There is nothing wrong with getting user input directly if you sanitise it (which you will still need to do with databinding) and use parameterised queries. See the article; it explains how to go from injecting values directly into a SQL statement to using parameterised queries.
mfcuser wrote: I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
I still have a problem with sanitization. Assume that the user is going to insert or update a field in a table. The user types something in the textbox. The word or phrase the user types can be anything: a word, letter, number, special character or a mixture. There is no way I can determine that in advance. So how can I sanitize that?
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it; the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries, but it is worth it from a security standpoint.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
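The difference the replies above describe, as an added example that is not from the thread or from Colin's article: the same INSERT written by concatenating the text box contents into the SQL, and written with SqlCommand parameters. It assumes a Customers table with Name and Notes columns and a connection string; both are constructed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumes a table
// Customers(Name nvarchar(100), Notes nvarchar(max)) exists.
static class CustomerRepository
{
    // Vulnerable: whatever the user typed becomes part of the SQL text,
    // so a value containing a quote changes the statement, not just the data.
    public static void InsertUnsafe(string connectionString, string name, string notes)
    {
        string sql = "INSERT INTO Customers (Name, Notes) VALUES ('" + name + "', '" + notes + "')";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Safe: the SQL text is fixed and the values travel as typed parameters.
    // Quotes, semicolons or anything else in the text box are stored literally.
    // Length or format checks on the input are still your job; parameters only
    // stop the value from being interpreted as SQL.
    public static int InsertSafe(string connectionString, string name, string notes)
    {
        const string sql = "INSERT INTO Customers (Name, Notes) VALUES (@name, @notes)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@notes", SqlDbType.NVarChar, -1).Value = notes; // -1 = nvarchar(max)
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }
}
```

From a form you would call InsertSafe(connectionString, txtName.Text, txtNotes.Text) and never build the statement from the Text properties yourself.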
I was just thinking about that. This is what I will do before passing the data.
mfcuser wrote: Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You should take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't, nor is it to be considered a good way to code), but it will teach you a fair bit about what is going on under the hood.
Colin Angus Mackay wrote: look at the code the wizards produce. It isn't the nicest thing to read
Yep, that sure is the truth
If you try to write that in English, I might be able to understand more than a fraction of it. - Guffa
What's the best way to convert an object to a byte array? For example, I have a DataTable and I need to convert it to a Byte[]. I tried this:

dt = ds.Tables["Orders"];

object obj = new object();
obj = (object)dt;

Byte[] byteTable = (Byte[])obj; // InvalidCastException: a DataTable is not a Byte[]

I don't get a run-time error at line 4. Byte[] byteTable = (Byte[])obj; invalid casting. Any help?
:Gong: Welcome to 吐 西批 :Gong:
using System;
using System.Data;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

MemoryStream memStream1 = new MemoryStream();
BinaryFormatter formatter = new BinaryFormatter();
formatter.Serialize(memStream1, obj);
// ToArray() returns exactly the written bytes; GetBuffer() would also return
// the unused tail of the internal buffer
byte[] bytes = memStream1.ToArray();
memStream1.Close();

// Only deserialize bytes you produced yourself: BinaryFormatter will
// instantiate whatever types the byte stream names
MemoryStream memStream2 = new MemoryStream(bytes);
object obj2 = formatter.Deserialize(memStream2);
DataTable dt2 = (DataTable)obj2;
Console.WriteLine(dt2.Rows.Count);
Console.ReadLine();
:Gong: Welcome to 吐 西批 :Gong:
You can use this.

using System.Data;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

dt = ds.Tables["Orders"];
MemoryStream ms = new MemoryStream();
BinaryFormatter formatter = new BinaryFormatter();
// To convert to byte array
formatter.Serialize(ms, dt);
byte[] arr = ms.ToArray();
// To reconvert to data table: rewind first. After Serialize the stream
// position is at the end, so Deserialize would fail without this.
ms.Position = 0;
dt = (DataTable)formatter.Deserialize(ms);

Hope this helps...
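The same round trip as the two replies above, as an added example that is not from the thread: it carries the DataTable through byte[] using the DataSet XML format with an embedded schema instead of BinaryFormatter, so that turning the bytes back into a table cannot instantiate arbitrary types. The sample Orders table is constructed inline; everything else is standard System.Data.

```csharp
using System;
using System.Data;
using System.IO;

// Added example, not code from the thread. DataSet.WriteXml/ReadXml replace
// BinaryFormatter; the WriteSchema mode keeps column names and types.
static class DataTableBytes
{
    public static byte[] ToBytes(DataTable table)
    {
        var ds = new DataSet("Container");
        using (var ms = new MemoryStream())
        {
            ds.Tables.Add(table.Copy()); // Copy: a table may belong to only one DataSet
            ds.WriteXml(ms, XmlWriteMode.WriteSchema);
            return ms.ToArray();         // ToArray, not GetBuffer: no trailing slack bytes
        }
    }

    public static DataTable FromBytes(byte[] bytes)
    {
        var ds = new DataSet();
        using (var ms = new MemoryStream(bytes))
        {
            ds.ReadXml(ms, XmlReadMode.ReadSchema); // schema comes from the bytes themselves
        }
        DataTable table = ds.Tables[0];
        ds.Tables.Remove(table); // detach so the caller can put it in its own DataSet
        return table;
    }

    public static void Main()
    {
        // Constructed sample data standing in for ds.Tables["Orders"].
        var orders = new DataTable("Orders");
        orders.Columns.Add("OrderId", typeof(int));
        orders.Columns.Add("Customer", typeof(string));
        orders.Rows.Add(1, "Alice");
        orders.Rows.Add(2, "Bob");

        byte[] bytes = ToBytes(orders);
        DataTable back = FromBytes(bytes);
        Console.WriteLine(back.TableName + ": " + back.Rows.Count + " rows from " + bytes.Length + " bytes");
    }
}
```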
Hi,
Is there any way to detect HTTP errors (like 404) with the .NET 2.0 WebBrowser object?
I have a WebBrowser object in my form. It navigates to some addresses periodically. These addresses sometimes return an error, like HTTP 404 or 500 and so on. I want to handle these errors in my form, but I could not find a way to do this.
Thanks
-- modified at 7:20 Wednesday 6th December, 2006
ozgur.nevres
This is not what I mean. Let me explain my problem:
I have a WebBrowser object in my form. It navigates to some addresses periodically. These addresses sometimes return an error, like HTTP 404 or 500 and so on. I want to handle these errors in my form, but I could not find a way to do this.
ozgur.nevres
Perhaps this[^] article will help? In particular, handle the NavigateError event.
/ravi
Hi everyone,
This is my problem:

private void btnColorFac_Click(object sender, EventArgs e)
{
    int i = 1;
    int j = 0;
    string val;
    val = dgMatrix.Rows[2].Cells[2].Value.ToString(); // This part of the code works correctly, no problem
    if (val[0] == '2')
    {
        dgMatrix.Rows[2].Cells[2].Style.BackColor = Color.Tan;
    }
    while (j != Classes)
    {
        for (i = 0; i < Periods; i++)
        {
            val = dgMatrix.Rows[j].Cells[i].Value.ToString(); // Here is the problem, it says that Value = NULL !!!!
            if (val[0] == '1')
            {
                dgMatrix.Rows[j].Cells[i].Style.BackColor = Color.Tan;
            }
        }
        j++;
    }
}

I don't know what to do.
Any hint will be very much appreciated.
Thanks in advance.
Can you give us a non-code explanation of what you're trying to do? It will help us understand your goal and either help us find the problem with your code, or potentially allow us to give you another way to achieve what you want.
Well..
I have a program that performs (or applies, you may say) some algorithms on a matrix. This matrix contains the code of some faculties + subject code (numbers), for example faculty of computer science + software engineering subject = 21034, etc.
I represented the matrix on a DataGridView called "dgmatrix" and I'm trying to color the faculties to distinguish them, so I'm trying to get to every cell, check the first number, which represents the faculty, and then color it with the color I choose. That's all. Hope you got the idea.
Waiting for your reply
Best regards
Can anybody give me the regular expression validator for a date?
It should be in the following format, for example: 31/11/2006 (dd/mm/yyyy).
I need it quickly.
Thanks.
quiteSmart wrote: I need it quickly
Then go Here[^]. People answer questions on this board in their own time. If you need an answer urgently then STFW.
For the formats
dd/mm/yyyy
dd-mm-yyyy
dd.mm.yyyy
(0[1-9]|[12][0-9]|3[01])[- /.](0[1-9]|1[012])[- /.](19|20)\d\d
A regular expression cannot validate that the input is a valid date, only that it looks like a date.
---
b { font-weight: normal; }
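The gap Guffa points out, as an added example that is not from the thread: the pattern from the reply above accepts 31/11/2006, the very date in the question, while a calendar-aware parse rejects it. It assumes C#/.NET; the inputs are constructed for the example, and the regex is anchored the way a RegularExpressionValidator applies it (whole input must match).

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;

// Added example, not code from the thread.
static class DateInputCheck
{
    // Same pattern as the reply above, anchored so the whole input must match.
    static readonly Regex DatePattern = new Regex(
        @"^(0[1-9]|[12][0-9]|3[01])[- /.](0[1-9]|1[012])[- /.](19|20)\d\d$");

    // Shape check only: "31/11/2006" passes although November has 30 days.
    public static bool LooksLikeDate(string input)
    {
        return DatePattern.IsMatch(input);
    }

    // Calendar check: accepts only dates that exist, in the separators the
    // regex allows. Culture is pinned so "dd/MM" is never read as "MM/dd".
    public static bool IsRealDate(string input, out DateTime value)
    {
        string[] formats = { "dd/MM/yyyy", "dd-MM-yyyy", "dd.MM.yyyy", "dd MM yyyy" };
        return DateTime.TryParseExact(input, formats, CultureInfo.InvariantCulture,
                                      DateTimeStyles.None, out value);
    }

    public static void Main()
    {
        // Constructed inputs; the first is the example from the question.
        string[] samples = { "31/11/2006", "29/02/2007", "29/02/2008", "01/13/2006", "1/1/2006" };
        foreach (string s in samples)
        {
            DateTime d;
            Console.WriteLine("{0,-12} regex: {1,-5} calendar: {2}",
                              s, LooksLikeDate(s), IsRealDate(s, out d));
        }
    }
}
```

Use the regex on the client for quick feedback if you like, but make the TryParseExact result the one the server trusts.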
I love the people who say "I need it quickly". Does that equate to "Stop what you're doing, and answer my question!!!"?
How about changing the tone to "I'm in a bind, with the boss breathing down my back"
Perhaps you should reply to the original poster?
---
b { font-weight: normal; }
Dear Friends,
I want to make a project planner, like Visio. Any idea you can give me for that? How can I design that control? Please help me.
Haridas.R
harisofttech@gmail.com
harisofttech@hotmail.com (online)
harizeenet@yahoo.co.in(online)
"Achievement is not a destination, it's a journey"