This is the problem with using string concatenation to build SQL queries. You open yourself up to SQL Injection attacks and you have to write a bunch of extra code to handle all the things a user can do to screw up your query.
Read this article by Colin Angus Mackey and you'll understand why what you're doing is a bad idea.
Convert this to a parameterized query and you'll solve your immediate problem, without writing a ton of code to handle character escapes.
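The point made above, as an added illustration that is not part of the thread: the same INSERT built by concatenation and built with parameters, run against a small constructed table. The example uses Python's built-in sqlite3 module rather than VB.NET and SqlClient purely so it runs anywhere without a SQL Server; the table, rows and the "O'Brien's region" input are made up for the demonstration. It shows the poster's immediate problem (an apostrophe in user input breaks the concatenated statement) and that the parameterized form takes the same input as plain data.

```python
import sqlite3


def make_db():
    # Constructed in-memory schema for the demonstration; not from the thread.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Region (RegionID INTEGER PRIMARY KEY, RegionDescription TEXT)"
    )
    return conn


def insert_concatenated(conn, region_id, desc):
    # The pattern the reply warns against: user-supplied text is pasted into
    # the SQL string, so any quote character in it changes the statement.
    sql = (
        "INSERT INTO Region (RegionID, RegionDescription) VALUES ("
        + str(region_id) + ", '" + desc + "')"
    )
    conn.execute(sql)


def insert_parameterized(conn, region_id, desc):
    # The SQL text is fixed; the values travel separately and are never
    # re-parsed as SQL, so no escaping code is needed in the application.
    conn.execute(
        "INSERT INTO Region (RegionID, RegionDescription) VALUES (?, ?)",
        (region_id, desc),
    )


def try_insert(insert_fn, desc):
    """Run one insert strategy against a fresh table and report what happened."""
    conn = make_db()
    try:
        insert_fn(conn, 1, desc)
        row = conn.execute(
            "SELECT RegionDescription FROM Region WHERE RegionID = 1"
        ).fetchone()
        return ("ok", row[0])
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (insert_concatenated, insert_parameterized):
        for text in ("myFirstRegion", "O'Brien's region"):
            print(fn.__name__, repr(text), "->", try_insert(fn, text))
```

The concatenated version only works while the input happens to contain no quote; the parameterized version stores "O'Brien's region" verbatim, which is exactly the behaviour the reply describes as solving the immediate problem without hand-written escaping.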
Thank you, I will read through that article.
I am not using this anywhere that it would be vulnerable to such an attack though, as I'm only creating this program as a hobby; my main job is networking.
But thank you.
P.S. If it is not being used for a business, do you think there would be much point in me going to the trouble of securing it against injection attacks?
There's nothing like learning the correct way to do something, even if you don't think you'll need it.
eyeball_2003 wrote: If it is not being used for a business, do you think there would be much point in me going to the trouble of securing it against injection attacks?
Yes.
1. The problem that you have is so closely linked to SQL injection that it's hard to solve it without learning anything about SQL injection.
2. Bad code has a tendency to spread. Even if it's not used in a business system now, some part of it might be in the future. "Hmm... Didn't I write some code for that before, that I can just copy and paste into this new system...?"
---
single minded; short sighted; long gone;
Number 2 is a valid point, thank you.
And it's always in my best interest to learn the correct way.
Thanks guys.
To use parameters in your insert statement use the following approach:
Imports System.Data
Imports System.Data.SqlClient

Public Sub SqlCommandPrepare()
    Dim id As Integer = 20
    Dim desc As String = "myFirstRegion"
    ' Using disposes the connection even if ExecuteNonQuery throws.
    Using rConn As New SqlConnection("Persist Security Info=False;" & _
        "Integrated Security=SSPI;database=northwind;server=mySQLServer")
        rConn.Open()
        Dim command As New SqlCommand("", rConn)
        ' Create and prepare an SQL statement. The values are sent as parameters,
        ' so the server never parses them as part of the SQL text.
        command.CommandText = "insert into Region (RegionID, RegionDescription) values (@id, @desc)"
        ' Declare the parameter types explicitly. Prepare() requires every
        ' variable-length parameter (such as @desc) to have a non-zero Size.
        command.Parameters.Add("@id", SqlDbType.Int).Value = id
        command.Parameters.Add("@desc", SqlDbType.NVarChar, 50).Value = desc
        command.Prepare() ' Call Prepare after having set the CommandText and parameters.
        command.ExecuteNonQuery()
        ' Change parameter values and call ExecuteNonQuery again.
        command.Parameters("@id").Value = 21
        command.Parameters("@desc").Value = "mySecondRegion"
        command.ExecuteNonQuery()
    End Using
End Sub
This example was copied from the MSDN website at
http://msdn2.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.prepare(VS.71).aspx
Matt Melick
Greetings again friends,
I again need your help... as always it's badly needed...
My problem is, when I change the column type into a ComboBoxColumn I can only change it from design time..
1.) How to change the columns using DataGridView into a ComboBoxColumn at runtime?
2.) How to populate the ComboBoxColumn at runtime? From code...
Links/sites/code are highly appreciated... thank you..
start a new beginning in every ending; thats what life for......
moomoooomoo wrote: 1.) How to change the columns using DataGridView into a ComboBoxColumn at runtime?
Create your own columns instead of relying on the designer to do it for you. You can't "modify" an existing column. It has to be removed and replaced by one your code creates.
moomoooomoo wrote: 2.) How to populate the ComboBoxColumn at runtime? From code...
That depends on where the data is coming from that you're trying to populate it with. Is it from a table in the database?? From a file?? Some data you have hard-coded??
Without further information, this is about the best anyone can tell you.
The data should come from a SQL database...
start a new beginning in every ending; thats what life for......
Create a second DataTable object with the IDs and data of the items that are going to appear in the ComboBoxColumn. Then create a new DataGridViewComboBoxColumn and bind it to this table.
' Retrieve the data for the combobox (SQLStuff.GetDate is a placeholder for
' whatever routine returns the lookup DataTable from your database).
Dim DataForCombo As DataTable = SQLStuff.GetDate()
' Create a new ComboBox column
Dim col As New DataGridViewComboBoxColumn
With col
    .HeaderText = "Column Header in DGV"
    .DataPropertyName = "ID column name in the table the DGV is showing"
    .DataSource = DataForCombo
    .ValueMember = "ID column name in DataForCombo table"
    .DisplayMember = "Column name for the data shown to the user in the ComboBox"
End With
DataGridView1.Columns.Add(col)
Hi there, is there any way to find out what language is the user using for his/her input keyboard language?
Hi,
I have created a small application (which you can download from the link below), which tells you about the system information.
http://www.speedyshare.com/692267716.html
Please do let me know if that was helpful...;)
Gary Bigman.
Software Engineer
ComponentOne LLC
www.componentone.com
Is there a way to send a message from one DLL to other DLLs which are NOT compiled into the same exe file?
Background:
We develop add-on functionality to a third party business system. When the business system fires up it embraces our DLLs specified in an XML file. We don't know exactly how this is done and the people we talk to at the third party company can't explain how it works/can't come up with a solution...
OK, now the tricky part: our DLLs have the same method base. For example a startup function, error handling and a session log off, clean up routine. The thing is I just want to fire the clean up function once, not in each DLL!
IF I knew a way for the first DLL to say to the other ones "hey, I've already done that" I would be home drinking coffee on my sofa. We can't build/compile the DLLs into one DLL, because they need to be "stand alone"/plug and play - we use different DLL combinations at different customers.
Any suggestion as to how the third party system "loads" the DLLs?
Am I able to "connect" to its namespace/work processes to see which DLLs it runs?
Can I use the references in the XML file to get hold of loaded DLLs?
I'd rather not have a "poor coder's" solution with temp files or status flags in the registry. I would like to see some kind of DLL message switch - is there any?
Jens Johanneson wrote: Is there a way to send a message from one DLL to other DLLs which are NOT compiled into the same exe file?
DLLs do not run independently of the host application, so in the strictest sense of your question, no, there isn't.
Code loaded from a DLL becomes part of the .EXE's code, just like the DLL was compiled into the .EXE.
Since you're trying to talk to another plugin, you're actually trying to talk to another part of the code in the app. The problem is that the plugin system has to expose functionality that allows communication and data passing between plugins. Unless the host app facilitates this, you can't talk to another plugin at all.
The only other way to do this would be to write a plugin that implements this functionality, and then your plugin would have to host the same plugin environment that loads the app's plugins. Kind of like a shim that sits between the host app's plugin environment and the plugins themselves.
But, since they can't tell you anything about their plug-in environment, you're out of luck this way too.
Without any information coming from the company that wrote the app, there's nothing you can do to implement this.
Jens Johanneson wrote: Any suggestion as to how the third party system "loads" the DLLs?
There's no standard "plugin interface" to use. The implementation is entirely up to the people who wrote it.
Jens Johanneson wrote: Am I able to "connect" to its namespace/work processes to see which DLLs it runs?
Not unless that plugin manager exposes this information to you, no.
Jens Johanneson wrote: Can I use the references in the XML file to get hold of loaded DLLs?
This won't give you anything on getting the running instance of the other DLLs, no.
Jens Johanneson wrote: I'd rather not have a "poor coder's" solution with temp files or status flags in the registry. I would like to see some kind of DLL message switch - is there any?
Again, ONLY if the plugin manager in the app exposes this to you. Somehow, I doubt they did.
"...The only other way to do this would be to write a plug in that implements this functionality..." - is it possible to write an "umbrella plug in" whose only purpose is to send messages between our DLLs? As I mentioned, we are able to find out filenames and paths to all "plug in DLLs" used by the customer's business system.
If so,
* where or for what should I start looking to gain some skills in such coding techniques? Is there a concept name? Does anyone know of some examples?
Dave, I much appreciated your first answer, which was clear and educational.
Jens Johanneson wrote: "...The only other way to do this would be to write a plug in that implements this functionality..." - is it possible to write an "umbrella plug in" whose only purpose is to send messages between our DLLs?
That's what I was talking about. The only problem is that your plugin has to be both a plugin to the application AND a plugin manager to all of the plugins you want to pass messages between.
Jens Johanneson wrote: where or for what should I start looking to gain some skills in such coding techniques? Is there a concept name?
Google for "vb.net plugin how to".
Hi, my application forms don't fit the screen correctly on various resolutions. Is it possible to set the form so that it displays correctly on the various resolutions? I'm using VB.NET for a Windows application.
Mr Oizo
Use the Dock and Anchor properties to configure your controls to resize when the form resizes.
Christian Graus - Microsoft MVP - C++
"I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
Hi, I click the Dock property, which only gives 5 locations to dock the controls. The Anchor property also has limited options. I want my controls to stay in their exact positions but resize according to resolution or the maximized property.
Mr Oizo
Those five options should be all you need; I've only had one app ever where I did some repositioning myself in the SizeChanged event.
Christian Graus - Microsoft MVP - C++
"I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
OK, thanks, I'll play around with it.
Mr Oizo
Second badly needed....
How to clear an array?
Thank you
start a new beginning in every ending; thats what life for......
' Resets every element of yourArray to its default value (0, Nothing, False, ...).
Array.Clear(yourArray, 0, yourArray.Length)
Luc Pattyn [Forum Guidelines] [My Articles]
this week's tips:
- make Visual display line numbers: Tools/Options/TextEditor/...
- show exceptions with ToString() to see all information
- before you ask a question here, search CodeProject, then Google
Hi,
In your message you have not specified the language you are using in your application but assuming that you are using VB 6.0, here is the code to erase the content of an array -
--------------------------Code Start--------------------------
Erase ArrayName
--------------------------Code End--------------------------
Please do let me know if I can be of any other help.
Gary Bigman.
Software Engineer
ComponentOne LLC
www.componentone.com
Greetings to all,
Guys, I need your help again.
How to return a value of True if the function finds at least one "0" in a string?
Example: for "110" the function should return "True".
I used the InStr() function; it seems to be working, but
when I would like to test another string the InStr() function does not work.. or did I use it incorrectly?...
Please help, I need it very badly and your help is very highly appreciated.... thank you...
start a new beginning in every ending; thats what life for......