coolestCoder wrote: This is a simple solution but creating dynamic queries is prone to SQL Injection attacks. Use stored procedures instead or use a parameterized command object.
I'm curious why you didn't just do that in your example. It seems to me to be somewhat disingenuous to offer a solution with known security problems and then point out the problems, when it would have been just as quick to write a version without those problems.
Nekshan wrote: but it gives dashboardid of only loginname=hina.
Duh....
Nekshan wrote: what must i do to change my query for such result?
First, don't delete your questions after they are answered.
Second, I would reiterate that the questions you're asking show that you need to learn some basics before tackling this project. I can see you've found that if you keep asking here, we will write it all for you, but you will pay later for never learning a solid foundation to build on.
The obvious answer is to build a string that includes the login name and password, from the controls which were used to enter them. However, you'd do better to write a stored procedure, because this will help protect you from SQL injection attacks. A parameterised query would be an easier way to try to protect yourself in this regard.
The highlighted words are for your help figuring out how to use google to find out more info.
Christian Graus - Microsoft MVP - C++
Metal Musings - Rex and my new metal blog
Read the section "Parameterized Queries" of the following CP article: SQL Injection Attacks and Some Tips on How to Prevent Them. The other sections of the article are also worth reading.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook www.troschuetz.de
Since you seem to have a history of deleting your original question, I've reproduced it here in full so that anyone else with a similar problem can see exactly what is going on.
Nekshan wrote: SqlCommand cm = new SqlCommand("select dashboardid from dashboardlogin where (loginname = 'hina') AND (loginpswd = 'shaikh')", conn);
int i = Convert.ToInt32(cm.ExecuteScalar());
I have this query working properly, but it gives the dashboardid of only loginname=hina.
But I want the dashboardid of the person who logs in to the system (this code is on the login form); whoever logs in to the system, his dashboardid must be put in variable 'i'.
What must I do to change my query for such a result?
thank you.
nekshan.
SqlCommand cm = new SqlCommand("SELECT dashboardid FROM dashboardlogin " +
    "WHERE loginname = @loginname AND loginpswd = @password", conn);
cm.Parameters.Add("@loginname", theLoginName);
cm.Parameters.Add("@password", thePassword);
object rawId = cm.ExecuteScalar();
// ExecuteScalar returns null when no row matched and DBNull.Value when the column itself is NULL
if (rawId == null || rawId == DBNull.Value)
{
    // The login wasn't found - handle this
}
else
{
    int id = (int)rawId;
    // Do stuff with the id
}
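As an added example (not code from any poster in this thread), the concatenated query the replies warn about is shown next to the parameterized version, including the ExecuteScalar null/DBNull handling. It assumes the dashboardlogin table from the question, an already open SqlConnection, and nvarchar(50) columns; the class and method names are mine.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example for this thread; not code from any of the posters.
// Assumes the dashboardlogin table from the question and an open SqlConnection.
public static class DashboardLogin
{
    // UNSAFE: the user's input becomes part of the SQL text, which is what the
    // replies warn about. A single quote in either value (a name like O'Brien,
    // or hostile input) changes the statement's structure instead of being data.
    public static string BuildUnsafeQuery(string loginName, string password)
    {
        return "SELECT dashboardid FROM dashboardlogin WHERE loginname = '"
             + loginName + "' AND loginpswd = '" + password + "'";
    }

    // SAFE: the values are sent as typed parameters, so SQL Server never parses
    // them as SQL; quotes and keywords in the input stay ordinary characters.
    // Returns false when no row matched, so "not found" is never mistaken for a
    // real dashboardid. (The column length of 50 is an assumption.)
    public static bool TryGetDashboardId(SqlConnection conn, string loginName,
                                         string password, out int dashboardId)
    {
        dashboardId = 0;
        using (SqlCommand cm = new SqlCommand(
            "SELECT dashboardid FROM dashboardlogin " +
            "WHERE loginname = @loginname AND loginpswd = @password", conn))
        {
            cm.Parameters.Add("@loginname", SqlDbType.NVarChar, 50).Value = loginName;
            cm.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;

            // ExecuteScalar returns null for an empty result set and DBNull.Value
            // for a NULL column; a cast or Int32.Parse would throw on either.
            object raw = cm.ExecuteScalar();
            if (raw == null || raw == DBNull.Value)
                return false;
            dashboardId = Convert.ToInt32(raw);
            return true;
        }
    }
}
```

BuildUnsafeQuery is included only to make the contrast visible; the parameterized TryGetDashboardId is the form to use on the login form.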
Nekshan wrote: int s = Convert.ToString(cm.ExecuteScalar());
In C# you cannot assign a string to int. Try-
int s = Int32.Parse(cm.ExecuteScalar().ToString());
CAUTION: What if your database has a null value or some string value in the field being retrieved? This would raise an exception in the Parse method. The best practice is to use exception handling and to check whether the returned values are not null. Also apply proper constraints on the database to avoid these kinds of errors.
"A good programmer is someone who looks both ways before crossing a one-way street." -- Doug Linder
coolestCoder
Nekshan wrote: int s = Convert.ToString(cm.ExecuteScalar());
It gives the error: Cannot implicitly convert type 'string' to 'int'.
If you want to put the return value into an integer variable, why do you convert it to a string? Cast the return value of ExecuteScalar to int directly.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook www.troschuetz.de
Hi
Try this:
SqlCommand cmd = new SqlCommand("select employeeid from employees where employeeid=1", conn);
int s = Convert.ToInt32(cmd.ExecuteScalar());
funEntrylogin(s, tb_id.Text, tb_pswd.Text, DateTime.Now, DateTime.Now);
hope this helps
greets
m@u
Nekshan wrote: int s = Convert.ToString(cm.ExecuteScalar());
In C# you cannot assign a string to int. Try-
int s = Int32.Parse(cm.ExecuteScalar().ToString());
CAUTION: What if your database has a null value or some string value in the field being retrieved? This would raise an exception in the Parse method. The best practice is to use exception handling and to check whether the returned values are not null. Also apply proper constraints on the database to avoid these kinds of errors.
funEntrylogin(s, tb_id.Text, tb_pswd.Text, DateTime.Now, DateTime.Now);
This is because you had an error in the initialization of that int. Correct it and this error will be gone.
"A good programmer is someone who looks both ways before crossing a one-way street." -- Doug Linder
coolestCoder
You've done it again you inconsiderate person!
DO NOT DELETE YOUR MESSAGES!!!
How can I open (visualize) a System.Windows.Forms.MenuItem of a System.Windows.Forms.MainMenu by code?
Maybe one could disassemble the ToolStripMenuItem and see what they are doing inside the ShowDropDown method. Or use the Windows API to really simulate a mouse click on the menu item.
How can I do this?
jaye
jaimeaye wrote: Maybe one could disassemble the ToolStripMenuItem and see what they are doing inside the ShowDropDown method.
You could do it yourself. The MSIL Disassembler-Tool (Ildasm.exe) is part of the Framework SDK. Information on its usage can be found on MSDN.
"Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning." - Rick Cook www.troschuetz.de
Hello,
How can I access the program path from a setup project after or during installation?
Greetings from Germany
Jerry
Confused with question
Thanks and Regards
Sandeep
You mean while installing the application? Hasn't the user given the path he wanted to install the application to?
Otherwise the program itself knows its path by using this variable:
Application.StartupPath
Hello,
No, I must find a third-party program's installation path and want to install my program there, because it needs files from this location. How can I solve this?
greetings
Maybe you should take a look at WMI and what it can offer in terms of retrieving the installation path of a software installed on a machine.
My application is in C# and it runs on a mobile device (it's a Symbol device). I want to start an exe in the '\Program Files' folder from my application. Can anyone tell me what command (line of code) to use?
I see that for playing .wav files there is 'Symbol.Audio.Controller'; is there any such thing for exe files?
Hello,
in the namespace "System.Diagnostics" you will find "Process" and "ProcessStartInfo" class.
Like:
using System.Diagnostics;
// Describe the process to launch: no shell, explicit working directory and executable path
ProcessStartInfo PSIYourProc = new ProcessStartInfo();
PSIYourProc.UseShellExecute = false;
PSIYourProc.WorkingDirectory = @"C:\...";
PSIYourProc.FileName = @"C:\...\xxx.exe";
Process PYourProc = Process.Start(PSIYourProc);
//Don't forget to dispose the Process if you don't need it anymore!
All the best
Martin
I included 'using System.Diagnostics;' in my headers. But I see that "Process" and "ProcessStartInfo" classes are not available for me in "System.Diagnostics".
Is there something else required ?
The classes I am seeing in "System.Diagnostics" are
- ConditionalAttribute;
- Debug;
- DebuggableAttribute;
- Debugger;
- DebuggerStepThroughAttribute;
- DefaultTraceListener;
- Trace;
- TraceListener;
- TraceListenerCollection;
Which version of the framework and OS are you using?
I am using
Microsoft .NET framework 1.1 (Version 1.1.4322 SP1) on a Windows XP system
OS Version on Mobile device is 05.01.0070
Try to find System.Diagnostics.dll in the .Net references for the project and give a reference to the same. I think that must be your problem.
"A good programmer is someone who looks both ways before crossing a one-way street." -- Doug Linder
coolestCoder
I'm trying to have two related tables appear in one datagridview with the ability to update/insert/delete. Here is a simplified version of what the table structure looks like:
Table1: Table1_ID, Order_No
Table2: Table2_ID, Part_No, Table1_ID
I have shown in datagridview: Order_No, and Part_No
But I am unable to update/insert.
Does anybody have an idea how update/insert operations work when the data is coming from two tables?
I am using visual studio 2005 / C#
Hi all,
I'm stuck. Please help me.
I would like to be able to change the Internet Explorer security settings/options from my own C# application, because my browser object seems to use the settings from Internet Explorer. Not sure if they can be separate or not (meaning for the browser object in my own application to have its own settings)? Is it doable? I've heard you do it through the registry, but all the info out there is very limited and I'm new to this.
Please if you can give me a sample code at least to point me in the right direction.
I would like to be able to specifically change the ActiveX setting Enable/Disable, and the JavaScript one.
Thanks SO MUCH!