|
OK, my fault,
I can skip the filename and path in the create statement.
I just have to figure out how to change the settings for the database, but that won't be a problem.
greetz
|
|
|
|
|
How do I clear this error?
An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
I'm using SQL 2005... in an online exam quiz..
Please help me..
|
|
|
|
|
What are the details of your connection string?
Paul Marfleet
"No, his mind is not for rent
To any God or government"
Tom Sawyer - Rush
|
|
|
|
|
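mycon.ConnectionString = "Server=(local);DataBase=im;Integrated Security=True"
' Pass the values as parameters instead of concatenating them into the SQL text
mycom = New SqlCommand("INSERT INTO quiz1(Result,Email) VALUES (@Result, @Email)", mycon)
mycom.Parameters.AddWithValue("@Result", strResult)
mycom.Parameters.AddWithValue("@Email", TextBox1.Text)
mycon.Open()
mycom.ExecuteNonQuery()
mycon.Close()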
I'm using VB script and ASP.NET... DB is SQL 2005..
This program is running on localhost but didn't run externally...
What can I do?
|
|
|
|
|
mananth wrote: mycon.ConnectionString = "Server=(local);DataBase=im;Integrated Security=True"
You are using Integrated Security to connect to SQL Server. Does the account that your ASP.NET web app is running under have the required permissions to access the SQL database?
Paul Marfleet
"No, his mind is not for rent
To any God or government"
Tom Sawyer - Rush
|
|
|
|
|
Hi,
Can anybody help me write a query to retrieve the count of non-null columns in a particular row?
For eg: I have 30 columns in a table and I enter values to only 5 columns.
when I run the query I should get the output as 5 columns have non null values. If it is not possible then is it possible to read values of different columns of a single row into a single variable.
Please help me out.
ABC
|
|
|
|
|
AFAIK, the only way of doing this would be to loop through the columns and count the number of fields with a NULL value.
You may want to consider whether your database design is optimal for the type of work you are doing.
Paul Marfleet
"No, his mind is not for rent
To any God or government"
Tom Sawyer - Rush
|
|
|
|
|
It's not pretty but...
select case when cola is null then 1 else 0 end+
case when colb is null then 1 else 0 end+
...................
from table
modified on Friday, January 11, 2008 3:53:29 AM
|
|
|
|
|
Is SQL injection possible even after replacing every single quote (i.e. ') in the user input with two single quotes (i.e. '')? If so, can you give me an example?
|
|
|
|
|
Using parameterized queries is better practice anyway.
|
|
|
|
|
There is no way to inject after replacing ' with ''
|
|
|
|
|
What about injecting into values that don't need quotes around them?
|
|
|
|
|
|
Thanks for the link. I went through this but still could not get my answer.
Can you please help me find in what way this query can be vulnerable to SQL injection?
strQuery = "select * from Table where Name ='" & strName.Replace("'","''") & "'"
|
|
|
|
|
Why are you looking to do this? It's much better to use parameters which take care of these things for you and are a much better way of preventing SQL Injection attacks. Please read this article and do yourself a favour.
|
|
|
|
|
Ritesh1234 wrote: Can you please help me find in what way this query can be vulnerable to SQL injection
Yes, it's STILL an injection attack, and a rather successful one if the code that depends on this query doesn't expect to find 0 results coming back. The replacement of ' with '' is NOT a guarantee against injection attacks, and neither is using parameterized queries, though using parameters and the SqlParameter objects does look for other possible problems that you don't normally think of, such as DateTime representation in the SQL statement.
Simply put, there is no reason NOT to use parameterized queries and stored procedures. It makes your code much more robust, easier to debug, and easier to support when it breaks, not if. It's also no excuse for not thoroughly checking user input before you pass it to SQL, which is what your code snippet is suggesting you're not doing. Consider ALL user input as evil. It MUST go through validation testing before you try to use it.
What if the user typed in 1000+ characters into that textbox?? What happens when you pass that to your SQL, which is only expecting, maybe, 14 characters??
What you have is a lazy way of attempting to secure your SQL code without understanding what an SQL Injection attack really is. Make no mistake, your "solution" is not secure, not in the least.
Read this or Colin will make you read it.
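The point raised earlier in this thread about values that need no quotes around them, shown as an added example that is not part of any post: quote doubling next to validation plus a bound parameter. Python's sqlite3 stands in for SQL Server so the code runs offline; the users table, its rows and all function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory database with a constructed sample table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [(1, "alice"), (2, "o'brien"), (3, "carol")])
    return db

def escape_quotes(value):
    """The approach from the thread: replace ' with ''."""
    return value.replace("'", "''")

def by_name_escaped(db, name):
    # Quoted context: the doubled quote keeps the input inside the literal.
    sql = "SELECT id FROM users WHERE name = '" + escape_quotes(name) + "'"
    return [row[0] for row in db.execute(sql)]

def by_id_escaped(db, user_id):
    # Numeric context: nothing is quoted, so doubling quotes changes nothing
    # and whatever the caller sends is parsed as part of the statement.
    sql = "SELECT id FROM users WHERE id = " + escape_quotes(user_id)
    return [row[0] for row in db.execute(sql)]

def by_id_param(db, user_id):
    # Validate type and length first, then bind the value as a parameter so
    # it is never part of the SQL text.
    if not (user_id.isascii() and user_id.isdigit() and len(user_id) <= 9):
        raise ValueError("id must be a decimal number of at most 9 digits")
    sql = "SELECT id FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(user_id),))]

if __name__ == "__main__":
    db = make_db()
    print(by_name_escaped(db, "o'brien"))        # legitimate quote survives
    print(by_name_escaped(db, "x' OR '1'='1"))   # stays one string literal
    print(by_id_escaped(db, "0 OR 1=1"))         # filter is bypassed
    try:
        by_id_param(db, "0 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```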
|
|
|
|
|
Thanks, buddy, for your valuable input. Well, first of all, this is NOT my way of coding, and I raised this question just to find a good EXAMPLE of how an attacker can take advantage of this poorly fabricated query. Though we are all advocating parameterized queries and stored procedures, including ME, and even though this query seems easily attackable, I still could not figure out HOW, nor did I get a single example from anyone.
btw, that was the first article which made me aware of SQL injection long ago
|
|
|
|
|
"The Six Dumbest Ideas in Computer Security" is one of the best essays I've seen on security. Make sure you pay attention to point #2.
How many different ways are there to hack a database?? There are dozens and dozens of them. Now add the poor security in your code and you've opened up dozens more. Are you going to address each one of these vulnerabilities on an individual basis, such as that one Replace statement?? How about the other 9,999 vulnerabilities?? Starting to see the point behind "Enumerating Badness"??
If you read the entire article, it explains perfectly why the mere existence of virus scanning software is a stupid idea. And it's one which I happen to subscribe to.
|
|
|
|
|
I am writing a class to talk to a database I've written, the database has a stored function which takes one parameter and returns a value, it works fine when I execute it just with MySql however when I use the class I have written I get no error but the value that is returned from "ExecuteScalar" is null. The executeNoReturn Works perfectly for a stored procedure that adds some data to the DB.
Any suggestions would be appreciated
using System.Collections.Generic;
using MySql.Data.MySqlClient;

// Name/value pair passed to a stored routine
public class Parameter
{
    private string mName;
    private object mValue;

    public Parameter(string nameIn, object valueIn)
    {
        name = nameIn;
        value = valueIn;
    }

    public string name
    {
        get
        {
            return mName;
        }
        set
        {
            mName = value;
        }
    }

    public object value
    {
        get
        {
            return mValue;
        }
        set
        {
            mValue = value;
        }
    }
}

public class Db
{
    MySqlConnection conn;

    public Db()
    {
        conn = new MySqlConnection("Database=test;Data Source=localhost;User Id=root;Password=alexa");
        conn.Open();
    }

    // Runs a stored routine and returns the first column of the first row
    public object executeSingleReturn(string storedName, List<Parameter> parameters)
    {
        object returnObject = new object();
        MySqlCommand command = new MySqlCommand();
        command.Connection = conn;
        command.CommandType = System.Data.CommandType.StoredProcedure;
        command.CommandText = storedName;
        foreach (Parameter a in parameters)
        {
            command.Parameters.AddWithValue(a.name, a.value);
        }
        returnObject = command.ExecuteScalar();
        return returnObject;
    }

    // Runs a stored procedure inside a transaction and discards any result
    public void executeNoReturn(string storedName, List<Parameter> parameters)
    {
        MySqlCommand command = new MySqlCommand();
        MySqlTransaction trans;
        trans = conn.BeginTransaction();
        command.Connection = conn;
        command.Transaction = trans;
        command.CommandType = System.Data.CommandType.StoredProcedure;
        command.CommandText = storedName;
        foreach (Parameter a in parameters)
        {
            command.Parameters.AddWithValue(a.name, a.value);
        }
        command.UpdatedRowSource = System.Data.UpdateRowSource.None;
        command.ExecuteNonQuery();
        trans.Commit();
    }

    ~Db()
    {
        conn.Close();
    }
}
|
|
|
|
|
Hi all,
I need some help in query design... Following is the scenario
table1
|length|breadth|height|dimen|
|20|20|20|20x20x20|
|40|20|20|40x20x20|
|50|50|20|50x50x20|
|20|20|70|20x20x70|
The user in stage 1 of the app inserts only the len, bre, height... In cycle 2 I have to calculate the dimen (lenxbredxheight). How can I do it using a single query? Do I need to use cursors? If yes, then how????
Thanks in adv...
When you fail to plan, you are planning to fail.
|
|
|
|
|
Would this not be enough? Why do you think you need to use Cursors?
update table1
set dimen = length*breadth*height
------------------------------------------------------------
"The only true wisdom is in knowing you know nothing." --Socrates
|
|
|
|
|
Try this in stage 2:
update table1
set dimen = cast(length as varchar(2)) + 'x' + cast(breadth as varchar(2)) + 'x' + cast(height as varchar(2))
from table1
Regards
Guy
You always pass failure on the way to success.
|
|
|
|
|
Hi,
While you are inserting the first three values, i.e. length, breadth, height, do it like this:
insert into table1(length,breadth,height,dimen) values
(length,breadth,height,length*breadth*height)
Or
First insert
insert into table1(length,breadth,height) values
(length,breadth,height)
in the second cycle just update the table.
Regards
Veeresh
i want to join this group
|
|
|
|
|
Hello everybody
I finally have a bit of time to look into a problem which has been annoying me for some months, without a solution so far. I'm hoping some clever guru will take pity on me and help resolve it.
The situation:
I have created a custom control that uses a data source to display dates on a web site, and allow the user to select a range of dates.
However, I have different problems depending on the data source I use.
- Access database using a dataset generated in VS 2005: selecting a range works beautifully
However, I then can't overwrite the Access file on my ISP's web server, and besides, it's overkill for a handful of records, so I tried solution number 2:
- XML file loaded into a dataset created in my code: the control "forgets" the data source when the user selects a range.
The control in its buggy XML incarnation is visible here: http://www.eburrows.co.uk/apt111/availabilitybug.aspx.
While its working Access dataset-based version is here:
http://www.eburrows.co.uk/apt111/availability.aspx
Of course, full source code will be provided to anyone kind enough to volunteer their expertise!
Thanks!
|
|
|
|
|
Hi! Just a basic question but I don't know the answer =)
Please help
So I have a stored procedure with 2 select queries
SELECT A,B FROM table1
SELECT C,D FROM table2
In my typed dataset, how do I retrieve values in table2 using da.Fill() or should I be using another code for this?
da.Fill(dt);
when I can't use something like da.Fill(dt2);
Thank you very much.
Gerri
|
|
|
|