Any variable inserted should be using a parameter. Also strings.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
```csharp
con.Open();
com.Connection = con;
// The text box values are concatenated straight into the SQL statement text
com.CommandText = @"insert into table1 (name,family,id)values('" + textbox1.Text + "','" + textbox2.Text + "','" + textbox3.Text + "')";
com.ExecuteNonQuery();
con.Close();
```
I'm using this type of insert without an SQL parameter, so is it wrong?
mohammadkaab wrote: I'm using this type of insert without an SQL parameter, so is it wrong?
Yes/no. It's not "wrong" in the sense that it will not compile or run, but it is wrong in the sense of security. It's recommended to use parameters to prevent SQL-injection attacks. Concatenating strings is heavily frowned upon, and it also gives one a headache with formatting dates in different parts of the world.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Try typing the following in textbox3 :
Robert');drop table table1;--
Your query now becomes:
insert into table1 (name,family,id)values('me','Corleone','Robert');drop table table1;
That's two queries - one to insert a record, and one to drop the table. The -- comments out the rest of the query.
Congratulations - you've just met little Bobby Tables[^].
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Yes, it is wrong. Very wrong: anyone with access to the page that submits those text boxes, and an educated guess at the type of query they'll be used in, can now execute arbitrary queries against your database with all the permissions of your script (which, if you're allowing SQL injection, you probably haven't closed down properly either).
Using parameterised queries is most important when you accept free text from the user.
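The same INSERT from the question, rewritten with parameters, as an added example (this code is not from the thread or any of its posters). It assumes SQL Server via System.Data.SqlClient, a table `table1` with columns `name`, `family`, `id`, and a connection string passed in by the caller; the class and method names are made up for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class SafeInsert
{
    // Added example: the three text box values travel as typed parameters,
    // so the database engine receives them as data, never as SQL text.
    public static int InsertPerson(string connectionString, string name, string family, string id)
    {
        const string sql =
            "INSERT INTO table1 (name, family, id) VALUES (@name, @family, @id)";

        using (var con = new SqlConnection(connectionString))
        using (var com = new SqlCommand(sql, con))
        {
            // Sizes are assumptions; match them to the real column definitions.
            com.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            com.Parameters.Add("@family", SqlDbType.NVarChar, 100).Value = family;
            // The Bobby Tables input from the earlier reply, Robert');drop table table1;--
            // is stored verbatim in the id column here; no second statement is ever parsed.
            com.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = id;

            con.Open();
            return com.ExecuteNonQuery(); // rows affected: 1 on success
        }
    }
}

// Usage from the form (connectionString is a placeholder for your own):
// int rows = SafeInsert.InsertPerson(connectionString, textbox1.Text, textbox2.Text, textbox3.Text);
```

The same pattern fixes the date-formatting complaint above: a `SqlDbType.DateTime` parameter carries a `DateTime` value directly, so no culture-specific string ever reaches the database. Parameters stop injection but do not shrink what the connection's login is allowed to do; the account used by the application should still only have the rights the application needs.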
Seriously, as the others have said, doing this is an enormous security hole. You might as well give users direct access to your database.
Now that at least three regular members of the site have told you this, hopefully you'll get an idea of how bad it is to do this.
“Education is not the piling on of learning, information, data, facts, skills, or abilities - that's training or instruction - but is rather making visible what is hidden as a seed” “One of the greatest problems of our time is that many are schooled but few are educated”
Sir Thomas More (1478 – 1535)
Maybe the OP can tell us what his eventual web site address will be so we can all avoid it?
... and no offense to the OP, but there should be some sort of test or something before people are allowed to write code that goes out on the net. What if he is writing a web site for kids and putting together the data access layer like this? I shudder to think about the black hats that would be licking their chops to get at the data with something as trivial as the SQL injection attack he is inviting with his code.
For me the best mode is to use a parameter.
However, you can try to convert the image to a byte[] and then to a string:
```csharp
var str = System.Text.Encoding.Default.GetString(byteArray);
```
but I'm not sure that it works.
How do I change user properties?
```csharp
using System;
using System.Collections.ObjectModel;
using System.Management.Automation;
using System.Management.Automation.Runspaces;
using System.Windows.Forms;

// sUserName was not declared in the original post; it is taken as a parameter here
public string SetAttributesValue(string sUserName)
{
    try
    {
        // Load the Exchange management snap-in into a new runspace configuration
        RunspaceConfiguration rsConfig = RunspaceConfiguration.Create();
        PSSnapInException snapInException = null;
        PSSnapInInfo info = rsConfig.AddPSSnapIn("Microsoft.Exchange.Management.PowerShell.Admin", out snapInException);
        using (Runspace myRunSpace = RunspaceFactory.CreateRunspace(rsConfig))
        {
            myRunSpace.Open();
            Pipeline pipeLine = myRunSpace.CreatePipeline();
            // Get-User with -Identity passed as a cmdlet parameter, not as a string
            Command myCommand = new Command("Get-user");
            myCommand.Parameters.Add("Identity", sUserName);
            pipeLine.Commands.Add(myCommand);
            Collection<PSObject> commandResults = pipeLine.Invoke();
            foreach (PSObject cmdlet in commandResults)
            {
                // The loop body is empty in the original post: nothing is read or changed here yet
            }
            // Note: ToString() on a Collection<PSObject> returns the type name, not the results
            return commandResults.ToString();
        }
    }
    catch (Exception Ex)
    {
        MessageBox.Show(Ex.Message);
    }
    return null;
}
```
Hey, I'm working on a project. I am developing it in Visual Studio 2010, C# WinForms and DevExpress (also trying to change it to WPF MVVM).
It's a kind of toolbox. The toolbox should be generic, i.e. if any new tool is added, the toolbox should automatically add it (when on the network). Toolbox and tools should both auto-update (I am using ClickOnce for this). I am using Process.Start to run a tool from the toolbox (because toolbox and tools are loosely coupled). But now the new requirement is that the DLLs used by the different tools should reside with the toolbox only, and the tools should only have a reference to them (I find it very difficult because the toolbox is loosely coupled with the tools). So if you can suggest anything that can help me keep all DLLs with one application (toolbox) while the others (tools) only use a reference to it... Or, in another solution, if we have tight coupling between toolbox and tools (one solution, multiple projects), then how can we achieve this function (DLLs in only one place) and also the auto-update (because ClickOnce does not support multi-project deployment as far as I know)? Any help on this is appreciated.
JP
SSE
Read up on interfaces; create one in a new dll, and reference that from the toolbox and the tools.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
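An added sketch of the interface-in-a-shared-DLL approach suggested above (not code from the thread or from the poster). The three sections stand for three separate projects in one solution; the names `ITool`, `HelloTool`, `ToolLoader` and the tool folder are assumptions for illustration.

```csharp
// --- Contracts.dll: the only assembly both the toolbox and every tool reference ---
namespace Contracts
{
    public interface ITool
    {
        string Name { get; }
        void Run();
    }
}

// --- SampleTool.dll: a tool; references Contracts.dll and nothing else of the toolbox ---
namespace SampleTool
{
    public sealed class HelloTool : Contracts.ITool
    {
        public string Name { get { return "Hello"; } }
        public void Run() { System.Console.WriteLine("Hello from a tool"); }
    }
}

// --- Toolbox.exe: discovers tools at run time through the shared contract ---
namespace Toolbox
{
    using System;
    using System.Collections.Generic;
    using System.IO;
    using System.Reflection;
    using Contracts;

    public static class ToolLoader
    {
        // Loads every ITool implementation found in the DLLs of one directory.
        public static IList<ITool> LoadTools(string toolDirectory)
        {
            var tools = new List<ITool>();
            // Scan only the toolbox's own tool folder: any assembly loaded here runs
            // with the full rights of the toolbox process, so the folder must not be
            // writable by ordinary users.
            foreach (string file in Directory.GetFiles(toolDirectory, "*.dll"))
            {
                Assembly asm = Assembly.LoadFrom(file);
                foreach (Type t in asm.GetTypes())
                {
                    if (t.IsClass && !t.IsAbstract && typeof(ITool).IsAssignableFrom(t))
                        tools.Add((ITool)Activator.CreateInstance(t));
                }
            }
            return tools;
        }
    }
}

// Usage in the toolbox (the "Tools" sub-folder is an assumed layout):
// foreach (var tool in Toolbox.ToolLoader.LoadTools(Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Tools")))
//     Console.WriteLine(tool.Name);
```

With this layout the shared DLLs live next to the toolbox, the tools only carry a reference to Contracts.dll, and tools can still be started in-process instead of via Process.Start. MEF, mentioned later in this thread, automates the discovery loop above.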
Thank you. I am working on the solution you suggested. Will post my reply as soon as I get it working.
Good luck. I'd recommend doing a small test project in a new and clean solution. That way you can focus on this particular task without being bugged by any other code.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
What about MEF[^]?
Thanks
-Amit Gajjar (MinterProject)
Hi Amit, thanks for the suggestion. I don't know much about MEF, but I will surely look into this direction as well.
Hi everyone,
I am creating an XML spreadsheet in C# and saving it as an Excel file (.xls). After creating it, I have an Excel file whose size is 500KB.
But after opening it and clicking the "Save" button without changes, the new size is 2.5MB.
Does anyone know why, and how to fix it?
Please see my excel file at the link: http://www.mediafire.com/?5irdbchc10nonq4[^]
Thanks and regards,
Tai
What makes you think this is a problem, you are expecting an xls file to be the same size as a text file!
Never underestimate the power of human stupidity
RAH
Hi RAH,
The change in file size after saving the Excel file is a problem. It makes the file slower to open.
Thanks and regards,
taibc wrote: It makes the file slower to open
Amazing, imagine that. Sorry, sarcasm got the better of me.
To test the Excel size, why don't you copy/paste the data from your sheet to a new sheet, save it and compare the sizes. Only if the new file is not 2.5MB do you have a problem.
Never underestimate the power of human stupidity
RAH
Hi Rah,
I did as you suggested. The new file is 200KB. I still don't know why. Could you please open and check that file?
Thanks and regards,
taibc wrote: Could you please open and check that file
Sorry, I am not an Excel expert. I suggest you chase this down through the MSDN forums, as I would think it is an Excel problem, not a C# issue.
Never underestimate the power of human stupidity
RAH
Yes, thank you.
Maybe there is something wrong with my xml string format
taibc wrote: I have an Excel file whose size is 500KB.
But after opening it and clicking the "Save" button without changes, the new size is 2.5MB.
It's by design. XML is exactly that: XML, not an XLS file. If you open it in Excel, it'll parse it correctly. But save it in Excel, and it'll generate an Excel file (.xls), and not write in your XML format.
You might want to use a CSV file instead.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]
Hi Eddy,
Thank you.
So, I can save the XML string as a "CSV" file? But I want to create an .xls file from the XML string.
Do you have any ideas ?
taibc wrote: But I want to create an .xls file from the XML string.
XML is not a native Excel format. Creating an .xls file is not the same as dumping your data as XML and renaming the extension: it will still be XML (even if Excel can read it without problems), and as soon as you save it, it will become a "real" XLS file. That will contain more than XML, as it will even contain properties that identify the author.
taibc wrote: So, I can save the XML string as a "CSV" file? But I want to create an .xls file from the XML string.
CSV would behave in a similar way, but at least it'd be very clear that it's no longer an Excel file.
If you want a "real" Excel file (the large ones), you'll need to create a file using Excel interop and move the XML values into a worksheet.
Bastard Programmer from Hell
If you can't read my code, try converting it here[^]