Shanmukeswara Rao wrote:
Str = "ame's account"
Qr = "select * from Tab where fld='" & Str & "'"
I have had this same problem before. You should use parameters in your query. Combining the strings like this is prone to a SQL injection attack also. The way you use a parameter query depends on whether you are using MS SQL or ODBC (MS Access) for your database. If you provide more information or more samples of your code I can show you better.
Laterness...
Doug
My database is MS Access.
Earlier I solved this once by concatenating the ` symbol before and after the string, but now it is not working.
Thanks
Shan
Str = "ame's account"
Qr = "select * from Tab where fld=?"
Dim cmd As OdbcCommand = New OdbcCommand(Qr, OdbcConnection1)
Dim param1 As OdbcParameter = New OdbcParameter("name", OdbcType.VarChar)
param1.Value = Str
cmd.Parameters.Add(param1)
then execute the command...
Dim dr As OdbcDataReader = cmd.ExecuteReader()
Laterness...
Doug
You could try checking your strings with this code to eliminate SQL Injection:
str=replace("ame's account","'","''")
This will replace the single quotation with a double quotation, which is interpreted by SQL parsers as a literal single quotation mark. This would somewhat prevent SQL Injection.
Nice try, but it won't eliminate any injection attacks. The attacker merely has to include his code between two single quote marks to defeat your method.
The better way, and the most recommended way BY FAR, is to use parameterized queries. The parameter objects look for known injection techniques and take care of all your argument escaping for you. String concatenation is most definitely a poor technique to use with queries.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Regarding the safety of str=replace("ame's account","'","''") , I think it is relatively safe. Whatever way you want to swing it, there is no way that a user can insert a ' that will not be escaped.
my blog
Just escaping the ' was not the point. The technique was billed as a method to prevent SQL injection attacks, and it's not...
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Sorry to split hairs Dave, but... your advice is good, but your facts are wrong.
If you escape every string value in every SQL string that you construct, (and also take care to sanitize all numeric values), then you are in fact safe from SQL injection.
The problem with the escaping approach is that it is difficult to apply consistently. For example, most programmers will neglect to escape values that they obtain from cookies, or the session, or the database. That is a mistake, because users can often affect that data too.
my blog
I'll accept that.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
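The parameterised ODBC approach Doug describes, placed next to the concatenated query from the question and the apostrophe-doubling approach debated above, as an added example that is not code from any post in this thread. It assumes an Access DSN named AccessDsn (a placeholder); the table and column names Tab and fld are the ones from the question.

```vbnet
' Added example, not from any post in this thread.
' Assumes an ODBC DSN named "AccessDsn" (placeholder) pointing at the Access file.
Imports System
Imports System.Data.Odbc

Module ParamQueryDemo

    ' Vulnerable: the value is pasted into the SQL text. An apostrophe in the
    ' value ("ame's account") ends the literal early, so the statement fails;
    ' anything after that apostrophe is parsed as SQL rather than as data.
    Function BuildUnsafeSql(ByVal value As String) As String
        Return "select * from Tab where fld='" & value & "'"
    End Function

    ' Escaping (the Replace("'", "''") approach from the thread) only closes the
    ' quoted-string hole. It does nothing for values inserted without quotes,
    ' such as numbers, which is why it is hard to apply consistently.
    Function BuildEscapedSql(ByVal value As String) As String
        Return "select * from Tab where fld='" & value.Replace("'", "''") & "'"
    End Function

    ' Safe: the SQL text never changes. The value travels to the driver as a
    ' typed parameter, so an apostrophe is just data and never part of the query.
    Function CountMatches(ByVal conn As OdbcConnection, ByVal value As String) As Integer
        Using cmd As New OdbcCommand("select count(*) from Tab where fld=?", conn)
            ' ODBC parameters are positional; the name is only a label.
            Dim p As New OdbcParameter("fld", OdbcType.VarChar, 255)
            p.Value = value
            cmd.Parameters.Add(p)
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    Sub Main()
        Dim str As String = "ame's account"
        Console.WriteLine(BuildUnsafeSql(str))   ' shows the broken quoting
        Console.WriteLine(BuildEscapedSql(str))  ' apostrophe doubled, string case only

        Using conn As New OdbcConnection("DSN=AccessDsn") ' placeholder DSN
            conn.Open()
            Console.WriteLine("rows: " & CountMatches(conn, str))
        End Using
    End Sub

End Module
```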
Hi there. I've got a question on how to program a system that can open a PDF document by opening chapters of a document in the same content document. I'm planning to do something like a PDF viewer which allows only viewing the document based on pages using the Table of Contents. However I'm unsure on how to apply them in .NET. Thanks for the help...
Hi, I just have a project that opens a PDF file in Adobe Acrobat Reader from our VB6 application. It might not answer your question, but it may give you an idea.
1. In VB6, create a form with one button named Command1.
2. Put the following code in the general declarations section. (It calls the Windows API.)
Private Declare Function ShellExecuteA Lib "shell32" (ByVal hWnd As Long, _
    ByVal Op As String, ByVal file As String, ByVal params As String, _
    ByVal directory As String, ByVal ShowCmd As Long) As Long
3. Double click Button1 and write the following code.
Call ShellExecuteA(0, vbNullString, "C:\PDF_File.pdf", vbNullString, _
    vbNullString, vbShowNormal)
Note:
* No component or reference was added to this project.
* I got the idea from the expert-exchange website, but I have changed some options in the code to match my file path.
Roath Kanel
APO-CEDC
Save Children Norway-Cambodia Office
I have a form laid out in Visual Studio .NET Professional, and I have 30 buttons laid out. I have sound files on the hard drive, and I would like to associate those sounds with those buttons.
So when the Sounds.exe is run, and I press the first button then the sound is automatically played.
Is there a way to link the sound to the button?
And also when I build the .exe file is the sound file added to the .exe file?
I am all new to this, and have created some code from a webpage that talked about embedding sounds, so I used the code as you see below:
Class SoundButton
    Inherits Button

    'API call for playing sounds held in memory
    Private Declare Function PlaySound Lib "winmm.dll" (ByVal data() As Byte, _
        ByVal hMod As IntPtr, ByVal hwFlags As Integer) As Integer

    Private Const SND_ASYNC As Integer = &H1  'Play asynchronously
    Private Const SND_MEMORY As Integer = &H4 'Play a wav held in memory

    'The .wav will be stored in this byte array
    Private Shared ClickSound As Byte()

    Shared Sub New()
        'Get the running assembly name; embedded resources are prefixed with it
        Dim NameSpc As String = _
            Reflection.Assembly.GetExecutingAssembly().GetName().Name

        'Look for the button click sound in the resource stream.
        'This example has a resource called hello1.wav
        Dim WavStrm As IO.Stream = _
            Reflection.Assembly.GetExecutingAssembly().GetManifestResourceStream( _
                NameSpc & "." & "hello1.wav")

        'GetManifestResourceStream returns Nothing if the file was not embedded
        If WavStrm Is Nothing Then
            Throw New IO.FileNotFoundException("Embedded resource hello1.wav not found")
        End If

        'Size the byte array to the embedded .wav (ReDim takes the upper bound)
        ReDim ClickSound(CInt(WavStrm.Length) - 1)
        'Load the .wav from the stream into the byte array
        WavStrm.Read(ClickSound, 0, ClickSound.Length)
        WavStrm.Close()
    End Sub

    'Override OnClick to play the sound before raising the event
    Protected Overrides Sub OnClick(ByVal ea As EventArgs)
        PlayWav(ClickSound)
        MyBase.OnClick(ea)
    End Sub

    'Play embedded .wav resource
    Public Sub PlayWav(ByVal WavResource As Byte())
        PlaySound(WavResource, IntPtr.Zero, SND_ASYNC Or SND_MEMORY)
    End Sub
End Class
The hello1.wav file is the file I wanted to play when i ran the app.
If you want to see my source code you can get it here :
h**p://home.pacific.net.au/~jf3000/sounds.zip
I'd appreciate any help at all on this; just let me know how to get the first button going so I know where to take it from there.
You will have to tell me in the most basic of beginner's terms, because I'm still trying to understand something I've only just started.
Someone mentioned in a forum to play a sound use this : PlaySound() but that lost me.
samitha
If you're going to have 30 sounds, don't embed them as resources; it'll just make compiling your app that much longer, especially if they're large sound files. Just leave them as files. The code is really easy when you don't have all the junk of resources to look through. If you're just starting out -> KEEP IT SIMPLE!
' sndPlaySoundA takes a 32-bit UINT and returns a 32-bit BOOL, so in VB.NET the
' matching types are Integer (Long is 64-bit in .NET and would corrupt the call)
Private Declare Ansi Function PlaySound Lib "winmm.dll" Alias "sndPlaySoundA" _
    (ByVal lpszSoundName As String, ByVal uFlags As Integer) As Integer
Private Enum PlaySoundFlags
Sync = &H0
Async = &H1
[Loop] = &H8
NoStop = &H10
NoDefault = &H2
End Enum
Private Sub btnPlaySoundSync_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnPlaySoundSync.Click
Me.Cursor = Cursors.WaitCursor
PlaySound("C:\Program Files\ahead\Nero\Beeth5th.wav", PlaySoundFlags.Sync)
Me.Cursor = Cursors.Default
End Sub
Private Sub btnPlaySoundAsync_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnPlaySoundAsync.Click
Me.Cursor = Cursors.WaitCursor
PlaySound("C:\Program Files\ahead\Nero\Beeth5th.wav", PlaySoundFlags.Async)
Me.Cursor = Cursors.Default
End Sub
This code assumes you have two buttons on your form, named btnPlaySoundSync and btnPlaySoundAsync .
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
I have a yes/no question in my program. How do I code the messagebox so that after a user clicks yes, something happens, if the user clicks no, something else happens?
Hi.
When you're opening the MessageBox it returns a DialogResult value, so you just have to use a simple If.
If MessageBox.Show(...) = DialogResult.Yes Then
    ' user clicked Yes
Else
    ' user clicked No
End If
Hello Everybody
Please tell me how to create dynamic toolbar in VB6.0
Please help me
You're going to have to be a lot more specific about what you want. What do you mean by "dynamic"? Do you want to create a toolbar in your own application, or are you adding a toolbar to something like IE, like the Yahoo or Google search bar?
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Hi,
Does anyone know how to hide the navigation bar when viewing a report in the browser and printing the same through the browser?
I've tried these options but they don't work:
crp.ParameterFieldInfo = paramFields
crp.DisplayGroupTree = False
crp.EnableDrillDown = False
crp.HasPageNavigationButtons = False
crp.DisplayToolbar = False
crp.SeparatePages = True
Thanks in anticipation
Hello EveryBody,
TusharP here. I designed a new ActiveX control. Now I want to assign an Align property to this control, so that whenever the user drags this control onto his/her form, the control is placed on the left side of the form.
Please help me in this regard.
Thanking you,
TusharP
Hi,
I have some data that looks like this:
July Aug Sep Oct Nov Dec
Birmingham 51,278 51,243 45,745 56,785 63,007 91,204
Milton K's 53,030 33,551 151,564 95,891 92,615 94,174
Slough 130,976 165,927 125,353 249,622 71,739 79,665
Channel l80,621 102,442 95,788 100,371 120,712 71,104
and I want to have a graph with a line for each of the 4 locations, the months placed along the horizontal 'X' axis, and the value placed along the 'Y' axis. If I create the chart in Excel, I get the option to change a radio button from 'Series in Columns' to 'Series in Rows' to show the graph correctly. However, in Crystal Reports (the .NET bundled version) I don't get this option, and the result is that I get 6 lines (one for each month) with the 'X' axis labels specified as the four locations.
This has to be created in Crystal Reports. I've tried every option I can find, but can't get the desired output.
Can anyone help please?
Many thanks,
Martin
To All,
I have a SQL Server table with a HardwarePrice column (Money datatype).
I'm doing this in ASP.NET, linked to a database, with a button I use to add a new item.
Below is the error I have encountered.
------------------------------------------------------------------------------
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.ArgumentException: System.FormatException: Input string was not in a correct format. at System.Number.ParseDecimal(String s, NumberStyles style, NumberFormatInfo info) at System.Decimal.Parse(String s, NumberStyles style, IFormatProvider provider) at System.Convert.ToDecimal(String value, IFormatProvider provider) at System.String.System.IConvertible.ToDecimal(IFormatProvider provider) at System.Convert.ToDecimal(Object value) at System.Data.Common.DecimalStorage.Set(Int32 record, Object value) at System.Data.DataColumn.set_Item(Int32 record, Object value)Couldn't store <> in HardwarePrice Column. Expected type is Decimal.
Source Error:
Line 194: ' add a new blank row to the end of the data
Line 195: Dim rowValues As Object() = {"", "", ""}
Line 196: ds.Tables(0).Rows.Add(rowValues)
Line 197:
Line 198: ' figure out the EditItemIndex, last record on last page
-----------------------------------------------------------------------------
What can I do to stop this error?
Thank you.
Easy. You're trying to convert empty Strings cast as Objects to numbers like Integer, Decimal, whatever you're using. This will not result in zeros. You're better off setting each value individually with the correct default data, like 0.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Can anyone tell me if it's possible to enable visual styles in VS IDE add-ins? I tried EnableVisualStyles before my form loads and a manifest file, to no avail. I am assuming that since the add-in is running in the VS IDE application space this is not possible, but if it is possible, how so?
Thanks for any replies in advance.
Thanks...Greg
As far as I can tell, VisualStyles won't work inside the IDE.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome