MartyK2007 wrote: how??
what would you need to enter into the textbox field given
there is an insert command "hardcoded" with variables??
I don't understand what you mean
sorry Roath,
wasn't talking to you.
I was interested in the SQL injection claim and how the DB could be deleted when you have hardcoded an insert command.
ta
Martin
life is a bowl of cherries
go on take a byte
Ohh... I'm sorry, Martin. Sorry that I disturbed you.
no problem
Christian Graus wrote: 1 - I can delete your entire database any time I like. Read up on SQL injection, to stop this
I don't understand what you mean.
Christian Graus wrote: 2 - your SQL looks fine. What error is being thrown ?
The system states that there is an error in the INSERT INTO statement. I think this error is because I didn't give a value to the field OrgNo. The reason I didn't give a value to this field is that this field has the autonumber format. So I do not know how to add the number into this field. Please help me.
Does it give any other information ? Have you tried adding the number field as well, just to see if this is the problem ?
Like I said, search the site, or the web, for SQL injection. Short version: you do something like this:
statement = "select * from tblData where SomeCol = '" + txtColData.Text + "'"
What if I enter this:
f' GO DELETE from tblData GO
Then your sql looks like this:
select * from tblData where SomeCol = 'f' GO
DELETE from tblData GO
'
The last line is not valid SQL, but the first two will do a select, and delete all records from tblData. It's possible to write SQL that just deletes everything, without even knowing the table names.
Christian Graus - Microsoft MVP - C++
"I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )
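As an added illustration of the point in the reply above, not code from this thread or from any poster's project: the script below builds the same kind of statement by pasting a textbox value into the SQL text, and beside it the parameterised form that TDDragon's reply recommends, then runs both on the same inputs. It uses Python with an in-memory SQLite database as a stand-in for the Access database; the tblData table, its rows and the three inputs are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed sample table standing in for the poster's tblData / SomeCol;
    # not the original project's schema.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblData (SomeCol TEXT)")
    con.executemany("INSERT INTO tblData VALUES (?)",
                    [("f",), ("g",), ("O'Brien",)])
    con.commit()
    return con


def select_concat(con, user_text):
    # The pattern from the post: the textbox value becomes part of the SQL
    # text, so any quote in the input is read as statement syntax.
    statement = "select * from tblData where SomeCol = '" + user_text + "'"
    return [row[0] for row in con.execute(statement)]


def select_param(con, user_text):
    # Parameterised form: the value is handed to the driver separately from
    # the SQL text, so it can only ever be compared as data.
    statement = "select * from tblData where SomeCol = ?"
    return [row[0] for row in con.execute(statement, (user_text,))]


def compare(user_text):
    """Run both forms on one input and return (concat_result, param_result).

    concat_result is the string 'SYNTAX ERROR' when the pasted text broke
    the statement, which is what a stray apostrophe in a name does.
    """
    con = make_db()
    try:
        concat = select_concat(con, user_text)
    except sqlite3.OperationalError:
        concat = "SYNTAX ERROR"
    param = select_param(con, user_text)
    con.close()
    return concat, param


if __name__ == "__main__":
    # A plain value, a value with an apostrophe, and a value that rewrites
    # the WHERE clause when concatenated.
    for text in ["f", "O'Brien", "f' or 'a'='a"]:
        print(repr(text), "->", compare(text))
```

The second input shows the bug a reviewer would look for first in the poster's INSERT: an apostrophe in the address or name breaks the concatenated statement, while the parameterised query returns the matching row. The third input shows why the "delete your database" warning is real: concatenation lets the input change the query's structure (all three rows come back), whereas the parameter is only ever compared as a value and matches nothing.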
Roath Kanel wrote: Christian Graus wrote:
1 - I can delete your entire database any time I like. Read up on SQL injection, to stop this
I don't understand what you mean.
What is meant by this is that your user could, for instance, enter "delete *" in a textbox, and this would result in your DB being deleted, or something else. SQL injection occurs when a user is able to input SQL strings to the DB.
To prevent this, use SqlParameters.
Roath Kanel wrote: The reason that I didn't give the value to this field because this field has autonumber format. So I do not know how to add the number into this field
If the field is autonumber you normally don't have to include it in your SQL insert statement, so that isn't the cause of your error.
TDDragon wrote: if the field is autonumber you normally don't have to include it in your SQL insert statement, so that isn't the cause of your error
I already do that in my SQL statement. An error still occurs; could you please let me know how to solve the problem?
Again, did you bother to test and see if this is the problem, maybe the column is not autonumbering. Is there a ' in any of the strings you're passing in ? This will break the SQL. Surely there's more information to be found in the exception being thrown ?
Christian Graus - Microsoft MVP - C++
The below is the exception, please help:
System.Data.OleDb.OleDbException was unhandled
ErrorCode=-2147217900
Message="Syntax error in INSERT INTO statement."
Source="Microsoft JET Database Engine"
StackTrace:
at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommandText(Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteCommand(CommandBehavior behavior, Object& executeResult)
at System.Data.OleDb.OleDbCommand.ExecuteReaderInternal(CommandBehavior behavior, String method)
at System.Data.OleDb.OleDbCommand.ExecuteNonQuery()
at DIC_Donor_Database.frmOrgProf.btnAdd_Click(Object sender, EventArgs e) in C:\Documents and Settings\roathkanel\My Documents\Visual Studio 2005\Projects\DIC Donor Database\DIC Donor Database\frmOrgProf.vb:line 90
at System.Windows.Forms.Control.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnClick(EventArgs e)
at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
at System.Windows.Forms.Control.WndProc(Message& m)
at System.Windows.Forms.ButtonBase.WndProc(Message& m)
at System.Windows.Forms.Button.WndProc(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
at System.Windows.Forms.NativeWindow.DebuggableCallback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)
at System.Windows.Forms.UnsafeNativeMethods.DispatchMessageW(MSG& msg)
at System.Windows.Forms.Application.ComponentManager.System.Windows.Forms.UnsafeNativeMethods.IMsoComponentManager.FPushMessageLoop(Int32 dwComponentID, Int32 reason, Int32 pvLoopData)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoopInner(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.ThreadContext.RunMessageLoop(Int32 reason, ApplicationContext context)
at System.Windows.Forms.Application.Run(ApplicationContext context)
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.OnRun()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.DoApplicationModel()
at Microsoft.VisualBasic.ApplicationServices.WindowsFormsApplicationBase.Run(String[] commandLine)
at DIC_Donor_Database.My.MyApplication.Main(String[] Args) in 17d14f5c-a337-4978-8281-53493378c1071.vb:line 81
at System.AppDomain.nExecuteAssembly(Assembly assembly, String[] args)
at System.AppDomain.ExecuteAssembly(String assemblyFile, Evidence assemblySecurity, String[] args)
at Microsoft.VisualStudio.HostingProcess.HostProc.RunUsersAssembly()
at System.Threading.ThreadHelper.ThreadStart_Context(Object state)
at System.Threading.ExecutionContext.Run(ExecutionContext executionContext, ContextCallback callback, Object state)
at System.Threading.ThreadHelper.ThreadStart()
OK - first do what I've suggested three times ( add code to set that other column and see if it works ). Then use the debugger to find out exactly what the insert string looks like. Finally, see if you can enter that string into Access somewhere and have it run it, it may give you a more meaningful error.
Christian Graus - Microsoft MVP - C++
Ok, I will try and let you know the result. But what I suspect is that the problem is because I didn't give any value to the autonumber column. Thanks for your help.
Like stated before:
the problem cannot be that you don't give a value to the autonumber column (if it is an autonumber column), because this column does not accept any input. Just try to enter a value straight into Access; it will not work. So your error has a different cause. To find out what, do what Christian Graus suggested.
Yeah, that's the point. I suggested trying to give that column a value, just in case he's wrong in thinking it's set to be an autonumber column.
Christian Graus - Microsoft MVP - C++
Hi Kanel,
Sometimes you need to open a Query Analyzer before passing an SQL statement to a command object.
The following is your statement:
.CommandText = "INSERT INTO tblOrgInfo (OrgName, Address) VALUES ('" & Trim(txtOrgName.Text) & "', '" & txtAddress.Text & "')"
If you insert a new record into a table that has an identity row, you have to do it like this:
.CommandText = "INSERT INTO tblOrgInfo VALUES ('" & Trim(txtOrgName.Text) & "', '" & txtAddress.Text & "')"
Forget about the first column; pretend as if it's not there. You can never do anything to it, or update it. I have not looked at your code that much, but I stopped looking at this line, and this was not correct.
Vuyiswa Maseko
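An added example, not code from the thread or from the poster's project, for the autonumber question that runs through the thread: the script below inserts into a constructed tblOrgInfo whose OrgNo column is auto-assigned (SQLite's INTEGER PRIMARY KEY AUTOINCREMENT standing in for the Access autonumber), naming only the two columns the form supplies and passing the values as parameters, and then tries the positional VALUES form without a column list so the difference is visible. Python with an in-memory SQLite database is used here in place of VB.NET and Access; the table and the sample organisations are constructed for the example.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the poster's tblOrgInfo: OrgNo is the
    # auto-assigned key, the other two columns hold the form's text.
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE tblOrgInfo ("
        "OrgNo INTEGER PRIMARY KEY AUTOINCREMENT, OrgName TEXT, Address TEXT)"
    )
    return con


def insert_org(con, org_name, address):
    # The column list names only the fields the form supplies; OrgNo is not
    # mentioned and the engine assigns it. The values travel as parameters,
    # so an apostrophe in the address cannot break the statement.
    cur = con.execute(
        "INSERT INTO tblOrgInfo (OrgName, Address) VALUES (?, ?)",
        (org_name.strip(), address),
    )
    con.commit()
    return cur.lastrowid  # the autonumber the engine generated for this row


def insert_without_column_list(con, org_name, address):
    # The positional form: with no column list the engine expects one value
    # per column, OrgNo included. The error text is returned rather than
    # raised so the caller can see why two values are not enough.
    try:
        con.execute("INSERT INTO tblOrgInfo VALUES (?, ?)", (org_name, address))
        con.commit()
        return "ok"
    except sqlite3.OperationalError as e:
        return str(e)


def demo():
    """Returns (first_key, second_key, positional_result, stored_rows)."""
    con = make_db()
    first = insert_org(con, "  Donor Aid  ", "12 O'Connell St")
    second = insert_org(con, "Relief Fund", "Main Rd")
    positional = insert_without_column_list(con, "X", "Y")
    rows = con.execute(
        "SELECT OrgNo, OrgName, Address FROM tblOrgInfo ORDER BY OrgNo"
    ).fetchall()
    con.close()
    return first, second, positional, rows


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The generated keys come back as 1 and 2 without the code ever mentioning OrgNo, which is the behaviour the replies describe for an autonumber column. The positional insert fails with the engine's "3 columns but 2 values" complaint: dropping the column list does not make the key column disappear, it just stops the statement from saying which columns the two values belong to, so keeping the explicit column list is the safer form.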
I have a ComboBox, and I have populated it like this in my form load:

cmbconfidence.Items.Add("1")
cmbconfidence.Items.Add("2")
cmbconfidence.Items.Add("3")
cmbconfidence.Items.Add("4")
cmbconfidence.Items.Add("5")
cmbconfidence.Items.Add("6")
cmbconfidence.Items.Add("7")

And later I decided to add more options to it, and my code looks like this now:

cmbconfidence.Items.Add("0")
cmbconfidence.Items.Add("1")
cmbconfidence.Items.Add("2")
cmbconfidence.Items.Add("3")
cmbconfidence.Items.Add("4")
cmbconfidence.Items.Add("5")
cmbconfidence.Items.Add("6")
cmbconfidence.Items.Add("7")
cmbconfidence.Items.Add("8")
cmbconfidence.Items.Add("9")
cmbconfidence.Items.Add("10")
cmbconfidence.Sorted = True
cmbconfidence.DropDownStyle = ComboBoxStyle.DropDownList

But in my list, when I run my application, it's not sorted. Option 10 is not the last one and option 0 is not the first one. I need to put them in order.
How do I achieve this?
Thanks
Vuyiswa Maseko
Hi,
when Sorted=true, the combobox will sort the items alphabetically, which means
10 goes in between 0 and 2 (just like bbbbb goes in between aa and cc).
Now if you are specifying the items as literal strings, in the order you want them,
then I suggest you don't set Sorted true, since that will mess it up for you.
If you need to populate dynamically and have a special sort order in mind, the
best thing to do is first populate some collection (say an ArrayList), then
call its Sort method (providing an IComparer object), then do databinding from the
collection to the combobox.
Luc Pattyn [Forum Guidelines] [My Articles]
this week's tips:
- make Visual display line numbers: Tools/Options/TextEditor/...
- show exceptions with ToString() to see all information
- before you ask a question here, search CodeProject, then Google
Thanks man, you are a star.
It's working.
Vuyiswa Maseko
Hi guys,
Is there any live application to search for code? We have lots and lots of sites to get source code from; why can't we make a web application with a good search engine to search pure-text source code, anything related to code?
For e.g. stored procedures, HTML, ASP code, technical text, code-behind, JavaScript, Java code.
Only pure text should be stored; it should be a very simple application with no links, only to maintain and retrieve, and there will be no data editing for the users.
Uploading of files is not allowed, since many technical websites already provide this feature.
The plan
Here the users can store information taken from the internet (pure text) when he/she visits it for reference; later he/she need not come back to this same link to take the specific code, instead he/she can search for the code in this new Code Manager portal.
The user will have to provide the description of the code or technical text, and each source code should be allocated under different sets;
for e.g. if it's HTML code, the language should be set as HTML for this source code.
How the search works
A search with different criteria should be given:
based on description
based on language
based on date stored
based on unique words
based on tags
We should make this application very simple to handle.
winnie
Do NOT spam the site by posting the same question in multiple forums. Pick ONE and stick with it.
Hello to all,
I am using VB 6.0.
How can I get the domain name/IP under which my machine works?
Let me explain in depth:
suppose my machine is under the BHAHBLAH domain; then how can I programmatically get that domain name/IP?
Please help... any hint/link?
Thanks in advance.
Regards,
koolprasad2003
Be a good listener...Because Opprtunity knoughts softly...N-Joy
I have a table named emp,
where empid and empname are the columns of the table.
Now in VS 2005
I have taken a dropdown list and a label.
In the dropdown list I want to show the empid, and based upon the empid the corresponding empname should be populated in the label.
Can you tell me how to write the code for it in VB.NET?
Hi Biswa,
on the SelectedIndexChanged of the DDL you can write this code;
make sure AutoPostBack is true for the DDL.
using System;
using System.Data.SqlClient;

// Handler for the DropDownList's SelectedIndexChanged event.
// 'con' is the page's existing SqlConnection field, as in the original snippet.
protected void ddEmpID_SelectedIndexChanged(object sender, EventArgs e)
{
    // Parameterised query: the selected value is passed as data rather than
    // pasted into the SQL text, so a quote in it cannot change the statement.
    const string strEmpName = "SELECT empid, empname FROM tbl_XYZ WHERE empid = @empid";
    try
    {
        using (SqlCommand comEMP = new SqlCommand(strEmpName, con))
        {
            comEMP.Parameters.AddWithValue("@empid", ddEmpID.SelectedValue);
            con.Open();
            using (SqlDataReader dr = comEMP.ExecuteReader())
            {
                while (dr.Read())
                {
                    lblEmpName.Text = dr["empname"].ToString();
                }
            }
        }
    }
    catch (Exception ex)
    {
        Trace.Write(ex.Message);
    }
    finally
    {
        con.Close();
    }
}
winnie