Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
SqlConnection connection1 = new SqlConnection(Properties.Settings.Default.KalenderDBconnect);
SqlCommand insertCommand = new SqlCommand(
"INSERT into KalenderDB values ('" + tb_name + "','" + tb_Ort + "','" + tb_Event + "','" + tb_Notiz + "','" + teilgenommen + "','" + date + "')");
connection1.Open();
insertCommand.ExecuteNonQuery();
connection1.Close();
Can somebody say, why the insertCommand.ExecuteNonQuery() doesn't work? I can't find the problem .
Your connection and command aren't linked together.
Try something like the following:
connection1.Open();
insertCommand.Connection = connection1;
insertCommand.ExecuteNonQuery();
connection1.Close();
Also, as someone commented on your question, this is prone to SQL injection. You should be using parameters.
Here's some MSDN documentation on parameters.
SqlCommand take 2 arguments
Query
Connection Name
SqlCommand objSql = new SqlCommand("Your Query",ObjectSqlConnection);
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
As I am developing an application. How I can find the vulnerabilities which give hackers a chance to attack? And what are the security mechanisms possible here?
For example this code:
foreach (GridViewRow row in USER_GROUP_FROMS.Rows)
{
var chkboxuser = (CheckBox)row.FindControl("mainsupp");
abc = "";
if (chkboxuser.Checked == true)
{
string xe = "DATA SOURCE=technovalms;USER ID=AMC; password=amc;";
OracleConnection conn = new OracleConnection();
conn.ConnectionString = xe;
OracleCommand cmd = new OracleCommand();
cmd.Connection = conn;
conn.Open();
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,'" + user_type.SelectedValue.ToString() + "','" + chkboxuser + "') ";
cmd.ExecuteNonQuery();
}
}
OWASP is your friend:
https://www.owasp.org/index.php/Main_Page
There is a lot of information in the site, you can start with the Web Application Security Testing Cheat Sheet for a good introduction to the subject and a checklist of tasks to be performed during security testing of a Web application.
EDIT
By the way, the code you have provided is vulnerable to SQL Injection Attacks.
You are appending the contents of your controls directly to your query so a user could input something like the following:
1';DELETE FROM TECHNOVA_SMS_USER_PRIVILEAGE'
Voila! They have access to all your database information.
To avoid this you should always filter user input using parameters:
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,':selectedValue',':chkboxuser') ";
cmd.Parameters.Add(new OracleParameter("selectedValue", user_type.SelectedValue.ToString()));
cmd.Parameters.Add(new OracleParameter("chkboxuser", chkboxuser));
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to insert record to student table and I used a SqlCommand but when executing command as shown here, a datatype mismatch error occurs.
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("insert into Student(studentID,studentName,birthDate) values(" + studentID.Text + ",'" + studentName.Text +"','" + birthDate.Text + "')", con);
You can use parameters to solve this problem like this:
SqlCommand cmd = new SqlCommand("insert into Student(studentID, studentName, birthDate) values(#studentID, #studentName, #birthDate)" , con);
cmd.Parameters.AddWithValue("#studentID", studentID.Text);
cmd.Parameters.AddWithValue("#studentName", studentName.Text);
cmd.Parameters.AddWithValue("#birthDate", birthDate.Text);
cmd.ExecuteNonQuery();
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
I have this block of code that executes within my function but it keeps saying there is a syntax error. Am I missing something? Because it seems fine to me
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "' '" + textBox5.Text + "' '" + textBox2.Text + "' '" + comboBox3.Text + "''" + textBox3.Text + "''" + comboBox1.Text + "');";
When using insert, always include the column names. So, your query should be INSERT INTO dbo.Liguanea_Progress(col1, col2, . . .).
Never just stuff user input into a query string. Although one reason is that doing so makes the code susceptible to SQL injection, another important reason is that you might introduce syntax errors. Use parameterized queries.
The values in VALUES() should be separated by commas, not spaces.
Your query syntax is invalid. You need to have commas after every paramter.
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES(#Param1, #Param2,#Param3, #Param4, #Param5, #Param6);
Also start using sql command parameters to protect you from sql injection. Also this gives you clear view on your query.
SqlCommand cmd = new SqlCommand();
cmd.CommandText = query3;
cmd.Parameters.AddWithValue("#Param1", comboBox2.Text);
cmd.Parameters.AddWithValue("#Param2", textBox5.Text);
cmd.Parameters.AddWithValue("#Param3", textBox2.Text);
cmd.Parameters.AddWithValue("#Param4", comboBox3.Text);
cmd.Parameters.AddWithValue("#Param5", textBox3.Text);
cmd.Parameters.AddWithValue("#Param6", comboBox1.Text);
string query3 = "INSERT INTO dbo.Liguanea_Progress(col1) VALUES('" + textBox.Text + "')";
Use this pattern for consequent columns involved and respective values. It is important to declare the columns involved when doing an insert query as well to avoid confusion.
Furthermore, I assume you're using ADO.net judging from this code snippet. You may want to parametize the query to prevent SQL injection like so:
command.Parameters.Add(new SqlParameter("Col1", textBox.Text));
Which now makes your query like this:
string query3 = "INSERT INTO dbo.Liguanea_Progress(col1) VALUES(#Col1)";
This makes the sql code easier to edit.
Missing commas and brackets between your values, try something like this
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "'),('" + textBox5.Text + "'),('" + textBox2.Text + "'),('" + comboBox3.Text + "'),('" + textBox3.Text + "'),('" + comboBox1.Text + "');";
You'll need brackets around each value if you're inserting multiple values into the same column. If you're inserting this into one row then you're just missing the commas;
string query3 = "INSERT INTO dbo.Liguanea_Progress VALUES('" + comboBox2.Text + "','" + textBox5.Text + "','" + textBox2.Text + "','" + comboBox3.Text + "','" + textBox3.Text + "','" + comboBox1.Text + "');";
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 7 years ago.
Improve this question
hello guys I have got this code
cmd = new SqlCommand();
cmd.Connection = baglanti;
cmd.CommandText = "(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar) VALUES('" + txtMusteriAdi.Text.Trim() + "','" + txtMusteriSoyadi.Text.Trim() + "','" + txtGsm.Text.Trim() + "','" +txtEmail.Text.Trim() + "','" +txtSirketAdi.Text.Trim() + "','" +txtAdres.Text.Trim() + "','" +txtNotlar.Text.Trim() +"');";
baglanti.Open();
cmd.ExecuteNonQuery();
baglanti.Close();
I defined the cmd as a public SqlCommmand and in every time when the code come to the cmd.ExecuteNonQuery() it falls to catch what can I do .
Because you forget INSERT INTO part for your statement. Like;
INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
But much more important, you should always use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.
Also use using statement to dispose your connection and command automatically instead of calling Close method manually.
using(var baglanti = new SqlConnnection(yourConnectionString))
using(var cmd = baglanti.CreateCommand())
{
cmd.CommandText = #"INSERT INTO tableName(musteriadi,musterisoyadi,gsm,email,sirketadi,Adres,Notlar)
VALUES(#ad, #soyad, #gsm, #email, #sirket, #adres, #notlar)";
// Add your parameters values with Add method considering their types and size.
baglanti.Open();
cmd.ExecuteNonQuery();
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
In this query statement i want sum of the number of days in the 'datetime' column where emp_ID equals to selected emp_ID in the textBox2 'and' leavetype = Fullday 'and' status = approved. this is my code
string selectSql =
"Select sum(datetime)
From Lea_information
Where emp_ID= ('" + textBox2.Text + "')
and (leave_type,status) = values (Fullday,Approved)";
Try like this
string selectSql =
"Select sum(datetime)
From Lea_information
Where emp_ID= '" + textBox2.Text + "'
AND leave_type ='Fullday'
AND status = 'Approved'";
Use
ing selectSql = "Select sum(datetime) from Lea_information where emp_ID= ('" + textBox2.Text + "') and leave_type = FullDay and status = Approved)";
Not sure which database you are using, but I've never seen statements like you have written there before.