Avoiding SQL Injections

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Ado
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - Cast from untyped to typed DataRow I have a typed DataSet and I execute the Select Methd on one of the DataTables. Later I have to assign the first row returned by this Select (which is a plain, untyped DataRow) to a typed DataRow variable. I use cast, but it fails at runtime: "Specified cast is not valid".Is there any way around? Am I doing something wrong? Tag: Avoiding SQL Injections Tag: 106819
  - 2
    - ADO time limit bug: DB connecting to itself Dear all, I would be grateful for any help with this issue. I have written the code below which is executed by a button on a form in an Access 2000 database in windows 2000. The idea is programmatically to copy a table called tblPubs (a table of newspapers) into a local database shell in order to allow new publications to show up, and essentially retrieve the most up to date version of the database for the remote user (i.e. a remote database "synchs" with a master database in a different office, but through a dial-up connection). The problem is extraordinary. I am using ADO (which is relatively new to me). I simply want to delete existing local tblPubs and copy remote tblPubs into this database. I am using the SELECT INTO sql statement below, and it creates the table OK, but when I set the primary key / or simply put an index on a column (using in all cases the Command object), it *only works from time to time*. The crucial factors seems to be that a) it always works if I step through the code step by step SLOWLY b) it occasionally works if I wait a few seconds before adding the index / primary key. Am I right in thinking that MS Access 2000 is taking time to refresh the ADO connection to itself and that I would have to put all of this code into a new, third file which simply executes instructions on otherwise unopened databases? Or, is there a way to "refresh" the CurrentConnection object? The error message, by the way, is simply that it cannot "find" the new tblPubs, and hence it is unablee to create an index / primary key in it. The code is pasted below as two functions: one to copy the table and one to create the index. I dearly hope that someone has come across this before and is able to help me! Many thanks, Gwyn -- Gwyn Evans Database Developer Private Sub btnGetLatestTables_Click() On Error GoTo Err_btnGetLatestTables_Click 'Gets the latest tblPubs Dim cnxRemoteMedia As ADODB.Connection Dim cnxLocalMedia As ADODB.Connection Dim strDbLocal As String Dim strDbMaster As String Dim strCnxBase As String Dim rstMaster As ADODB.Recordset Dim objCom As ADODB.Command Dim objLocalCommand As ADODB.Command strCnxBase = "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" strDbMaster = "\\srv3\Databases\New Media And Press Cuttings\MediaTest.mdb" strDbLocal = "c:\Gwynevans\New Media And Press Cuttings\SarahGodley_V3.mdb" Set cnxLocalMedia = CurrentProject.Connection Set cnxRemoteMedia = New ADODB.Connection cnxRemoteMedia.Open strCnxBase & strDbMaster Set objCom = New ADODB.Command With objCom .ActiveConnection = cnxRemoteMedia End With Set objLocalCommand = New ADODB.Command With objLocalCommand .ActiveConnection = cnxLocalMedia .CommandText = "DROP TABLE tblPubs" .CommandType = adCmdText .Execute End With With objCom .CommandText = "SELECT * INTO tblPubs IN " & Chr(34) & strDbLocal & Chr(34) & "FROM tblPubs" .CommandType = adCmdText .Execute End With Set objLocalCommand = Nothing cnxLocalMedia.Close Set cnxLocalMedia = Nothing 'Set rstMaster = New ADODB.Recordset ' rstMaster.Open "tblPubs", cnxRemoteMedia, adOpenForwardOnly, adLockReadOnly, adCmdTable ' rstMaster.MoveFirst ' MsgBox rstMaster!PubID & ", " & rstMaster!Publication Set objCom = Nothing cnxRemoteMedia.Close Set cnxRemoteMedia = Nothing MsgBox "I have replaced the Publications table", vbInformation, "Remote Synched" Exit_btnGetLatestTables_Click: Exit Sub Err_btnGetLatestTables_Click: MsgBox Err.Description Resume Exit_btnGetLatestTables_Click End Sub Private Sub btnRecreateIndex_Click() DoCmd.Hourglass True Me.TimerInterval = 3 * 1000 ' 3 secs DoCmd.Hourglass False Dim cnxDoIndex As ADODB.Connection Dim objLocalIndex As ADODB.Command 'Now re-open it to create the index! Set cnxDoIndex = CurrentProject.Connection Set objLocalIndex = New ADODB.Command With objLocalIndex .ActiveConnection = cnxDoIndex .CommandText = "ALTER TABLE tblPubs ADD PRIMARY KEY (PubID)" '.CommandText = "CREATE INDEX PubIndex ON tblPubs (PubID)" .CommandType = adCmdText .Execute End With cnxDoIndex.Close Set cnxDoIndex = Nothing MsgBox "Index Recreated", vbInformation, "Synch complete" End Sub Tag: Avoiding SQL Injections Tag: 106817
  - 3
    - Retrieving new information Hi, I'm an ADO.NET beginner. I have an application in which all my database updates are done on the main form. It includes numerous dialogs which access the dataset information, then the dataset is updated when returning to the main form. If one user goes to one form and edits new data and enters new rows, the database itself is updated accordingly, but that new information is not retrieved by other users. How can I fill the dataset with new/different information entered by other users without clearing all the dataset tables and refilling them? Thanks, Nathan Tag: Avoiding SQL Injections Tag: 106812
  - 4
    - How to add and call multiple subreports from the header report Hi, I have to add three sub reports to a single report based on three different field values so Can I add several sub reports to a single report if yes then how. Please send the detail flow. Eagerly waiting for response. Almannan M. K. Tag: Avoiding SQL Injections Tag: 106810
  - 5
    - Transaction context in use by another session We are getting this error intermittently and I have failed to find find a solution since I don't fully understand the issue. All I can gather is that the transaction is running too long and this is the cause of the problem (?) If someone could suggest a solution I would really appreciate it, or give more clues on the cause of the error. Shortening the time the transaction runs is not really possible since we use a payment gateway which can take up to 2-3 minutes. PL. Tag: Avoiding SQL Injections Tag: 106809
  - 6
    - Concurrent Connections / Shared Transaction Greetings, I have two SqlCommands objects that each need to execute concurrently but I want them both to be a part of the same transaction. What I'm doing is created one SqlCommand and Beginning a transaction. I have another SqlCommand that is being executed from within an Asynchronous delegate that needs to participate in the same transaction. The problem is that I get the infamous exception stating that the connection is already in use. COM+ is not an answer here. What I want to know is if there is a way to make this work correctly using only ADO.NET? Thanks, Shawn Tag: Avoiding SQL Injections Tag: 106807
  - 7
    - Dataset Hi, I am searching for file name in database. From SQL Server Stored Procedure i get data into DataAdapter. From DataAdapter i fill into dataset, and i show the records in datagrid. From 2 lakh record, my stored procedure checks for validation and give me 10 records. It takes much time. So i am planning to fetch all records into dataset when application starts(in a seperate thread). This dataset remains until i close my application. For searching i can going to use filter. So, my question is... When i store 2 lakh record in dataset, Will it reduce the performance? Where does this dataset temporarily store 2 lakh record? Is it advisable to fetch all records in dataset in a separate thread? Thanking you in advance Regards S. Krishna Kumar Tag: Avoiding SQL Injections Tag: 106806
  - 8
    - Sceppa's ADO.Net Bible Question In Chap 13 David shows you how to bind a second form to the same data source by passing the CurrencyManager as an arg to the EditDetail Method of the second form: Public Sub EditDetail(byval CM as CurrencyManager) drvDetail = Ctype(CM.Current, DataRowView) vueDetail = drvDetail.DataView Me.BindingContext(vueDetail).Position = CM.Position I have run into a problem that I am really stumped on - if the CM passed in has no Current position, which would be the case if you were possibly adding the first row to a child table, then you can not get at the DataView. Is there some other way to get to the DataView? This is also a problem I am faced with when I have a DataView of a parent table and use the following code to bind children where the DataMember is a relationship: With grdGuestContacts .DataSource = oParentsView .DataMember = "tblGueststblGuestContacts" CM = CType(Me.BindingContext(.DataSource, .DataMember), CurrencyManager) end with If the child table has no records there is no way (that I know of) to get at the DataView in order to disable AllowNew because CM.Current is NOT on a current record. Any ideas? -- -------------------------- Thanks - Jay Pondy -------------------------- We see the world, not as it is, but as we are. Tag: Avoiding SQL Injections Tag: 106800
  - 9
    - General network error from SQL Server Hi, I have a .NET web application which is distributed across 3 physical tiers. The application and web tier communicate via .NET Remoting. All calls to SQL server is made only from the application tier. Both application and web tier are configured for network load balancing and the SQL Server is configured on a active/passive cluster. All tiers run on Win2K3 and the .NET framework 1.1 is installed on app and web tier. Of late, I have been getting a â??General network errorâ?? from SQL Server, which is thrown as a System.Data.SqlClient.SQLException by the app tier, which is then recorded in the event log. Please find the complete exception stack trace at the bottom of this posting. Due to the â??connection brokenâ?? error, the users experiences severe data loss and query execution failures. In order to give you an idea of how the I use the connections I have included a few lines from my code below. Class SqlDAO { private SqlConnection connection; protected bool isDisposed; public SqlDAO() { isDisposed = false; GetDatabaseConnection(); } public void Dispose() { CloseDatabaseConnection(); isDisposed = true; GC.SuppressFinalize(this); return; } public void Finalize() { if (!isDisposed) { CloseDatabaseConnection(); isDisposed = true; } return; } private void CloseDatabaseConnection() { connection.Close(); connection.Dispose(); } private void GetDatabaseConnection() { try { if (connection == null && isDisposed == false) { connection = new SqlConnection(<SQL_CONNECTION_STRING>); } if (connection != null) { if (connection.State != ConnectionState.Open) { connection.Open(); } } } catch(SqlException ex) { throw new DBConnectionFailedException ("Database Connection Failure.",ex); } } private void PrepareCommand( SqlCommand command, SqlTransaction transaction, string storedProcName, SqlParameter[] commandParameters) { // check the status of the database connection GetDatabaseConnection(); // associate the connection with the command command.Connection = connection; // set the command text (stored procedure name) command.CommandText = storedProcName; // if we were provided a transaction, assign it. if (transaction != null) { command.Transaction = transaction; } // set the command type command.CommandType = CommandType.StoredProcedure; // attach the command parameters if they are provided if (commandParameters != null) { AttachParameters(command, commandParameters); } return; } private void AttachParameters(SqlCommand command, SqlParameter[] commandParameters) { foreach (SqlParameter p in commandParameters) { // check for derived output value with no value assigned if ((p.Direction == ParameterDirection.InputOutput) && (p.Value == null)) { p.Value = DBNull.Value; } command.Parameters.Add(p); } } protected DataTable ExecuteDataset(string storedProcName, params SqlParameter[] commandParameters) { // create a command and prepare it for execution SqlCommand cmd = new SqlCommand(); PrepareCommand(cmd, (SqlTransaction)null,storedProcName, commandParameters); // create the DataAdapter & DataSet SqlDataAdapter da = new SqlDataAdapter(cmd); //Create a new data table object DataTable dt = new DataTable(); // fill the DataTable da.Fill(dt); // detach the SqlParameters from the command object, // so they can be used again. cmd.Parameters.Clear(); return dt; } } *************************************************************** class LookupDAO: SqlDAO { Dataset ds; Public LookupDAO() { ds = new Dataset(); } public Dataset SelectUniqueParticipantLastNames(short regionID, short participantStatusID) { try { // Set up parameters (1 input and 1 output) SqlParameter [] arParms = new SqlParameter[3]; // Region ID Input parameter arParms[0] = new SqlParameter("@RegionID", LookupConstants.REGION_ID_DT); arParms[0].Value = regionID; // Participant Status ID Input parameter arParms[1] = new SqlParameter("@StatusID", LookupConstants.STATUS_ID_DT); arParms[1].Value = participantStatusID; // ReturnStatus Output Parameter arParms[2] = new SqlParameter("@ReturnStatus", CommonDBConstants.RETURN_STATUS_DT ); arParms[2].Direction = ParameterDirection.Output; DataTable dt = ExecuteDataset( "Sp_GetParticipantByRegionAndStatus", arParms); if ( int.Parse(arParms[2].Value.ToString()) != 0) return lookupDTO; dt.TableName = TableConstants.PARTICIPANT_TABLE; ds.Tables.Add(dt); } catch(System.Exception ex) { throw new QueryExecutionFailedException("Participant Search Failure",ex); } return ds; } } ************************************************************ ************************************************************ Exception Information ********************************************* Exception Type: System.Data.SqlClient.SqlException Errors: System.Data.SqlClient.SqlErrorCollection Class: 20 LineNumber: 0 Message: General network error. Check your network documentation. Number: 11 Procedure: ConnectionWrite (send()). Server: State: 0 Source: .Net SqlClient Data Provider TargetSite: System.Data.SqlClient.SqlDataReader ExecuteReader(System.Data.CommandBehavior, System.Data.SqlClient.RunBehavior, Boolean) HelpLink: NULL StackTrace Information ********************************************* at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior) at System.Data.SqlClient.SqlCommand.System.Data.IDbCommand.ExecuteReader(CommandBehavior behavior) at System.Data.Common.DbDataAdapter.FillFromCommand(Object data, Int32 startRecord, Int32 maxRecords, String srcTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataTable dataTable, IDbCommand command, CommandBehavior behavior) at System.Data.Common.DbDataAdapter.Fill(DataTable dataTable) at Us.Idhw.Rms.Biz.Util.SqlDAO.ExecuteDataset(String storedProcName, SqlParameter[] commandParameters) at Us.Idhw.Rms.Biz.Lookup.LookupDAO.SelectUniqueParticipantLastNames(Int16 regionID, Int16 participantStatusID). ************************************************************ ************************************************************I have searched various newsgroups for a resolution but nothing seem satisfactory. I am not sure if this is purely a network, database server, user load or connection pooling problem. Any suggestions and pointers would be greatly appreciated. Thank you. Magdelin Tag: Avoiding SQL Injections Tag: 106799
  - 10
    - Data Access Application Block Question - return param I dont know if this is the correct group to place this question, but it seemed like the most likely. In the DAAB, I dont see any methods that return a parameter. Is there an NonExecuteQuery method where I can use a return parameter? Thanks. -- moondaddy@nospam.com Tag: Avoiding SQL Injections Tag: 106798
  - 11
    - quick question when creating an instance of a Command object can you do mulitple inserts? or would i have to keep creating a new instance each time i wanted a new row? if you can do multiples, how would i instantiate that same obj each time? Dim cmd As New OleDbCommand("Insert into TimeCard2(Empl_id,balance_date,Reg_Hours)VALUES('E1234','3/05/2005','8'")",New OleDbConnection(strConnection)) Dim cmd2 As New OleDbCommand("Insert into TimeCard2(Empl_id,balance_date)VALUES('E4567','3/06/2005','12'")",New OleDbConnection(strConnection)) thanks as usual rik ********************************************************************** Sent via Fuzzy Software @ http://www.fuzzysoftware.com/ Comprehensive, categorised, searchable collection of links to ASP & ASP.NET resources... Tag: Avoiding SQL Injections Tag: 106797
  - 12
    - Attach a DataTable to a DataSet I have a business object that return the list of contacts to the user interface. Here is the code of the method: public DataTable getContact () { // I know, this part should be in the Data Layer... SqlConnection conn = new SqlConnection (...); DataSet dsContact = new DataSet (); SqlDataAdapter adptContact = new SqlDataAdapter ("SELECT * FROM Contact ORDER BY Contact", conn); adptContact.Fill (dsContact, "Contact"); return dsContact.Tables ["Contact"]; } The user interface should get the list and add it to it's DataSet. A control will then be bounded to this list. I have some questions: - Must I pass through a DataSet and a DataAdapter class to fill a DataTable? - I return a DataTable instead of a DataSet because I figure that it is smaller and should be faster. Am I right in this assumption? - When a DataTable (or DataSet) is passed like this between layers, what is really passed between the EXE and the DLL, a XML string or the object is marshalled and passed? - In the user interface, I would like to put all the tables I get like this in a DataSet instead of defining a property for each one, but I can't get the DataSet to add the DataTable. Here is the code: Contact contact = new Contact (); DataTable dtContact = contact.getContact (); dsMain.Tables.Add (dtContact); // Exception is throwed here Any suggestions? TIA Tag: Avoiding SQL Injections Tag: 106795
  - 13
    - Please help Hello, I'm working on a asp.net project under VS-2003. I have created a database project and created some stored procedures. When I run my app, I get the error - "Stored procedure not found". Do I need to make a copy of my SP to the database thru Server Explorer? Also, when I try to put a breakpoint in the SP thru VS, I do not see the red dot that I normally see in the code. Please help. Tag: Avoiding SQL Injections Tag: 106794
  - 14
    - Access through Win2000 workstations Hi, We are installing our app in a customers network. The app is using ADO.NET with .NET Framework 1.1. DB is MSDE. The clients is running Win XP, 2000, ME and NT 4.0. The app is installed on the server and when we start it from the workstations is runs fine on the XP workstations but not on the 2000 and NT 4.0 workstations, where we get the following error message: MyApp.exe - Common Language Runtime Debugging Services Application has generated an exception that could not be handled... Is there a specific installation program for win 2000 and another for XP? I am at the customers site right now so if anybody has an idea it would be very nice to have it fast! Tag: Avoiding SQL Injections Tag: 106792
  - 15
    - Dataset relation on more than one column Hello. How would I go about creating a single relationship between two tables by more that one column? Just specify the same relationship name? Thanks in advance, Mike Tag: Avoiding SQL Injections Tag: 106789
  - 16
    - Failed to connect DB Dear developers, Execption verifying password. Login failed for user 'NT AUTHORITY\NETWORK SERVICE'. my connection is correct... the connection string correct... but i dunno wat wrong wif that... thanks and advice. cheers, Wong CS Tag: Avoiding SQL Injections Tag: 106783
  - 17
    - excel formulas and visual c# .net Hi, I developed an application in visual c# .net This application reades an excel file and displays its contents into a dataGrid (OleDbDataAdapter). What I discovered is that if a cell in excel has a constant, then i can retrieve its contents. Also, if a cell has a formula (e.g. =K10) and K10 has a constant then it is also fine. But if the cell's properties are of Custom type, with type, say hh:mm, then i cannot get the contents to the dataGrid. Do you know why this is happening? Has anyone found a workaround for it? Thanks in advance Kostas -------------------------------- From: Kostas Alifantis ----------------------- Posted by a user from .NET 247 (http://www.dotnet247.com/) <Id>ICkne+DCCUWlYeHpuluf+w==</Id> Tag: Avoiding SQL Injections Tag: 106778
  - 18
    - max pool size reached on dev workstation In the course of debugging applications on my development workstation (ASP.NET 1.1.4322, SQL Server 2000, ADO.NET) the app will sometimes be unable to establish a database connection when I choose Debug->Start. (When stopped during debugging, the code does not always reach the Finally {} block where the connections typically get closed.) I get a timeout error indicating that max pool size may have been reached. Stopping and restarting SQL Server does not clear this problem, and so I have been rebooting. Is there another service that maintains the connection pool, which can be bounced to free the stuck connections? Thanks Timo Tag: Avoiding SQL Injections Tag: 106774
  - 19
    - Commit/Rollback Transaction generates an error. I have table Employee - Code varchar(5) Name varchar(100) Age int Using Ado.Net 1) Create a SQLConnection Object and open the connection. 2) Create a SQLCommand object using that connection. 3) Create a Transaction using SQLConnection.BeginTransaction(System.Data.IsolationLevel.ReadCommitted) 4) Attach the Transaction to the SQLCommand (ie. SQLCommand.Transaction= TransactionObject) 5) Execute an insert statement on the Employee Table using SQLCommand.ExecuteNonQuery() (ie. SQLCommand.CommandText = "Insert into Employee(Code, Name, Age) Values('ABC', 'ABCDEFG', '213')" SQLCommand.ExecuteNonQuery() ) 6) Call another function (eg: test()), which again inserts a record in the same table. This function would raise an sql exception, but we would ignore it in the function. (ie. Private Sub Test(ByRef oCmd As SqlCommand) Try oCmd.CommandText = "Insert into Employee(Code, Name, Age) Values('XYZ', 'XYZDEFG', '213a')" 'This would raise an error since Age is of Type Int oCmd.ExecuteNonQuery() Catch ex As Exception 'Ignore the error and return MsgBox(ex.Message) End Try End Sub ) 7) Issue Commit Statement (ie. TransactionObject.Commit()) This statement raises an error "The COMMIT TRANSACTION request has no corresponding BEGIN TRANSACTION." Source Code : ----------------- Imports System.Data.SqlClient Public Class Form1 Inherits System.Windows.Forms.Form Private oConn As SqlConnection Private oCmd As SqlCommand Private oTran As SqlTransaction #Region " Windows Form Designer generated code " Public Sub New() MyBase.New() 'This call is required by the Windows Form Designer. InitializeComponent() 'Add any initialization after the InitializeComponent() call End Sub 'Form overrides dispose to clean up the component list. Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean) If disposing Then If Not (components Is Nothing) Then components.Dispose() End If End If MyBase.Dispose(disposing) End Sub 'Required by the Windows Form Designer Private components As System.ComponentModel.IContainer 'NOTE: The following procedure is required by the Windows Form Designer 'It can be modified using the Windows Form Designer. 'Do not modify it using the code editor. Friend WithEvents Label1 As System.Windows.Forms.Label Friend WithEvents Label2 As System.Windows.Forms.Label Friend WithEvents Button1 As System.Windows.Forms.Button Friend WithEvents txtName As System.Windows.Forms.TextBox Friend WithEvents txtAge As System.Windows.Forms.TextBox Friend WithEvents txtCode As System.Windows.Forms.TextBox Friend WithEvents Label3 As System.Windows.Forms.Label <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent() Me.txtName = New System.Windows.Forms.TextBox Me.txtAge = New System.Windows.Forms.TextBox Me.Label1 = New System.Windows.Forms.Label Me.Label2 = New System.Windows.Forms.Label Me.Button1 = New System.Windows.Forms.Button Me.txtCode = New System.Windows.Forms.TextBox Me.Label3 = New System.Windows.Forms.Label Me.SuspendLayout() ' 'txtName ' Me.txtName.Location = New System.Drawing.Point(112, 40) Me.txtName.Name = "txtName" Me.txtName.Size = New System.Drawing.Size(128, 20) Me.txtName.TabIndex = 0 Me.txtName.Text = "Edward Fernandes" ' 'txtAge ' Me.txtAge.Location = New System.Drawing.Point(112, 80) Me.txtAge.Name = "txtAge" Me.txtAge.Size = New System.Drawing.Size(128, 20) Me.txtAge.TabIndex = 1 Me.txtAge.Text = "123" ' 'Label1 ' Me.Label1.Location = New System.Drawing.Point(16, 40) Me.Label1.Name = "Label1" Me.Label1.Size = New System.Drawing.Size(80, 24) Me.Label1.TabIndex = 3 Me.Label1.Text = "Name" ' 'Label2 ' Me.Label2.Location = New System.Drawing.Point(16, 80) Me.Label2.Name = "Label2" Me.Label2.Size = New System.Drawing.Size(80, 24) Me.Label2.TabIndex = 4 Me.Label2.Text = "Age" ' 'Button1 ' Me.Button1.Location = New System.Drawing.Point(40, 136) Me.Button1.Name = "Button1" Me.Button1.Size = New System.Drawing.Size(144, 23) Me.Button1.TabIndex = 5 Me.Button1.Text = "Add to DB" ' 'txtCode ' Me.txtCode.Location = New System.Drawing.Point(112, 8) Me.txtCode.Name = "txtCode" Me.txtCode.Size = New System.Drawing.Size(128, 20) Me.txtCode.TabIndex = 6 Me.txtCode.Text = "E1111" ' 'Label3 ' Me.Label3.Location = New System.Drawing.Point(16, 8) Me.Label3.Name = "Label3" Me.Label3.Size = New System.Drawing.Size(80, 16) Me.Label3.TabIndex = 7 Me.Label3.Text = "Code" ' 'Form1 ' Me.AutoScaleBaseSize = New System.Drawing.Size(5, 13) Me.ClientSize = New System.Drawing.Size(292, 272) Me.Controls.Add(Me.Label3) Me.Controls.Add(Me.txtCode) Me.Controls.Add(Me.Button1) Me.Controls.Add(Me.Label2) Me.Controls.Add(Me.Label1) Me.Controls.Add(Me.txtAge) Me.Controls.Add(Me.txtName) Me.Name = "Form1" Me.Text = "Form1" Me.ResumeLayout(False) End Sub #End Region 'Employee Table Defintion : 'Code varchar(5) 'Name varchar(100) 'Age int Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click oConn = New SqlConnection("Server=Localhost;user id=sa;password=sa;Initial Catalog=Northwind") oConn.Open() Try oTran = oConn.BeginTransaction(IsolationLevel.ReadCommitted) oCmd = New SqlCommand("", oConn) oCmd.CommandText = "Insert into Employee(Code, Name, Age) Values('" & txtCode.Text & "','" & txtName.Text & "','" & txtAge.Text & "')" oCmd.Transaction = oTran oCmd.ExecuteNonQuery() Call Test(oCmd) 'Call this method which generates an exception, which is ignored. oTran.Commit() 'This will raise an error "The COMMIT TRANSACTION request has no corresponding BEGIN TRANSACTION." Catch ex As Exception MsgBox(ex.Message) Try oTran.Rollback() 'This will raise an error "This SqlTransaction has completed; it is no longer usable." Catch ex1 As Exception MsgBox(ex1.Message) End Try Finally oConn.Close() End Try End Sub Private Sub Test(ByRef oCmd As SqlCommand) Try oCmd.CommandText = "Insert into Employee(Code, Name, Age) Values('ABC', 'ABCDEFG', '213a')" 'This would raise an error since Age is of Type Int oCmd.ExecuteNonQuery() Catch ex As Exception 'Ignore the error and continue MsgBox(ex.Message) End Try End Sub End Class Tag: Avoiding SQL Injections Tag: 106769
  - 20
    - Replacing internal with public in typed dataset? Hi! I would really like to use some of the internal constructors and properties in my typed dataset from another assembly. Does anyone know of a way to do this without writing proxy classes or manually changing the dataset.cs-file everytime it's been generated? Tag: Avoiding SQL Injections Tag: 106766
  - 21
    - Is it possible to set CommandTimeout at connection level? Our app uses third party component and we do not have source code. That component requires as parameter Connection object only and we do not have access to the Command object it creates inside. So if query it generates exceeds 30 seconds timeout exception occurs. Is it possible to set CommandTimeout at connection level? May be there is undocumented ConnectionString options? I can`t find it in MSDN. Please help Thanks in adv Serg Tag: Avoiding SQL Injections Tag: 106761
  - 22
    - Migrating SQLServer DBs to Sybase Hi there, i have to move a bunch of SQLServer DBs onto SYbase. My VB.NEt code uses all the functions in System.Data.SqlClient... do i need to change all my code now for sybase? And do I have to use ODBC? My expeerience here is limited! thanx iva ----------------------- Posted by a user from .NET 247 (http://www.dotnet247.com/) <Id>yhOJtDrRzECG6dxKq4vRlQ==</Id> Tag: Avoiding SQL Injections Tag: 106750
  - 23
    - Controls inside textbox Hi, I have a situation to place the Label controls inside the textbox or rich textbox in winforms. I have done that work using textbox.controls.add method. But when i was typing the characters inside the textbox, the label control is overlapping and this should not happen. Is there any way to work the label as text in the textbox or could any one give me the solution for this situation. Tag: Avoiding SQL Injections Tag: 106739
  - 24
    - Concurrently violation Hi All, I use CommandBuilder to create UpdateCommand. But it raise a "Concurrently violation" error. Could you tell us how to solve this problem. This error rarely happen. private static int Update(string name, DataRow row, string connection) { using(OleDbConnection cn = new OleDbConnection(connection)) { cn.Open(); OleDbCommand cmd = new OleDbCommand(name, cn); OleDbDataAdapter adapter = new OleDbDataAdapter(cmd); cmd.CommandType = CommandType.TableDirect; OleDbCommandBuilder sqlBuilder = new OleDbCommandBuilder(adapter); adapter.UpdateCommand = sqlBuilder.GetUpdateCommand(); return adapter.Update(new DataRow[]{row}); } } Thanks, Hung Tag: Avoiding SQL Injections Tag: 106737
  - 25
    - System.Data.SqlClient.SqlException: Timeout expired. I had large database (transaction record > 1 million) at SQL Server and I trying to load data from SQL Server into Datagrid via ASP.Net 1.1 and ADO.Netx. However, it give error message as below during processing. While I checked at Query Analyser, it take 2 minutes + for search this record and it is working fine. Questions? - What wrong at my coding? How about web.config? - How to resolve this issue? - Why ADO.Net / ASP.Net 1.1 does not support large connection pooling? Please advise. Many thanks. Error Message --------------- Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Data.SqlClient.SqlException: Timeout expired. The timeout period elapsed prior to completion of the operation or the server is not responding. Source Error: Line 90: Try Line 91: rptcon.Open() Line 92: Dim okrd As SqlDataReader = rptcmd.ExecuteReader() Line 93: Line 94: ReportDataGrid.DataSource = okrd ASPX Coding -------------- Dim rptcon As New SqlConnection(ConfigurationSettings.AppSettings("ConnectionString")) Dim rptcmd As New SqlCommand() rptcmd.CommandText = "Select GLDOC, GLDCT, gldate, GLEXA, GLEXR, account_num, amount from f0911" rptcmd.Connection = rptcon Try rptcon.Open() Dim okrd As SqlDataReader = rptcmd.ExecuteReader() ReportDataGrid.DataSource = okrd ReportDataGrid.DataBind() okrd.Close() Finally rptcon.Close() End Try End If Web.Config Coding ---------------------  <configuration> <appSettings> <add key="ConnectionString" value="server=SQLSVR;database=ERP;uid=User;pwd=User;" /> </appSettings> <system.web> <compilation debug="true" /> <authentication mode="Forms"> <forms name="ERP" loginUrl="authentication.aspx" protection="All" path="/" timeout="20"/> </authentication> <authorization> <allow users="user1,user2"/> <deny users="*"/> </authorization> <customErrors mode="Off" /> </system.web> </configuration> Tag: Avoiding SQL Injections Tag: 106736
- Next
  - 1
    - DataView rows - filtered hello, so the DataView object is confusing me. i have a dataset of a bunch of rows, some of white my page needs to filter out before binding. no problem, i make a new dataview, set a filter and then bind the dv to my page. ala: DataView myDV = New DataView(myDS.Tables[0], "Show=1", "ID DESC", DataViewRowState.CurrentRows); myRepeater.DataSource = myDV; ...this is cool and it only shows what its supposed to. however, what confuses me is... when i try to get the first row of my filtered view, i do this: someLabel.Text = myDV.Table.Rows[0][0]; ...i am getting a row that was filtered out! (the first row happens to be one i dont want to show). i had thought the DataView was a new collection of criteria-matching rows. whaaa? guess not. so i have two questions: 1) how does a DataList/Grid/whatever know to exclude binding filtered out items 2) how can i call up a single item from *only* the list of criteria-matching rows? thanks! matt Tag: Avoiding SQL Injections Tag: 106735
  - 2
    - Access query parameters not auto-created in Server explorer Hi all, I'm using an Access DB with a bunch of queries. I've created a web service in VS 2003 and have drag/dropped the queries onto the workspace. This works fine, but the parameters are not auto-created as they are with SQL Server, for example. Does anyone have an idea on what the problem is?? Thanks -------------------------------- From: Tim Young ----------------------- Posted by a user from .NET 247 (http://www.dotnet247.com/) <Id>XYHanVmXq0+rcAwYDhEtkQ==</Id> Tag: Avoiding SQL Injections Tag: 106734
  - 3
    - vb.net 2003 (Type your message here) I want to put the data I enter in my form using vb.net into a database using microsoft access -------------------------------- From: Derrick McDaniel ----------------------- Posted by a user from .NET 247 (http://www.dotnet247.com/) <Id>X5zGJFw8V0mMijW0TaBbmg==</Id> Tag: Avoiding SQL Injections Tag: 106725
  - 4
    - Fast retrieval of BLOB data Hello All, I am trying to retrieve blob data from the database using ADO=2E I= tried using the ADO streams and appendchunk/getchunk methods=2E= These work fine for data upload to the database=2E When I try to= download/retrieve data from the database it is very slow=2E BLOB= objects upto 1=2E5 MB can be downloaded pretty fast but I am= looking at storing/retrieving some large BLOB objects (upto= 20-40 MB) Is there any efficient and fast way that would save me on the= memory and give a good performance at the same time? Thank you very much=2E Best Regards, Purvi -------------------------------- From: Purvi Dholakia ----------------------- Posted by a user from =2ENET 247 (http://www=2Edotnet247=2Ecom/) <Id>G70qHPWVMEy2z+5uGHMcEA=3D=3D</Id> Tag: Avoiding SQL Injections Tag: 106716
  - 5
    - Sending data to access query from Visual .net form Hi There, I have made a query called "Schedule",in access using few tables. Has fields like Order #, Required Date, Quantity ordered etc.. Depending upon the Required date field I provide on the input of the query. The query filters and displays results based on that. I want to use a form using Visual .net. The form would have a calender on it, when the users clicks on a particular date. I want that date to be sent as an input to the Required date field for my "Schedule" and display the result on the form. I have been trying to use Ado.net, but not sure how to send this date information to the query in access. I will really appreciate if somebody can tell me how I can do this. thanks a million. -K Tag: Avoiding SQL Injections Tag: 106711
  - 6
    - Using IDataAdapter to fill a strongly-typed dataset We're using abstract interfaces for the data access in our classes. We're using strongly-typed datasets when using data adapters. We can use a SqlDataAdapter to fill a strongly-typed dataset using the Fill method, but we can't get the same result if we've cast the object to an IDataAdapter's fill method. Is it possible to fill a stronly-typed dataset using the interface? Thanks. --ROBERT Tag: Avoiding SQL Injections Tag: 106706
  - 7
    - Cannot open a password protected access database I am unable to open a password protected Access Database programtically. I have office 2003 installed on my machine. I am using the OleDb namespace in C#. I can open the database in access. I can open the database programatically if I remove the password. Here are the last 3 connection strings I've tried, with the Execption text that was generated for them. Tag: Avoiding SQL Injections Tag: 106702
  - 8
    - DataGrid paint exception when size too small I have a .NET windows forms application with one form displaying data. I have a tree view on the left side and the datagrid on the right side. Tree view allows the user to select verious items and based on that selection the datagrid is bound to the appropriate datasource and table from the database. This works well. The problem comes when I resize my form and the grid portion is not visible or just barely visible. Now when I perform the same operations by selecting various items in the tree I get an exception System.ArgumentException with Message : '0' is not a valid value for 'value'. 'value' should be between 'minimum' and 'maximum'. Source : System.Windows.Forms. This happens when I call SetDataBinding method. When I again resize the form so that the grid is more visible this problem goes away. I have also seen a bizzare display with red cross over the entire grid area when I resize the grid again. Is this a known issue in the datagrid ? Can somebody help me ? Thanks Tag: Avoiding SQL Injections Tag: 106701
  - 9
    - Default Value in Typed Dataset Hello in a strongly typed dataset, we can set defaults for each field. How can we set default for a datetime type field ? If I set it either to: now; Now; Now(), now() or DateTime.Now - it doesn't work. So how do I set it ? Thanks Tag: Avoiding SQL Injections Tag: 106700
  - 10
    - Parameter ?_1 has no default value I'm using the HierCube .net OLAP component from rainbowsoft (http://www.rbwsoft.com/) in a vb winform application (vs2003). The data source is an MS Access 2000 table; the data adapter is of the oledb type; and the sql string has two parameters ala =? At runtime the app provides values for the params like so: oledaPivotData.SelectCommand.Parameters("Conversion").Value = cboConversion.SelectedValue oledaPivotData.SelectCommand.Parameters("Year").Value = cboYear.SelectedValue The cube works fine. However the cube control won't let me access the Dimension Mapping facility, it complains that "Parameter ?_1 has no default value". I'm not sure how to solve this. I've written to the control developers, but they can be slow to respond...and this issue seems to be more generic than specific to this control. I've not been able to find a discussion here that deals with my situation, most other cases are using SPs. Tag: Avoiding SQL Injections Tag: 106698
  - 11
    - Oracle Pipeline function I have a VB.Net application that currently access an Oracle 9i database. We use ref cursors called from stored procedures to pass back recordsets.. I was wondering if it is possible to pass back the data through an Oracle Pipeline function instead? Thanks Tag: Avoiding SQL Injections Tag: 106693
  - 12
    - Question about DataSet.WriteXML method. I have a DataSet in which one row contains a column with a string that has CR or LF characters in it. I am converting this DataSet to XML by calling DataSet.WriteXml(). I would have expected CR and/or LF characters to be translated to numeric character entry values. Instead, they are written out as absolute. How can I ensure that all special characters are translated properly when calling WriteXml? -- ----------------------------------- Ken Varn Senior Software Engineer Diebold Inc. EmailID = varnk Domain = Diebold.com ----------------------------------- Tag: Avoiding SQL Injections Tag: 106692
  - 13
    - When to use MSDE/Sql Server (when using VB.NET) Hi, I'm just wondering when I better should use an Sql Server or when a MSDE. Whet are the advantages of one to another en the limits etc. And this espacially when using them as databases for VB.NET-applications. Any information would be great! Thanks a lot in advance, Pieter Tag: Avoiding SQL Injections Tag: 106687
  - 14
    - Problem with Delete Query and DateTime parameter I want to delete some rows from database table by way: DELETE FROM DOSTEPNE_MIEJSCA WHERE ID_STANOWISKA = 66 AND GODZINA BETWEEN '2001-01-01 08:00:00' AND '2001-01-01 18:00:00' connection.Open(); string zapytanko = "DELETE FROM DOSTEPNE_MIEJSCA WHERE ID_STANOWISKA = 66 AND GODZINA BETWEEN '2001-01-01 08:00:00' AND '2001-01-01 18:00:00'"; OleDbCommand command = new OleDbCommand(zapytanko, connection); command.ExecuteNonQuery(); connection.Close(); where column GODZINA has DateTime data type... Why I get this Except?: "OleDBException was unhandled - Unsuitable type of data in expression of criterion" When I ry this query through the QueryBuilder - ExecuteQuery - I get properly ressult ... Thanks for help... Tag: Avoiding SQL Injections Tag: 106685
  - 15
    - Error... Dear developer, I have experience this error message: System.NullReferenceException: Object reference not set to an instance of an object. at GreenBid_mobile.LoginProc.ValidateLogin(String EmailAdd, String Password) in c:\inetpub\wwwroot\greenbid_mobile\loginproc.asmx.cs:line 108 Here is the code: public string ValidateLogin(string EmailAdd, string Password) { int result; sqlCommand1.Parameters["@usr_Email"].Value=EmailAdd; sqlCommand1.Parameters["@usr_PW"].Value=Password; try { sqlCommand1.Connection.Open(); result=(int)(sqlCommand1.Parameters["@usr_session"].Value); } catch(Exception ex) { return (ex.ToString()); } sqlCommand1.Connection.Close(); if(result==1) return "Login Successfully"; else return "Login Failed"; the error is fall on "result=(int)(sqlCommand1.Parameters["@usr_session"].Value)", my database connectivity no problem.. but the problem keep on occur. Thanks advance whoever tell me the problem.. thanks cheers, Wong CS Tag: Avoiding SQL Injections Tag: 106676
  - 16
    - about GetDate(T-SQL) SELECT GETDATE() July 29 1995 2:50 PM (1 row(s) affected) ---------------------- how can changed this format: 1995-29-05 14:50, Just in storeprocess ? Tag: Avoiding SQL Injections Tag: 106668
  - 17
    - MSSQL - ON DELETE SET NULL Hello NG, Does SQL Server support "ON DELETE SET NULL"? I have a couple of CREATE TABLE / ALTER TABLE commands that are all in one string, separated by ";\r\n", and send them to SQL Server (without transaction context). The SQL itself is created dynamically, but here is a sample (for simplicity, I scrapped irrelevant stuff). I always get an SqlException with as many SqlErrors in it as there are ON DELETE SET NULL occurances. The same thing works with Access, though (with Jet-SQL syntax of course). Or (being a consumer product) is Jet just "fault tolerant" and ignores that? CREATE TABLE TFoo ( ID UNIQUEIDENTIFIER NOT NULL PRIMARY KEY, Bar UNIQUEIDENTIFIER); CREATE TABLE TList ( ID UNIQUEIDENTIFIER NOT NULL PRIMARY KEY ); CREATE TABLE TBar ( ID UNIQUEIDENTIFIER NOT NULL PRIMARY KEY, Foo UNIQUEIDENTIFIER, List UNIQUEIDENTIFIER, FOREIGN KEY (Foo) REFERENCES TFoo(ID) ON DELETE SET NULL, FOREIGN KEY (List) REFERENCES TList(ID) ON DELETE SET NULL); ALTER TABLE TFoo ADD FOREIGN KEY (Bar) REFERENCES TBar(ID) ON DELETE SET NULL; Many thanks, Phil Tag: Avoiding SQL Injections Tag: 106667
  - 18
    - Which one is better one SQL or DataSet Transactions I am developing a project, in that i use SQL Transactions to begin a transaction like if i want to save the details of the user along with the Address first i will save the details of the user and then the address. in my database i have these type of files: Person, user, Address, userAddress : person will have the details like personID, firstName, LastName, SSN . . . and user will userid, PersonID, . . . . and in the same way Address will have a unique AddressID and this adddress id will be corelated in UserAddress. for this type of transactions i use SQL transactions. but when i was going thorough a Micorsoft Enterprise Example : Duwamish i came accross DataSet Transactions. in that, if there are any transactions he first performs all the transactions in the DataSet and then update the database. SQLDataAdapter.Fill(Destination, Source) from the above scenario which one is most reliable. . . Thankyou, Raghuram. Tag: Avoiding SQL Injections Tag: 106666
  - 19
    - Which one is better one SQL or DataSet Transactions I am developing a project, in that i use SQL Transactions to begin a transaction like if i want to save the details of the user along with the Address first i will save the details of the user and then the address. in my database i have these type of files: Person, user, Address, userAddress : person will have the details like personID, firstName, LastName, SSN . . . and user will userid, PersonID, . . . . and in the same way Address will have a unique AddressID and this adddress id will be corelated in UserAddress. for this type of transactions i use SQL transactions. but when i was going thorough a Micorsoft Enterprise Example : Duwamish i came accross DataSet Transactions. in that, if there are any transactions he first performs all the transactions in the DataSet and then update the database. SQLDataAdapter.Fill(Destination, Source) from the above scenario which one is most reliable. . . Thankyou, Raghuram. Tag: Avoiding SQL Injections Tag: 106665
  - 20
    - about the storeprocess ALTER PROCEDURE Login @LName nvarchar(50), @Pwd nvarchar(500) AS declare @myID int SET NOCOUNT ON if exists ( select @myID = ID from kylin_user where lname=@lname and pwd=@pwd ) begin insert into kylin_log(UID,TLogin)values(@myID,Getdate()) end RETURN but it mind that @myID=ID wrong ! what't the errors ? Tag: Avoiding SQL Injections Tag: 106664
  - 21
    - SQL View How to use SQL View via ado.net in asp.net? Any reference at website? Please advise. Tag: Avoiding SQL Injections Tag: 106663
  - 22
    - dispose() how to dispose connection pooling when aspx is discontinued? In VB, the syntax is unload but how about aspx ? Tag: Avoiding SQL Injections Tag: 106662
  - 23
    - How to read from DataReader and Update using DataAdapter I am looking for example of reading one table using datareader and updating another with the values using a dataadapter. Tag: Avoiding SQL Injections Tag: 106658
  - 24
    - CLOB - IN OUT PARAMETER PROBLEM (Type your message here) PROCEDURE dal_get_clob_data ( i_dal_string IN VARCHAR2, io_dal_clob IN OUT CLOB ); An exception threw when I tried to use IN OUT CLOB inspite of the usual work around I did. When it is IN CLOB or OUT CLOB it worked fine but not in case of INOUT CLOB. Is there anyway to do with this? I am using MDAC 2.7 -------------------------------- From: Naren Srini ----------------------- Posted by a user from .NET 247 (http://www.dotnet247.com/) <Id>V9J2gtoMqU6p5kL9A86XGA==</Id> Tag: Avoiding SQL Injections Tag: 106642
  - 25
    - SqlDecimal MaxValue Has anyone noticed that the doc for this says: The value of this constant is 79,228,162,514,162,514,264,337,593,543,950,335 but that it is actually 99,999,999,999,999,999,999,999,999,999,999,999,999? Just thinking that Microsoft has a (minor) documentation error that should be fixed. Tag: Avoiding SQL Injections Tag: 106640

Is the single act of using stored procedures (in place of dynamic SQL) the
only thing you have to do to prevent SQL injection attacks?

Thank you,

Eric

Top

Re: Avoiding SQL Injections by William

William
Sat Mar 12 23:41:00 CST 2005

SQL injection attacks can also be caused by stored procedures that use
EXECUTE SQL commands.

--
____________________________________
William (Bill) Vaughn
Author, Mentor, Consultant
Microsoft MVP
www.betav.com/blog/billva
www.betav.com
Please reply only to the newsgroup so that others can benefit.
This posting is provided "AS IS" with no warranties, and confers no rights.
__________________________________

<Eric> wrote in message news:%23El1JQ3JFHA.1528@TK2MSFTNGP09.phx.gbl...
> Is the single act of using stored procedures (in place of dynamic SQL) the
> only thing you have to do to prevent SQL injection attacks?
>
> Thank you,
>
> Eric
>

Top

Re: Avoiding SQL Injections by Jim

Jim
Sun Mar 13 08:43:37 CST 2005

You can also use Dynamic SQL with parameters as described at
http://www.knowdotnet.com/articles/dynamicsqlparameters.html without using
stored procedures.

<Eric> wrote in message news:%23El1JQ3JFHA.1528@TK2MSFTNGP09.phx.gbl...
> Is the single act of using stored procedures (in place of dynamic SQL) the
> only thing you have to do to prevent SQL injection attacks?
>
> Thank you,
>
> Eric
>

Top

Re: Avoiding SQL Injections by Eric>

Eric>
Sun Mar 13 11:09:16 CST 2005

Good points. Thank you, Jim and Bill.

Eric

<Eric> wrote in message news:%23El1JQ3JFHA.1528@TK2MSFTNGP09.phx.gbl...
> Is the single act of using stored procedures (in place of dynamic SQL) the
> only thing you have to do to prevent SQL injection attacks?
>
> Thank you,
>
> Eric
>

Top