data generated by this method is heavily taxing on database resources and may not scale well to very high transaction volumes (only load tests can show the truth).
Scott
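
Added example, not part of the thread: trigger-based auditing as described in the post above, run against SQLite through Python's sqlite3 module instead of SQL Server. The schema and names are constructed; the audit table lives in the same database here, and because SQLite has no login identity the "who" column is left out (on SQL Server the trigger could also record the login, for example with SUSER_SNAME()).

```python
import sqlite3

# Constructed schema: one business table, one audit table, two triggers.
SCHEMA = """
CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, credit_limit INTEGER);
CREATE TABLE customer_audit (
    audit_id   INTEGER PRIMARY KEY AUTOINCREMENT,
    action     TEXT NOT NULL,
    row_id     INTEGER NOT NULL,
    old_limit  INTEGER,
    new_limit  INTEGER,
    changed_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
CREATE TRIGGER customer_upd AFTER UPDATE ON customer
BEGIN
    INSERT INTO customer_audit (action, row_id, old_limit, new_limit)
    VALUES ('UPDATE', OLD.id, OLD.credit_limit, NEW.credit_limit);
END;
CREATE TRIGGER customer_del AFTER DELETE ON customer
BEGIN
    INSERT INTO customer_audit (action, row_id, old_limit, new_limit)
    VALUES ('DELETE', OLD.id, OLD.credit_limit, NULL);
END;
"""

def audit_demo():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO customer VALUES (1, 'Acme', 1000)")
    # Ad-hoc statements, as typed into a query window: no application
    # code runs, yet the triggers still write the audit rows.
    db.execute("UPDATE customer SET credit_limit = 9000 WHERE id = 1")
    db.execute("DELETE FROM customer WHERE id = 1")
    return db.execute(
        "SELECT action, row_id, old_limit, new_limit "
        "FROM customer_audit ORDER BY audit_id").fetchall()

if __name__ == "__main__":
    for row in audit_demo():
        print(row)
```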
|
Scott Serl wrote: On projects that require closer auditing, I use triggers to log changes to another database. That way, even admins' changes through queries are logged.
Excellent point
|
How can I connect to Sql database without using SqlClient? Thanks.
Vasini
|
using oledb client
Parwej Ahamad
http://parwej.spaces.live.com/
|
As far as I know, oled is for Oracle database. But my question here is, how can I connect to SQLServer database without using sqlclient?
Thanks.
Vasini
|
vasini wrote: As far as I know, oled is for Oracle database. But my question here is, how can I connect to SQLServer database without using sqlclient?
OleDb allows connections to many different DB types including SQL Server.
Why don't you want to use the native Sql class?
|
oledb is used for all databases like Oracle, SQL Server, MS Access, etc.
Parwej Ahamad
http://parwej.spaces.live.com/
|
Why do you want to do this? This makes no sense
'A programmer is just a tool which converts caffeine into code'
|
I know how to read string values from an Access db,
like:
CString strFields[5];
COleVariant varstring;
for (int field = 0; field < 5; field++)
{
    // read column 'field' of the current record into the variant
    recordset.GetFieldValue(field, varstring);
    // copy the variant's string value into the array
    strFields[field] = V_BSTRT(&varstring);
}
Then the string values from the db go into strFields.
But what if I know the strFields and want to write them to update the db?
Does anyone know the adverse procedure?
|
Don't cross post and this subject is covered in several articles here on CodeProject. Do some work.
led mike
|
Dear friends,
Though I have been using MS SQL Server for a long time, for my current project the situation is somewhat different than before, and as such I need your advice.
The problem is that I am working on a database in which there will be huge amounts of inserts in a table (approximately 5000 records per day). Actually we are storing the record of 'Traveller Cheques' issued by a bank. The bank issues around 5000 traveller cheques per day and these cheques are sorted by serial number. As such the user does not enter the serial number of each individual cheque and only enters the upper limit and lower limit of serial numbers. We want to enter an individual row in a table for each traveller cheque. So we are using a stored procedure which accepts the upper and lower limits of serial numbers. In this stored procedure, we take the lower limit and start a loop to insert an individual record of a Traveller Cheque in a table by incrementing the lower limit by one. This loop continues till we reach the upper limit. The stored procedure takes a few noticeable seconds to complete.
My questions are:
1) Is our approach correct? If not, then what is the better approach?
2) I am worried about the growth of the table; the worry is that with the passage of time the insert operation will become very slow. And I've never encountered this situation in the past. So, what is your suggestion?
3) I am inserting individual records because we want to track each individual Traveller Cheque later when someone purchases it and want to keep a record of who purchases which Traveller Cheque. As such there are also select and update operations involved in the table. And I am worried that these operations may take a long time to complete because of the huge number of records entered from time to time.
4) The primary key of the table is integer. And this key is referred to as a foreign key in other tables. I am worried that one day the maximum limit of integer will be reached. So how will I tackle this situation?
Imtiaz
|
Imtiaz Murtaza wrote: 4) The primary key of the table is integer. And this key is referred to as a foreign key in other tables. I am worried that one day the maximum limit of integer will be reached. So how will I tackle this situation?
With 5000 cheques a day, it would take more than 1000 years for you to beat the integer limit. The other tables may grow at a higher rate but unless each primary record has more than 50 child records, you are safe for the lifetime of the database (assuming a lifetime of 20 years - wow!).
With an appropriate set of indexes whose statistics are updated frequently and where fragmentation is managed when necessary, I don't see any problem with the INSERT/UPDATE operations. Make sure you write efficient SELECT queries to utilize the indexes.
I may also suggest that you implement some form of horizontal partitioning of your data to archive old data to reduce the active set of information that the query processor has to work with.
Finally, ensure that the hardware is up to the task. Watch your disk I/O, memory and CPU utilization and respond accordingly.
Nathan H. Omukwenyi
|
I'm a bit new at stored procedures. How do I create a table (with a stored procedure) with the following?
PageID - uniqueidentifier (not null)
pageTitle - text (not null)
DateCreated - DateTime (Null allowed)
count - integer (null allowed)
Thanks
|
Although it is not something I would recommend, the stored procedure would look like this:
CREATE PROCEDURE CreateTable
AS
CREATE TABLE myTable
(
PageID uniqueidentifier NOT NULL,
pageTitle varchar(max) NOT NULL,
DateCreated dateTime NULL,
Count int NULL
)
GO
Of course, you can't call this procedure more than once unless you change the table to a temporary one (by using the # or ## prefixes on the table name depending on the scope) or by dropping the table first. Your application logic will determine what you actually need to do.
Nathan H. Omukwenyi
|
It's simple, you can use this ...
CREATE TABLE tbl_tableName
(
PageID uniqueidentifier NOT NULL,
pageTitle varchar(max) NOT NULL,
DateCreated dateTime NULL,
Count int NULL
)
Cheer
Pavan Pareta
|
Is there a way to have a server automatically send out an email on a certain date? For example, if it was someone's birthday, an email saying happy birthday would automatically be sent out.
Using: ASP.Net
Dileep.M
|
For this type of functionality, you will need a constantly running program or at least one that executes automatically once a day. This can be done inside of SQL Server using a SQL Job. This can also be implemented as a service on any system.
ASP.Net/IIS is not the technology I would use to implement this functionality. I am sure there is some way to get it done, but it would be on the bottom of my list of the tools to use.
|
I am a new learner of DAO database operations through MFC and Access. For now I am trying to write a program that saves two values from two edit boxes to a column of an MS Access 2000 table. There are not many samples available. Could anyone write a little sample code or guide me to a tutorial? The MSDN explanation seems a bit difficult and abstract for me.
|