C#

 
General: load values into the dataset from the xml (dhol, 30-Dec-04 19:11)
General: Programmatically Selection of Language (SoloVision, 30-Dec-04 18:22)
General: Re: Programmatically Selection of Language (Heath Stewart, 30-Dec-04 20:14)
General: programmatically scroll a richtextbox (Tyrus182, 30-Dec-04 14:46)
General: Re: programmatically scroll a richtextbox (Heath Stewart, 30-Dec-04 20:06)
General: using non true type or open type fonts (Tyrus182, 30-Dec-04 14:43)
Question: what is wrong here? (kings_1, 30-Dec-04 11:38)
Answer: Re: what is wrong here? (Heath Stewart, 30-Dec-04 12:06)
Where do I begin? First of all, why are you using the literal string operator @? The way you're using it doesn't add anything to your statements because they only matter at compile time and will not automatically escape what you have in your text boxes, etc. They simply mean that when the source is compiled the string at that point will not expand escape sequences and can span lines until terminating with another double-quote.

Second, NEVER use string concatenation to build SQL queries. All someone has to do is insert the following into one of your text boxes and you're 0wned:
2 or 1=1; delete from CompTax --
Now your CompTax table is gone. Worse can happen, and don't think people won't figure it out because disassemblers and decompilers are readily available and obfuscation helps little for seasoned pros. ildasm.exe - a disassembler - even comes with the .NET Framework SDK.

Also use parameterized queries:
using System.Data;
using System.Data.SqlClient;

// Assumed from the question: conn is a SqlConnection and cmd a SqlCommand
// created from it, e.g. SqlCommand cmd = conn.CreateCommand();
cmd.CommandText = @"UPDATE CompTax SET
TeorBohen = @TeorBohen,
TechName = @TechName,
TipolDate = @TipolDate,
TipolStartHouse = @TipolStartHour,
Statos = @Statos
WHERE CartisNum = @CartisNum";
// Typed parameters: the text box values never become part of the SQL text.
cmd.Parameters.Add("@TeorBohen", SqlDbType.NVarChar, 40).Value = RbTeorBohen.Text;
cmd.Parameters.Add("@TechName", SqlDbType.NVarChar, 128).Value = tbTech.Text;
cmd.Parameters.Add("@TipolDate", SqlDbType.DateTime).Value = dt1;
// ... on and on ...
try
{
  conn.Open();
  cmd.ExecuteNonQuery();
}
finally
{
  conn.Close(); // release the connection even if the command throws
}
Notice how we even assign the appropriate types to the parameters? Not only does using parameters strengthen your security (this eliminates most - if not all - SQL injection attacks), but it also makes it easier to execute commands. You don't have to worry about encoding your commands anymore like you do with ASP, PHP, etc. This makes batch updates a breeze, too: add the parameters once, then loop through your values setting each parameter, executing the command, then repeating.

EDIT: The above parameter syntax is for SQL Server. Oracle uses ":name" and the OLE DB provider uses only "?" (unnamed; you have to add the OleDbParameters in order of how "?"'s are declared in the SQL expression). Read about the variable IDbCommand implementations like SqlCommand, OleDbCommand, etc., and their respective Parameters properties, for more information.

This posting is provided "AS IS" with no warranties, and confers no rights.

Software Design Engineer
Developer Division Sustained Engineering
Microsoft

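A fuller version of the parameterized approach, as an added example that is not part of Heath Stewart's post: it places the concatenated query the post warns against next to the parameterized UPDATE, adds a type check on the key column before anything reaches the database, and uses the add-once/loop batch pattern the post describes inside a single transaction. The CompTax table and its column names come from the thread; the connection string, the TipolRow class and the sample values are assumptions.

```csharp
// Added example, not code from the original post. It keeps the CompTax table and
// the column/parameter names from the thread; the connection string, the
// TipolRow class and the row values are hypothetical.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Globalization;

public class TipolRow
{
    public int CartisNum;
    public string TeorBohen;
    public string TechName;
    public DateTime TipolDate;
}

public static class CompTaxUpdater
{
    // The pattern the post warns against: text-box content is spliced into the SQL
    // text, so whatever the user typed is parsed by SQL Server as part of the command.
    public static string BuildConcatenatedSql(string cartisNumText, string teorBohen)
    {
        return "UPDATE CompTax SET TeorBohen = '" + teorBohen + "' WHERE CartisNum = " + cartisNumText;
    }

    // Validate the key before it goes anywhere: anything that is not a whole number
    // (such as the "2 or 1=1; delete from CompTax --" input from the post) is rejected.
    public static bool TryParseCartisNum(string text, out int cartisNum)
    {
        return int.TryParse(text, NumberStyles.Integer, CultureInfo.InvariantCulture, out cartisNum);
    }

    // Parameterized form with the batch pattern from the post: parameters are added
    // once, then each row only assigns values and executes. The SQL text never changes,
    // so user input cannot alter the statement's structure.
    public static int UpdateRows(string connectionString, IList<TipolRow> rows)
    {
        int affected = 0;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText =
                "UPDATE CompTax SET TeorBohen = @TeorBohen, TechName = @TechName, " +
                "TipolDate = @TipolDate WHERE CartisNum = @CartisNum";

            // Typed parameters; the lengths match the column sizes assumed here.
            SqlParameter pTeor = cmd.Parameters.Add("@TeorBohen", SqlDbType.NVarChar, 40);
            SqlParameter pTech = cmd.Parameters.Add("@TechName", SqlDbType.NVarChar, 128);
            SqlParameter pDate = cmd.Parameters.Add("@TipolDate", SqlDbType.DateTime);
            SqlParameter pNum  = cmd.Parameters.Add("@CartisNum", SqlDbType.Int);

            conn.Open();
            // One transaction for the whole batch: either every row is updated or none is.
            using (SqlTransaction tx = conn.BeginTransaction())
            {
                cmd.Transaction = tx;
                foreach (TipolRow row in rows)
                {
                    pTeor.Value = row.TeorBohen;
                    pTech.Value = row.TechName;
                    pDate.Value = row.TipolDate;
                    pNum.Value  = row.CartisNum;
                    affected += cmd.ExecuteNonQuery();
                }
                tx.Commit();
            }
        }
        return affected;
    }

    public static void Main()
    {
        // Constructed input: a valid key and the injected string quoted in the post.
        int n;
        Console.WriteLine(TryParseCartisNum("2", out n));
        Console.WriteLine(TryParseCartisNum("2 or 1=1; delete from CompTax --", out n));

        // Hypothetical connection string; the update itself needs a real server.
        List<TipolRow> rows = new List<TipolRow>();
        rows.Add(new TipolRow { CartisNum = 2, TeorBohen = "example", TechName = "tech", TipolDate = DateTime.Today });
        // int affected = UpdateRows("Server=.;Database=CompTaxDb;Integrated Security=true", rows);
    }
}
```

For the OLE DB provider mentioned in the edit above, the same structure applies with "?" placeholders in the SQL text and OleDbParameter objects added in the order the "?"s appear, since that provider does not use names.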
General: Re: what is wrong here? (kings_1, 30-Dec-04 19:46)
General: Re: what is wrong here? (Heath Stewart, 30-Dec-04 20:01)
General: Re: what is wrong here? (kings_1, 31-Dec-04 0:59)
General: Re: what is wrong here? (Heath Stewart, 31-Dec-04 6:10)
General: Re: what is wrong here? (kings_1, 31-Dec-04 7:15)
General: Re: what is wrong here? (Heath Stewart, 31-Dec-04 8:05)
General: Hidden Window Screenshot (eggie5, 30-Dec-04 10:21)
General: Re: Hidden Window Screenshot (Heath Stewart, 30-Dec-04 11:53)
General: Re: Hidden Window Screenshot (eggie5, 30-Dec-04 16:40)
General: Re: Hidden Window Screenshot (Heath Stewart, 30-Dec-04 19:51)
General: generate a random number of the bignumber (asmyan, 30-Dec-04 9:18)
General: Re: generate a random number of the bignumber (Heath Stewart, 30-Dec-04 9:45)
General: Re: regarding dundas evaluation version (Heath Stewart, 30-Dec-04 9:14)
General: Sorry for asking such a question (asmyan, 30-Dec-04 17:29)
General: Re: Sorry for asking such a question (Heath Stewart, 30-Dec-04 19:53)
General: Re: regarding dundas evaluation version (Nick Parker, 30-Dec-04 9:40)
General: Problem running release build on non-development machine (rahmanasdf, 30-Dec-04 7:16)
