Don't repost.
Those who fail to learn history are doomed to repeat it. --- George Santayana (December 16, 1863 – September 26, 1952)
Those who fail to clear history are doomed to explain it. --- OriginalGriff (February 24, 1959 – ∞)
Gosh - you asked your question and didn't receive an answer within 10 minutes, so you asked it again? Next you'll be creating an URGENTZ post!
=========================================================
I'm an optoholic - my glass is always half full of vodka.
=========================================================
protected void GridView2_SelectedIndexChanged(object sender, EventArgs e)
{
    if (GridView2.SelectedIndex == 0)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000001'", cnn);
    }
    if (GridView2.SelectedIndex == 1)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000002'", cnn);
    }
    if (GridView2.SelectedIndex == 2)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000003'", cnn);
    }
    if (GridView2.SelectedIndex == 3)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000004'", cnn);
    }
    if (GridView2.SelectedIndex == 4)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000005'", cnn);
    }
    if (GridView2.SelectedIndex == 5)
    {
        ada = new SqlDataAdapter("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='000000006'", cnn);
    }
    DataTable dt = new DataTable();
    ada.Fill(dt);
    GridView1.DataSource = dt;
    GridView1.DataBind();
}
It's still unclear what you are trying to accomplish. The only thing I got from this is that you have GridView1 and GridView2, and on the SelectedIndexChanged event of GridView2 you are updating GridView1.
Can you try to explain where you are stuck and what you have tried?
Whether I think I can, or think I can't, I am always bloody right!
Why not use language features to simplify your code, rather than all these if statements with most of the same information repeated:
    string sqlCommand = string.Format("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='{0:000000000}'", GridView2.SelectedIndex + 1);
    ada = new SqlDataAdapter(sqlCommand, cnn);
That works for all values of the selected index.
Please don't suggest using string concatenation, string.Format, or a StringBuilder to build a SQL query, even in simple cases where the only parameter is a number.
    string sqlCommand = "select m.member_code, m.Subscriber_code, m.SSN, m.First_name, m.Last_name from member m inner join subscribers s on m.Subscriber_Code = s.Subscriber_Code where m.Subscriber_Code = @Code";
    ada = new SqlDataAdapter(sqlCommand, cnn);
    ada.SelectCommand.Parameters.AddWithValue("@Code", (GridView2.SelectedIndex + 1).ToString("000000000"));
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
modified 17-Apr-14 11:49am.
You obviously have no idea what string concatenation means.
Doesn't it simply mean that you add two strings together?
static void Main(string[] args)
{
    string param = "';GO;DROP TABLE Members;--Have a nice day!";
    string sqlCommand = string.Format("select m.member_code,m.Subscriber_code,m.SSN,m.First_name,m.Last_name from member m inner join subscribers s on m.Subscriber_Code=s.Subscriber_Code where m.Subscriber_Code='{0:000000000}'", param);
    Console.WriteLine(sqlCommand);
    Console.ReadKey();
}
Bastard Programmer from Hell
If you can't read my code, try converting it here
Richard MacCutchan wrote: You obviously have no idea what string concatenation means.
And you obviously have no idea how to write a SQL query!
Just because you're using string.Format to build your dynamic SQL rather than concatenating strings, that doesn't mean it's not susceptible to SQL injection. The ONLY way to avoid SQL injection is to use parameterized queries.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Sorry, but you obviously do not understand how SQL injection works. The command I provided to OP was in no way susceptible.
Richard MacCutchan wrote: you obviously do not understand how SQL injection works
And you "obviously do not understand" how a civilized conversation works! Let's agree to drop the insults and concentrate on the code.
The problem is not that the query you posted is susceptible to SQLi; the problem is that it encourages users to think that string.Format is a good way to build any SQL query, without understanding the details of why your particular query is immune. They will then use your code sample as the definitive way of putting parameters into a SQL query, which will result in SQLi vulnerabilities in their code.
It's not difficult to use parameterized queries in ADO.NET, so there's no reason not to use them for every query, even when you're absolutely certain that string.Format or string concatenation would not introduce a vulnerability.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: And you "obviously do not understand" how a civilized conversation works!
Sorry, but I did not start this.
Richard Deeming wrote: it encourages users to think that string.Format is a good way to build any SQL query, without understanding the details of why your particular query is immune.
No, it does nothing of the sort. It is a single example of how a string.Format statement can be used to create a string when a variable value is to be inserted at a particular point. You chose to make an assumption which has nothing to do with what I wrote, in particular the fact that inserting a formatted digit into a string has in no way anything to do with SQL injection.
Richard MacCutchan wrote: Sorry, but I did not start this.
Richard MacCutchan wrote: You obviously have no idea what string concatenation means.
That looks like the start to me, but whatever gets you through the day.
Richard MacCutchan wrote: It is a single example of how a string.Format statement can be used to create a string when a variable value is to be inserted at a particular point.
I'll assume you've never heard of Cargo cult programming then?
Whenever you give a novice developer a "single example", particularly where you've taken a shortcut because you know that this particular example doesn't necessarily need the full and correct approach, that example will get copied and adapted by people who have no idea what the correct approach is, and don't understand the limitations of your shortcut. Before you know where you are, that "single example" is littered throughout their code-base, and used in ways that will introduce SQLi vulnerabilities.
The simplicity of using parameterized queries in ADO.NET means that there is never an excuse for doing it the "wrong" way, even in a short throwaway example, even if you are absolutely certain that your example is invulnerable to SQLi.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
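Added example, not code from the thread: the member lookup built the two ways argued about above, run in Python against a constructed in-memory SQLite database so it works offline (the thread's ADO.NET code needs a SQL Server). It also shows the detail Richard Deeming's point rests on: a numeric format specifier such as {0:000000000} only pads integers, a string argument is spliced into the SQL verbatim, so the formatted query is safe only for as long as the caller's argument type never changes; the parameterized query is safe regardless.

```python
import sqlite3

# Constructed sample data standing in for the thread's member/subscribers tables
# (the SSN column is what makes an over-broad result set a real disclosure).
SCHEMA = """
CREATE TABLE subscribers (Subscriber_Code TEXT PRIMARY KEY);
CREATE TABLE member (member_code TEXT, Subscriber_Code TEXT, SSN TEXT,
                     First_name TEXT, Last_name TEXT);
INSERT INTO subscribers VALUES ('000000001'), ('000000002');
INSERT INTO member VALUES ('M1', '000000001', '111-11-1111', 'Ann', 'Lee');
INSERT INTO member VALUES ('M2', '000000002', '222-22-2222', 'Bob', 'Ray');
"""

# The thread's query, minus the literal subscriber code at the end.
BASE = ("select m.member_code, m.Subscriber_Code, m.SSN, m.First_name, m.Last_name "
        "from member m inner join subscribers s on m.Subscriber_Code = s.Subscriber_Code "
        "where m.Subscriber_Code = ")

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def formatted_query(code):
    """Mirror of string.Format("...'{0:000000000}'", code): the value becomes SQL text.
    zfill, like the .NET format specifier, pads a number but leaves any other
    string untouched, so a non-numeric argument is spliced in verbatim."""
    return BASE + "'" + str(code).zfill(9) + "'"

def run_formatted(conn, code):
    return conn.execute(formatted_query(code)).fetchall()

def run_parameterized(conn, code):
    """Mirror of Parameters.AddWithValue("@Code", ...): the SQL text is fixed and the
    driver ships the value separately, so it can only be compared, never parsed."""
    return conn.execute(BASE + "?", (str(code).zfill(9),)).fetchall()

if __name__ == "__main__":
    db = fresh_db()
    print(run_formatted(db, 1))                     # one member, both ways
    print(run_parameterized(db, 1))
    tainted = "' OR '1'='1"                         # constructed tautology input
    print(formatted_query(tainted))                 # WHERE ... = '' OR '1'='1'
    print(len(run_formatted(db, tainted)), "rows")  # every member's SSN: 2 rows
    print(run_parameterized(db, tainted))           # [] : compared as a value, no match
```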
Something like ...
if (gridView1[0][2].Value == gridView2[0][2].Value)
I want to make a page where a user can upload photos, like a photo gallery. How can I implement that? And if that user has a particular profile picture, what is the implementation?
I have a customer class that contains some attributes like
public class dummy {
    public string name {get; set;}
    public string value {get; set;}
    public dummy(string name, string value = string.empty)
    {
        this.name = name;
        this.value = value;
    }
    public static implicit operator dummy(string value)
    {
        // stackframe?
        return new dummy();
    }
}
In other modules there is some code like
    dummy _foo = new dummy("Json");
    _foo = "Hello";
The question is: can I get the _foo object in the implicit operator method, so I can keep the "Json" attribute? Thanks in advance.
Jon Skeet: "Custom conversions are only very occasionally useful, just like user-defined operators."
Yes, you can do this:
public static implicit operator dummy(string value)
{
    return new dummy("????", value);
}
And now you have a way to create a new instance of the Class 'dummy with the optional string parameter 'value defined: but, what does that really do for you? Your intention in designing the code was to require a 'name parameter, and now you have a 'dummy with "????" for a name: is that useful?
This is just duplicating (poorly) using the regular public dynamic Class constructor, and this is not what 'implicit is meant to be used for, which is user-defined conversion facilities that make it easy to write code that does not require explicit casting.
imho, using the 'implicit keyword to just short-cut some aspect of constructing a new instance of a Class is a very bad "code-smell."
'implicit methods must be static, as you know; that means there can be one-and-only one "instance" of the method which is a method of the Type of the Class, not of instances of the Class.
That means that inside an 'implicit method you have no ability to "know" what the current instance of the Class in which the 'implicit method was called from is: the keyword 'this is not available.
Since you can pass only one parameter into an 'implicit method, you can't pass both a reference to an instance of the Class, and some value (in this case a string) that you want to use (in this case to assign to an internal field in the Class).
So, why not just do the "easy" thing when you want to assign to your 'value field:
dummy _foo = new dummy("Json");
_foo.value = "Hello";
By the way: in your Class' constructor:
public dummy(string name, string value = string.empty)
is incorrect: spelling error.
And if you used:
public dummy(string name, string value = string.Empty)
that would throw a compile error: optional parameters need to have compile-time constant initial values. This would work:
public dummy(string name, string value = "")
... or ...
public dummy(string name, string value = default(string))
“I speak in a poem of the ancient food of heroes: humiliation, unhappiness, discord. Those things are given to us to transform, so that we may make from the miserable circumstances of our lives things that are eternal, or aspire to be so.” Jorge Luis Borges
modified 17-Apr-14 0:34am.
Thanks BillWoodruff,
but class dummy is just a dummy; the main point is, when
    dummy _foo = new dummy("Json");
    _foo.value = "Hello";
can I get the _foo object in the implicit operator method?
Thanks BillWoodruff
BillWoodruff wrote: Yes, you can do this:
public static implicit operator dummy(string value)
{
    return new dummy("????", value);
}
And now you have a way to create a new instance of the Class 'dummy with the optional string parameter 'value defined: but, what does that really do for you? Your intention in designing the code was to require a 'name parameter, and now you have a 'dummy with "????" for a name: is that useful?
The sample dummy is simple and only has one attribute: name. The real class may have hundreds of attributes or even more, and some of these attributes are private, so I can't use the attribute setters, and using other functions like _foo.setValue("Hello") is not allowed.
Clear, clean, object-oriented design is an art and skill that takes time to develop.
Fields, and Properties, of Classes should be designed to clearly express the intent of the program, and the structure of flow-of-control.
Use Private/Public Fields, and Public Properties for specific, carefully chosen, reasons. Usually you make a Field (a variable of some Type) private because you don't want it exposed to change outside the Class it is defined in.
Similarly, you may define a Property with a private set, and a public get, to allow all consumers of instances of the Class to get the value of the Property, but only code inside the context/scope of the Class in which the Property is defined to set/change the value.
Anytime you design a Class with "hundreds of attributes," I think there's a good chance that the Class needs to re-designed, possibly decomposed into a set of inter-related smaller Classes.
I think you are kind of off-track here in exploring this type of use of the 'implicit operator.
good luck, Bill
“I speak in a poem of the ancient food of heroes: humiliation, unhappiness, discord. Those things are given to us to transform, so that we may make from the miserable circumstances of our lives things that are eternal, or aspire to be so.” Jorge Luis Borges
Uh, shame on me.
I looked through my question: the sample is wrong, the correct code is:
    dummy _foo = new dummy("Json");
    _foo = "Hello";
so _foo's name attribute must be kept in the new dummy created by the implicit operator.
Thanks in advance.
I was wondering if there was a simple way to do a conversion from a typed list of type A that implements interface B, to a list of interface B. For the time being, I'm using an extension to do this, but I think it might be hard to understand by a novice developer who might review my code later on. Here is what I have:
So I'm wondering if anyone could simplify it a bit?
public static List<InterfaceType> ConvertClassItemToInterfaceItem<InterfaceType, ClassType>(this List<ClassType> originalist) where ClassType : InterfaceType
{
    List<InterfaceType> list = new List<InterfaceType>();
    foreach (ClassType value in originalist)
    {
        InterfaceType itype = value;
        list.Add(itype);
    }
    return list;
}
Edited to give example on how to use extension method:
interface B {}
class A : B {}
class C {
    List<B> Test()
    {
        List<A> list = new List<A>();
        return list.ConvertClassItemToInterfaceItem<B, A>();
    }
}
modified 16-Apr-14 13:20pm.