I have two data tables and I want to export both data tables as an Excel file having two sheets containing the data of these two data tables.
string myquery = "select * from mytable";
string myquery2 = "select * from blatable";
--making and connection to my db--
try{
cnn.open();
MySqlCommand cmd = new MySqlCommand(myquery, cnn);
{
MySqlDataAdapter sda = new MySqlDataAdapter();
{
sda.SelectCommand = cmd;
mydt = new DataTable();
sda.fill(mydt);
}
}
MySqlCommand cmd1 = new MySqlCommand(myquery2, cnn);
{
MySqlDataAdapter sda = new MySqlDataAdapter();
{
sda.SelectCommand = cmd1;
mydt1 = new DataTable();
sda.fill(mydt1);
}
}
}
Have used SmartXLS for this matter sometime now and its easy to use. Its also fairly documented
http://www.smartxls.com/csharp/workbook.htm#vworkbook-rw-xlsx
Related
There'r many way to protect web app from SQL Injection, but is it 100% guarantee of quality? It seems to me that exists some methods for bypass these protections:for e.g. using comments, encoding, HTTP Parameter pollution maybe, i really don't know, can't find any examples for ASP .NET Core 2.x
code:
public DataTable GetUserDetailsbyId_ParameterizedQuery(string registrationId)
{
DataTable dt = new DataTable();
var connection = "Server=(localdb)\\MSSQLLocaldb; Password=Pass$123;Database=AllSampleCode;Trusted_Connection=True;";
using (SqlConnection con = new SqlConnection(connection))
{
con.Open();
var #query = "select * from Registration where RegistrationId=#RegistrationId";
SqlCommand cmd = new SqlCommand(query, con) { CommandType = CommandType.Text };
cmd.Parameters.AddWithValue("#RegistrationId", registrationId);
SqlDataAdapter da = new SqlDataAdapter();
da.SelectCommand = cmd;
da.Fill(dt);
}
return dt;
}
//////////////////////////////////////////////////////////////////////////////////////
public DataTable GetUserDetailsbyId_StoreProcedure(string registrationId)
{
DataTable dt = new DataTable();
var connection = "Server=(localdb)\\MSSQLLocaldb; Password=Pass$123; Database=AllSampleCode;Trusted_Connection=True;";
using (SqlConnection con = new SqlConnection(connection))
{
con.Open();
SqlCommand cmd = new SqlCommand("Usp_GetUserDetailsByRegistrationId", con);
cmd.Parameters.AddWithValue("#RegistrationId", registrationId);
cmd.CommandType = CommandType.StoredProcedure;
SqlDataAdapter da = new SqlDataAdapter { SelectCommand = cmd };
da.Fill(dt);
}
return dt;
}
I have successfully built connection string and able to populate table data when the database is Access as:
DataTable results = new DataTable();
using (OleDbConnection thisConnection = new OleDbConnection(connectionname))
{
OleDbCommand cmd = new OleDbCommand("SELECT * from TABLE_A", thisConnection); //EDIT : change table name for Oracle
thisConnection.Open();
OleDbDataAdapter adapter = new OleDbDataAdapter(cmd);
adapter.Fill(results);
}
I am new to Oracle though. Can somebody mention what changes to make in above code for Oracle database?
You can try this;
OracleConnection conn = new OracleConnection("Your Connection string");
//Open the connection to the database
conn.Open();
DataSet dataSet = new DataSet();
OracleCommand cmd = new OracleCommand("your select query");
cmd.CommandType = CommandType.Text;
cmd.Connection = conn;
using (OracleDataAdapter dataAdapter = new OracleDataAdapter())
{
dataAdapter.SelectCommand = cmd;
dataAdapter.Fill(dataSet);
}
Hi I'm trying to search filter a datagridview by using a combobox and textbox.
I have successfully done so but it only works properly when I search for the ID column. Other columns just crash display the following message:
You have an error in your SQL syntax; check the manual that
corresponds to your MariaDB server version for the right syntax to use
near 'Name LIKE 'd%'' at line 1
The d letter in that error message is just the letter I was trying to filter the search with.
Could somebody please help me solve this issue?
My code is below
string myConnection = "datasource=localhost;port=3306;username=root;password=;";
MySqlConnection conDatabase = new MySqlConnection(myConnection);
try
{
if (comboBoxSrchPatient.Text == "ID")
{
MySqlCommand cmd = new MySqlCommand("select * from clinic_inventory_system.patient WHERE ID LIKE '" + txtSearchPatient.Text + "%'", conDatabase);
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
else if (comboBoxSrchPatient.Text == "FIRST NAME")
{
MySqlCommand cmd = new MySqlCommand("select * from clinic_inventory_system.patient WHERE First Name LIKE '" + txtSearchPatient.Text + "%'", conDatabase);
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
else if (comboBoxSrchPatient.Text == "LAST NAME")
{
MySqlCommand cmd = new MySqlCommand("select * from clinic_inventory_system.patient WHERE Last Name LIKE '" + txtSearchPatient.Text + "%'", conDatabase);
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
else if (comboBoxSrchPatient.Text == "AGE")
{
MySqlCommand cmd = new MySqlCommand("select * from clinic_inventory_system.patient WHERE Age LIKE '" + txtSearchPatient.Text + "%'", conDatabase);
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
else if (comboBoxSrchPatient.Text == "CONTACT NUMBER")
{
MySqlCommand cmd = new MySqlCommand("select * from clinic_inventory_system.patient WHERE Contact Number LIKE '" + txtSearchPatient.Text + "%'", conDatabase);
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
}
catch (Exception ex)
{
MessageBox.Show(ex.Message);
}
Your field names contains spaces.
To use them in a query your need to enclose them between backticks (ALT+096)
MySqlCommand cmd = new MySqlCommand(#"select * from
clinic_inventory_system.patient WHERE `Last Name` LIKE ....";
Said that, consider, as soon as possible, to change your queries to use a parameterized query
using(MySqlCommand cmd = new MySqlCommand(#"select * from
clinic_inventory_system.patient
WHERE `First Name` LIKE #name", conDatabase);
{
cmd.Parameters.Add("#name", MySqlDbType.VarChar).Value = txtSearchPatient.Text + "%";
MySqlDataAdapter sda = new MySqlDataAdapter();
sda.SelectCommand = cmd;
DataTable dbdataset = new DataTable();
sda.Fill(dbdataset);
dataPatientGridView.DataSource = dbdataset;
}
In this way your code is safer because it is no more possible to build an Sql Injection attack against your db and, if the First Name contains a single quote, you don't have a syntax error again
First of all, with First Name, Last Name and Contact Number, you need to escape the columns correctly.
Since you're using MariaDB, you should use backticks (`) to escape the column names.
Secondly, your Age query fails because you can't perform a LIKE on a numeric column. You should use = (equals).
Hope that helps.
Also, considering switching to prepared statements if you're using data the user has provided directly in your SQL. At the moment, you're open to SQL Injection.
you should listen to Huw Jones.
you dont want to get audited by a security firm and have sql injection problems. Parameterized your query is mySql supports it.
I have two different queries for two different tables I want to show the result in two datagridviews on a form
string query1 = string.Format("select * from Flat where [Flat_No.]='{0}'",flat.Text);
string query2 = string.Format("select * from 1");
SqlCommand cmd = new SqlCommand(query1, con);
SqlCommand cmd1 = new SqlCommand(query2, con1);
dataview frm1 = new dataview(query1,query2); //the form where data is to be displayed
// on form dataview I have two DataGridViews
public dataview(string a,string b)
{
InitializeComponent();
SqlConnection con = new SqlConnection(Class1.getConnectionString);
//connection name
con.Open();
SqlCommand cmd = new SqlCommand(a , con);
cmd.CommandType = CommandType.Text;
SqlDataAdapter da = new SqlDataAdapter(cmd);
DataSet ds = new DataSet();
da.Fill(ds, "ss");
dataGridView1.DataSource = ds.Tables["ss"];
con.Close();
SqlConnection con1 = new SqlConnection(Class1.getConnectionString);
//connection name for query1
con1.Open();
SqlCommand cmd1 = new SqlCommand(b, con1);
cmd1.CommandType = CommandType.Text;
SqlDataAdapter da1 = new SqlDataAdapter(cmd1);
DataSet ds1 = new DataSet();
da.Fill(ds1, "aa");
dataGridView2.DataSource = ds1.Tables["aa"];
con1.Close();
}
}
but the above code is showing data from query 1 in both the datagridviews. plz help me out how can I solve this problem? If there in another way let me know it also. I have also tried to merge both the queries using "+" sign but it also didn't proved helpful.
Use da1.Fill instead of da.fill. You're using the da DataAdapter for filling both Datasets
da.Fill(ds1, "aa");
da1.Fill(ds1, "aa");
I can't understand what I am doing wrong, I can't seem to SELECT with a prepared statement. However I can INSERT with a prepared statement.
MySqlCommand cmd = new MySqlCommand("SELECT * FROM code_post WHERE name = ?postRequired LIMIT 1", dbcon);
cmd.Parameters.Add(new MySqlParameter("?postRequired", requestString));
cmd.ExecuteNonQuery();
DataSet ds = new DataSet();
cmd.fill(ds, "result");
try {
thisBlog = ds.Tables["result"].Rows[0];
} catch {
invalid();
return;
}
Any advice on this would be greatly appreciated!
To fill a DataSet you will need a DataAdapter.
Try this:
MySqlCommand cmd = new MySqlCommand("SELECT * FROM code_post WHERE name = ?postRequired LIMIT 1", dbcon);
cmd.Parameters.Add(new MySqlParameter("?postRequired", requestString));
cmd.ExecuteNonQuery();
DataSet ds = new DataSet();
MySqlDataAdapter dAdap = new MySqlDataAdapter();
dAdap.SelectCommand = cmd;
dAdap.Fill(ds, "result");
try {
thisBlog = ds.Tables["result"].Rows[0];
} catch {
invalid();
return;
}
You need to use SqlDataAdapter
DataAdapter represents a set of data commands and a database connection that are used to fill the DataSet and update a SQL Server database.
The SqlDataAdapter provides this bridge by mapping Fill, which changes the data in the DataSet to match the data in the data source
Check the following syntax:
private static DataSet SelectRows(DataSet dataset,
string connectionString,string queryString)
{
using (SqlConnection connection =
new SqlConnection(connectionString))
{
SqlDataAdapter adapter = new SqlDataAdapter();
adapter.SelectCommand = new SqlCommand(
queryString, connection);
adapter.Fill(dataset);
return dataset;
}
}