Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
hello guys I have got this code
cmd = new SqlCommand();
cmd.Connection = baglanti;
cmd.CommandText = "(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar) VALUES('" + txtMusteriAdi.Text.Trim() + "','" + txtMusteriSoyadi.Text.Trim() + "','" + txtGsm.Text.Trim() + "','" +txtEmail.Text.Trim() + "','" +txtSirketAdi.Text.Trim() + "','" +txtAdres.Text.Trim() + "','" +txtNotlar.Text.Trim() +"');";
baglanti.Open();
cmd.ExecuteNonQuery();
baglanti.Close();
I defined the cmd as a public SqlCommmand and in every time when the code come to the cmd.ExecuteNonQuery() it falls to catch what can I do .
Because you forget INSERT INTO part for your statement. Like;
INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
But much more important, you should always use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.
Also use using statement to dispose your connection and command automatically instead of calling Close method manually.
using(var baglanti = new SqlConnnection(yourConnectionString))
using(var cmd = baglanti.CreateCommand())
{
cmd.CommandText = #"INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
VALUES(#ad, #soyad, #gsm, #email, #sirket, #adres, #notlar)";
// Add your parameters values with Add method considering their types and size.
baglanti.Open();
cmd.ExecuteNonQuery();
}
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
As I am developing an application. How I can find the vulnerabilities which give hackers a chance to attack? And what are the security mechanisms possible here?
For example this code:
foreach (GridViewRow row in USER_GROUP_FROMS.Rows)
{
var chkboxuser = (CheckBox)row.FindControl("mainsupp");
abc = "";
if (chkboxuser.Checked == true)
{
string xe = "DATA SOURCE=technovalms;USER ID=AMC; password=amc;";
OracleConnection conn = new OracleConnection();
conn.ConnectionString = xe;
OracleCommand cmd = new OracleCommand();
cmd.Connection = conn;
conn.Open();
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,'" + user_type.SelectedValue.ToString() + "','" + chkboxuser + "') ";
cmd.ExecuteNonQuery();
}
}
OWASP is your friend:
https://www.owasp.org/index.php/Main_Page
There is a lot of information in the site, you can start with the Web Application Security Testing Cheat Sheet for a good introduction to the subject and a checklist of tasks to be performed during security testing of a Web application.
EDIT
By the way, the code you have provided is vulnerable to SQL Injection Attacks.
You are appending the contents of your controls directly to your query so a user could input something like the following:
1';DELETE FROM TECHNOVA_SMS_USER_PRIVILEAGE'
Voila! They have access to all your database information.
To avoid this you should always filter user input using parameters:
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,':selectedValue',':chkboxuser') ";
cmd.Parameters.Add(new OracleParameter("selectedValue", user_type.SelectedValue.ToString()));
cmd.Parameters.Add(new OracleParameter("chkboxuser", chkboxuser));
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I have this block of code that executes within my function but it keeps saying there is a syntax error. Am I missing something? Because it seems fine to me
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "' '" + textBox5.Text + "' '" + textBox2.Text + "' '" + comboBox3.Text + "''" + textBox3.Text + "''" + comboBox1.Text + "');";
When using insert, always include the column names. So, your query should be INSERT INTO dbo.Liguanea_Progress(col1, col2, . . .).
Never just stuff user input into a query string. Although one reason is that doing so makes the code susceptible to SQL injection, another important reason is that you might introduce syntax errors. Use parameterized queries.
The values in VALUES() should be separated by commas, not spaces.
Your query syntax is invalid. You need to have commas after every paramter.
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES(#Param1, #Param2,#Param3, #Param4, #Param5, #Param6);
Also start using sql command parameters to protect you from sql injection. Also this gives you clear view on your query.
SqlCommand cmd = new SqlCommand();
cmd.CommandText = query3;
cmd.Parameters.AddWithValue("#Param1", comboBox2.Text);
cmd.Parameters.AddWithValue("#Param2", textBox5.Text);
cmd.Parameters.AddWithValue("#Param3", textBox2.Text);
cmd.Parameters.AddWithValue("#Param4", comboBox3.Text);
cmd.Parameters.AddWithValue("#Param5", textBox3.Text);
cmd.Parameters.AddWithValue("#Param6", comboBox1.Text);
string query3 = "INSERT INTO dbo.Liguanea_Progress(col1) VALUES('" + textBox.Text + "')";
Use this pattern for consequent columns involved and respective values. It is important to declare the columns involved when doing an insert query as well to avoid confusion.
Furthermore, I assume you're using ADO.net judging from this code snippet. You may want to parametize the query to prevent SQL injection like so:
command.Parameters.Add(new SqlParameter("Col1", textBox.Text));
Which now makes your query like this:
string query3 = "INSERT INTO dbo.Liguanea_Progress(col1) VALUES(#Col1)";
This makes the sql code easier to edit.
Missing commas and brackets between your values, try something like this
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "'),('" + textBox5.Text + "'),('" + textBox2.Text + "'),('" + comboBox3.Text + "'),('" + textBox3.Text + "'),('" + comboBox1.Text + "');";
You'll need brackets around each value if you're inserting multiple values into the same column. If you're inserting this into one row then you're just missing the commas;
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "','" + textBox5.Text + "','" + textBox2.Text + "','" + comboBox3.Text + "','" + textBox3.Text + "','" + comboBox1.Text + "');";
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I am trying to add a string value to a SQL database in SQL Server Managemnet Studio but this does not work.
What is the correct way to do this?
SqlCommand addProduct = new SqlCommand("INSERT INTO dbo.Test VALUES(" + txtProductName.Text + ");", sqlConnect);
try
{
addProduct.ExecuteNonQuery();
MessageBox.Show("This product has been succesfully added to the database!!");
}
catch (Exception error2)
{
MessageBox.Show(error2.ToString());
}
It seems that you forgot to include a quote for the added string. Something like this
SqlCommand addProduct = new SqlCommand("INSERT INTO dbo.Test VALUES('" + txtProductName.Text + "');", sqlConnect);
Let's consider what is being generated here:
addProduct = new SqlCommand("INSERT INTO dbo.Test VALUES(" + txtProductName.Text + ");", sqlConnect);
If the value of txtProductName.Text is "monkey nuts", then your SqlCommand will have a CommandText of:
INSERT INTO dbo.Test VALUES(monkey nuts);
This isn't valid SQL, as the string has not been quoted. Now, if the value of txtProductName.Text is "'foo');DROP TABLE Test; --", then your SqlCommand will have a CommandText of:
INSERT INTO dbo.Test VALUES('foo');DROP TABLE Test; --);
Which, whilst valid SQL (as I'd put the apostrophes in the text box to quote the string), isn't what you'd want to do either.
The safest approach is to use parametrisation, so something more like:
using (SqlCommand addProduct = new SqlCommand("INSERT INTO dbo.Test VALUES(#ProductName);", sqlConnect);
{
addProduct.Parameters.Add("#ProductName", SqlDbType.NVarChar, 50).Value = txtProductName.Text;
addProduct.ExecuteNonQuery();
MessageBox.Show("This product has been succesfully added to the database!!");
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
SqlConnection connection1 = new SqlConnection(Properties.Settings.Default.KalenderDBconnect);
SqlCommand insertCommand = new SqlCommand(
"INSERT into KalenderDB values ('" + tb_name + "','" + tb_Ort + "','" + tb_Event + "','" + tb_Notiz + "','" + teilgenommen + "','" + date + "')");
connection1.Open();
insertCommand.ExecuteNonQuery();
connection1.Close();
Can somebody say, why the insertCommand.ExecuteNonQuery() doesn't work? I can't find the problem .
Your connection and command aren't linked together.
Try something like the following:
connection1.Open();
insertCommand.Connection = connection1;
insertCommand.ExecuteNonQuery();
connection1.Close();
Also, as someone commented on your question, this is prone to SQL injection. You should be using parameters.
Here's some MSDN documentation on parameters.
SqlCommand take 2 arguments
Query
Connection Name
SqlCommand objSql = new SqlCommand("Your Query",ObjectSqlConnection);
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I'm getting a run time error in my program when connecting to a SQL Server CE database.
Can anyone help me, and please don't write the whole code just a line of what needs to be changed to.
Here is my code:
string conString = Properties.Settings.Default.POSdatabaseConnectionString;
using (SqlCeConnection con = new SqlCeConnection(conString))
{
con.Open();
using (SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where Customer ID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
{
SqlCeDataReader reader = com.ExecuteReader();
int count = 0;
while (reader.Read())
{
count = count + 1;
}
if (count == 1)
{
MessageBox.Show("You have logged in succesfully");
Homepage homepage = new Homepage();
homepage.Show();
homepage.LabelText = ("Welcome " + reader["name"].ToString());
}
else
{
MessageBox.Show("Username and password is Not correct ...Please try again");
con.Close();
}
Error:
There was an error parsing the query. [ Token line number = 1,Token line offset = 39,Token in error = ID ]
I think the problem with the space in Customer ID,Try this
SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where CustomerID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
In your command, do not use string concatenation. That will fail badly and leave you open to SQL injection attacks.
Image what happens if I enter the following text into this.nametexbox.Text:
Joe'; DROP DATABASE; --
You don't want have someone like little Bobby Tables as user.
Use sql parameters.
If you have tables or fields with spaces, you to have a word with your DBA. If you cannot change it, make sure you use the correct syntax:
WHERE [Customer ID] = '12345'
Make sure you CustomerID column have space
Always use parameterized query to avoid SQL Injection
How does SQLParameter prevent SQL Injection
SqlCeCommand com = new SqlCeCommand = "SELECT * FROM Customer where CustomerID=#CustomerID and
name=#name";
con.Parameters.AddWithValue("#CustomerID", valuesTextBox.Text);
con.Parameters.AddWithValue("#name", namwTextBox.Text);