|
Thank you, I may have missed that
|
|
|
|
|
In terms of SQL code generation, check out proper databinding and the dataAdapter class. This allows you to set up a query through an adapter, and then bind a textbox to a column(and specific row if necessary) of the result. The dataAdapter will automatically do the SQL generation for loading from / saving back to the db for you. Its good stuff.
Check out here[^] for Databinding basics (its in VB, but the concepts are the same), and here[^] for a more advanced view at things (the book is great, I use it all the time as a reference).
|
|
|
|
|
That is good, I will look at that. I have just print out the article. Since I am new to database, I have asked this question before, but nobody answered me.
here is it and it is from this link
http://www.codeproject.com/script/comments/forums.asp?msg=1785663&forumid=1649&mode=all&userid=191012#xx1785663xx[^]
============================================
I want to know which one is better. I see a better benefit on scripting, since any change on the database will enable you to change some code. Here is what I am talking about
Assume that I arleady know the database. For instance, I want to connect to an company database to read some information about employee names. Now, I can have a sample of that database and use a wizad to do that. Or I can use the oldbconnection and use sql command to do that. What I like with the wizard, is the fact that every field from the database can be pulled up with intellisense. And very easy to connect those field or the database to windows form component.
The problem I see in the wizard, if you don't know much about that dabase in advance and whant to read some field on it. I also see more people or book use the scripting than the wizard.
Anyway, all what I want to know which one is better to use; the database wizard or the sql command string which is related to ado.
|
|
|
|
|
You should never use textbox text directly inside your Sql query. See Colin's article on it
http://www.codeproject.com/cs/database/SqlInjectionAttacks.asp[^]
Arthur Dent - "That would explain it. All my life I've had this strange feeling that there's something big and sinister going on in the world."
Slartibartfast - "No. That's perfectly normal paranoia. Everybody in the universe gets that."
Deja View - the feeling that you've seen this post before.
|
|
|
|
|
I haven't read the article, but what I did, I passed it to another string. For example,
stringName = textBox.Txt; I don't see the difference
|
|
|
|
|
Yeah... that does nothing. You need to sanitize user input and that article will explain how.
The problem is if something like this happens...
The user enters "'); DELETE FROM TableName WHERE 0 = 0;" into your text box then the sql statement becomes:
INSERT INTO TableName(FieldName) VALUES(''); DELETE FROM TableName WHERE 0 = 0;');
That means it inserts an empty string into the column and then deletes all rows from the table.
|
|
|
|
|
mfcuser wrote: stringName = textBox.Txt; I don't see the difference
That is still dangerous. Read Colin's article that Pete referred to
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
|
|
|
|
|
Now, I will start to use databinding rather than getting user input directly
|
|
|
|
|
There is nothing wrong with getting user input directly if you sanitise it (which you will still need to do with databinding) and use parameterised queries. See the article, it explains how to go from injecting values directly into a SQL Statement to using parameterised queries.
|
|
|
|
|
mfcuser wrote: I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
|
|
|
|
|
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
|
|
|
|
|
I still have a problem with sanitization. Assume that the user is going to insert or update a field from a table. The user types something on the textbox. The word or phrase the user types can be anything like "word, letter, number, especial charater or a mixture". There is no way I can determine that in advance. So how can I sanitize that?
|
|
|
|
|
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it, the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries but it is worth it from a security stand point.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
|
|
|
|
|
I was just thinking about that. This is what I will do before passing the data.
|
|
|
|
|
mfcuser wrote: Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You shuould take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't - neither is it to be considered a good way to code either) but it will teach you a fair bit about what is going on under the hood.
|
|
|
|
|
Colin Angus Mackay wrote: look at the code the wizards produce. It isn't the nicest thing to read
Yep, that sure is the truth
If you try to write that in English, I might be able to understand more than a fraction of it. - Guffa
|
|
|
|
|
What's the best way to convert an Object to byte array? For example I've a DataTable, I need to convert it to a Byte[]. I tried this..
<br />
dt = ds.Tables["Orders"];<br />
<br />
object obj = new object();<br />
obj = (object)dt;<br />
<br />
Byte[] byteTable = (Byte[])obj;
I dont get run-time error at line 4. Byte[] byteTable = (Byte[])obj; invalid Casting. Any help?
:Gong: 歡迎光臨 吐 西批 :Gong:
|
|
|
|
|
<br />
MemoryStream memStream1 = new MemoryStream();<br />
BinaryFormatter formatter = new BinaryFormatter();<br />
formatter.Serialize(memStream1, obj);<br />
byte [] bytes = memStream1.GetBuffer();<br />
memStream1.Close();<br />
<br />
MemoryStream memStream2 = new MemoryStream(bytes);<br />
object obj2 = (object)formatter.Deserialize(memStream2);<br />
DataTable dt2 = new DataTable("Table2");<br />
dt2= (DataTable)obj2;<br />
Console.WriteLine(dt2.Rows.Count);<br />
Console.ReadLine();<br />
:Gong: 歡迎光臨 吐 西批 :Gong:
|
|
|
|
|
You can use this.
dt = ds.Tables["Orders"];
MemoryStream ms = new MemoryStream();
BinaryFormatter formatter = new BinaryFormatter();
// To convert to byte array
formatter.Serialize(ms, dt);
byte[] arr = ms.ToArray();
// To reconvert to data table
if(ms.Read(arr, 0, arr.GetLength(0)) != -1)
dt = (DataTable)formatter.Deserialize(ms);
Hope this helps...
|
|
|
|
|
Hi,
is there any way to detect http errors (like 404) with .net2.0 WebBrowser object?
I have WebBrowser object in my form. It navigates some addresses periodically. These addresses sometimes returns an error, like http 404 or 500 or so on. I want to handle these errors in my form. But i could not find a way to do this.
Thanks
-- modified at 7:20 Wednesday 6th December, 2006
ozgur.nevres
|
|
|
|
|
|
This is not what i mean. Let me explain my problem:
I have WebBrowser object in my form. It navigates some addresses periodically. These addresses sometimes returns an error, like http 404 or 500 or so on. I want to handle these errors in my form. But i could not find a way to do this.
ozgur.nevres
|
|
|
|
|
Perhaps this[^] article will help? In particular, handle the NavigateError event.
/ravi
|
|
|
|
|
Hi every one
This is my problem..
private void btnColorFac_Click(object sender, EventArgs e)
{
int i = 1;
int j = 0;
string val;
val = dgMatrix.Rows[2].Cells[2].Value.ToString(); //This Part of code works Correctly No problem
if (val[0] == '2')
{
dgMatrix.Rows[2].Cells[2].Style.BackColor = Color.Tan;
}
while(j != Classes)
{
for (i = 0; i < Periods; i++)
{
-->val = dgMatrix.Rows[j].Cells[i].Value.ToString();// Here is the problem, it says That Value = NULL !!!!
if (val[0] == '1')
{
dgMatrix.Rows[j].Cells[i].Style.BackColor = Color.Tan;
}
}
j++;
}
}
I don't know what to do
any hint will be very appreciated
Thanks in advance.
|
|
|
|
|
Can you give us a non-code explanation of what you're trying to do? It will help us understand your goal and either help us find the problem with your code, or potentially allow us to give you another way to achieve what you want.
|
|
|
|