What are the disadvantages of this code :
SqlConnection con = new SqlConnection();
con.ConnectionString = #"Data Source=.\sqlExpress;Initial Catalog=Learn;Integrated Security=True";
SqlCommand cmd = new SqlCommand();
cmd.CommandText = "Insert Into tblUser(name,family,tel)Values('" + txtName.Text + "','" + txtFamily.Text + "','" + txtTel.Text + "')";
cmd.Connection = con;
cmd.CommandType = CommandType.Text;
con.Open();
cmd.ExecuteNonQuery();
con.Close();
You mean besides the fact that the SqlConnection won't be disposed, and that the SqlCommand is written in such a way as to invite a SQL Injection attack?
Relevant XKCD comic:
http://xkcd.com/327/
One major disadvantage is that you don't quote your strings or use parameterized queries, so somebody who inputs O'Brien for their last name will get an exception.
Of course, that also means that somebody can enter arbitrary SQL into a text box and have you execute it for them. That's bad.
Related to secure coding....
Your code is vulnerable to SQL Injection attacks since you are directly using txtName.text in the code to form a query. Parameterized queries should be used. Additionally, you should validate the txtName.txt before using it. That is it.
Related
This had to be a simple, ordinary SQL insert method but when I run it and I click "button1" I get the error
An unhandled exception of type 'system.data.sqlclient.sqlexception' occurred in system.data.dll
Does anyone know what the problem is?
namespace InsertDeleteUpdate_Login
{
public partial class Form1 : Form
{
SqlConnection cn = new SqlConnection(#"Data Source=(LocalDB)\v11.0;AttachDbFilename=E:\C #\InsertDeleteUpdate-Login\InsertDeleteUpdate-Login\Database1.mdf;Integrated Security=True");
SqlCommand cmd = new SqlCommand();
SqlDataReader dr;
public Form1()
{
InitializeComponent();
cmd.Connection = cn;
}
private void button1_Click(object sender, EventArgs e)
{
if (textBox1.Text != "" && textBox2.Text != "")
{
cn.Open();
cmd.CommandText = "INSERT INTO info (ID,Name,Password)" + " VALUES ('" + textBox1.Text + "','" + textBox2.Text + "','" + textBox3.Text + "')'";
cmd.ExecuteNonQuery();
cmd.Clone();
MessageBox.Show("Inserare reusita");
cn.Close();
}
}
}
}
The root cause of your problem is that you are not using parameterized queries and are trying to create an sql string on the fly. As a result you make an error in the assembling code of that string. But if you use a parameterized query the chance of running into an issue like that is a lot lower because you don't have to mess about with quotes and the like. On top of this, you cannot have a sql injection attack if you use parameters and it makes the code more readable too.
Read http://www.dotnetperls.com/sqlparameter on how to use a parameterized query the way it should be done and don't just fix the textual error in the querystring. It is not the way it is supposed to be done.
This is a good explanation too : http://www.dreamincode.net/forums/topic/268104-parameterizing-your-sql-queries-the-right-way-to-query-a-database/
I can't add comments yet, but it looks like you might have an extra single quote after the last close bracket that shouldn't be there.
As mentioned by several people above, you should ALWAYS parameterise your queries, and you also have a trailing single quote, which is most likely what SQL Server is choking on.
Try something like this:
cmd.CommandText = "INSERT INTO info (ID, Name, Password) VALUES (#ID, #Name, #Password)";
cmd.Parameters.AddWithValue("#ID", textBox1.Text);
cmd.Parameters.AddWithValue("#Name", textBox2.Text);
cmd.Parameters.AddWithValue("#Password", textBox3.Text);
cmd.ExecuteNonQuery();
I was wondering if it is possible for the update button to save the changes made in the table. I wrote this code but I have no idea how it could possibly work
This is the code i wrote for the update button:
string conString = "Data Source=MIRANDA-PC;Initial Catalog=Futebol do Rosa;Integrated Security=True";
SqlConnection con = new SqlConnection(conString);
string selectSql = "Update Players$ set Player Name='" + dataGridView2.Text + "";
SqlCommand cmd = new SqlCommand(selectSql, con);
con.Open();
This is the table I want to update the values in:
Well, you just need to execute your query with ExecuteNonQuery.
But more important, you should always use parameterized queries. This kind of string concatenations are open for SQL Injection attacks.
Also use using statement to dispose your SqlConnection and SqlCommand.
And if your table or column names more than one word, you need to use them with [] as [Player Name]. And honestly, it is a little bit weird to use $ sign in a table name.
using(SqlConnection con = new SqlConnection(conString))
using(SqlCommand cmd = con.CreateCommand())
{
cmd.CommandText = "Update Players$ set [Player Name] = #name";
cmd.Parameters.Add("#name", SqlDbType.NVarChar, 16).Value = dataGridView2.Text;
con.Open();
cmd.ExecuteNonQuery();
}
You have to execute your SQL query with your db object.
dbinstance.ExecuteSqlCommand(string sqlcommand, object[] params);
This method is both for DDL and DML.
you can also use ExecuteNonQuery method.
cmd.CommandText = "Update Players$ set [Player Name] = #Playername";
cmd.Parameters.Add("#Playername", SqlDbType.NVarChar, 16).Value = dataGridView2.Text;
con.Open();
cmd.ExecuteNonQuery();
The best solution (if possible) to to convert your DAL (Data Access Layer) to Entity-framework based, instead of writing your own SQL queries. This is safe-by-design and never is vulnerable to SQL Injection of any kind.
Here is some mockup code:
using (AppEntities currDb = new AppEntities)
{
Players PlayerToEdit =
from player in currDb.Players
where player.PlayerID == lngPlayerID
select player.First();
PlayerToEdit.PlayerName = dataGridView2.Text;
currDb.SaveChanges();
}
You can read about it some more here:
https://msdn.microsoft.com/en-us/data/ef.aspx
I'm running a database in SQL2012 and using Visual Studio2012 C# to build a software that interacts with the database, and I've been trying to add a button that interacts with a textbox or something similar that lets the user add/edit rows in the database.
Code:
try
{
string conString = "Data Source=MIRANDA-PC;Initial Catalog=Futebol do Rosa;Integrated Security=True";
SqlConnection con = new SqlConnection(conString);
string selectSql = "Update Players$ SET Player Name='" + textBox3.Text + "' WHERE Player ID= 1";
SqlCommand cmd = new SqlCommand(selectSql, con);
con.Open();
cmd.ExecuteNonQuery();
MessageBox.Show("The values have been UPDATED");
}
catch{
MessageBox.Show("not so fast ***, error found in your ******** code");
}
Ignoring the safety issues (inline SQL is bad. Very bad.) Your update has some fundamental errors. Try:
string selectSql = "Update Players SET Players.Name='" + textBox3.Text +
"' WHERE Players.ID= 1";
Your table columns need to be associated to the table with a . and the table name has to be the same as the one you are updating. I am going on the assumption here that your table name is Players
The code in your link isn't even safe.
Your SqlConnction and SqlCommand will not dispose
The end user can use SQL Injection
Throw your SqlConnection and SqlCommand in an using statement.
using (SqlConnection con = new SqlConnection(constring))
{
using (SqlCommand cmd = new SqlCommand("your query here", con))
{
con.Open();
cmd.ExecuteNonQuery();
}
}
Add parameters to your SqlCommand to avoid SqlInjection
cmd.Parameters.AddWithValue("#param", value);
Create your own class for database interaction and don't put everything in one class or form.
If you let us know what the error is, we can help you more.
Also a good thing is to google your error first.
I'm trying to make an ATM Simulator. When I want to add some money in my account which is registered in SQL Server, I don't know how to add a value over the old value.
My SQL Table is like this:
Name | Surname | Pin | Money
When i want to add Money from textBox in the Money column I don't know how.
Code:
con.Open();
string connString = "";
SqlConnection conn = new SqlConnection(connString);
SqlCommand cmd = conn.CreateCommand();
cmd.CommandType = CommandType.Text;
cmd.CommandText = "select * from Useri where Pin='" + textBox1_Pin.Text + "' ";
var reader = cmd.ExecuteReader();
double balanciFillestar = Convert.ToDouble(reader[3]);
double balanciRi = balanciFillestar + double.Parse(textBox_shuma.Text);
cmd.CommandText = "update Useri set Shuma =" + balanciRi + "";
cmd.ExecuteNonQuery();
con.Close();
The most immediate need would be to filter the update statement, so instead of this:
cmd.CommandText = "update Useri set Shuma =" + balanciRi + "";
you really need this:
cmd.CommandText = "UPDATE Useri SET Shuma = #Shuma WHERE Pin = #Pin";
But, before you can do that we really need to refactor it all.
var selectSql = "SELECT Shuma FROM Useri WHERE Pin = #Pin";
var updateSql = "UPDATE Useri SET Shuma = #Shuma WHERE Pin = #Pin";
using (SqlConnection c = new SqlConnection(cString))
{
c.Open();
double balanciFillestar;
using (SqlCommand cmd = new SqlCommand(selectSql, c))
{
cmd.Parameters.AddWithValue("#Pin", textBox1_Pin.Text);
balanciFillestar = Convert.ToDouble(cmd.ExecuteScalar());
}
double balanciRi = balanciFillestar + double.Parse(textBox_shuma.Text);
using (SqlCommand cmd = new SqlCommand(updateSql, c))
{
cmd.Parameters.AddWithValue("#Shuma", balanciRi);
cmd.Parameters.AddWithValue("#Pin", textBox1_Pin.Text);
cmd.ExecuteNonQuery();
}
}
There are a number of things I'm doing here that you'll want to learn from:
The SQL statements are parameterized.
The SqlConnection is not shared.
The ADO.NET objects are wrapped in a using statement.
A SqlDataReader isn't used to get a single value from a single row.
All of these things, with the exception of #4, are equally important.
Point #1 ensures that you're protecting yourself from SQL Injection attacks.
Point #2 is quite simply the only viable way to use the class. It's meant to be constructed, opened, used, and disposed.
Point #3 ensures that the Dispose method is called on all of the objects. This is extremely important with these classes because they implement IDisposable. They do because they handle unmanaged resources (i.e. a connection to a SQL server).
Point #4 is really just an optimization. Data readers are meant for reading very large data sets, one row at a time, to gain performance and resource management. Likewise the data reader is actually left open until it is closed or disposed. Generally speaking there are almost always better API's to use than a data reader unless using it for their express purpose.
Your code is vulnerable against SQL injection. Please consider this and use parameterized query.
string ps= "update Useri set Shuma = Shuma + #shuma WHERE Pin= #pin";
SqlCommand cmd = new SqlCommand(ps, c);
cmd.Parameters.AddWithValue("#shuma", textBox_shuma.Text);
cmd.Parameters.AddWithValue("#pin", textBox1_Pin.Text);
This question already has answers here:
The multi-part identifier "TextBox1.Text" could not be bound in C# ASP.NET?
(3 answers)
Closed 9 years ago.
if (validateEmailId(email))
{
pictureBox5.Visible = true;
SqlConnection con = new SqlConnection("conection string");
SqlCommand cmd2 = new SqlCommand("UPDATE sumant SET email=" + email + " WHERE code ='" + textBox2.Text + "' ", con);
cmd2.Connection = con;
cmd2.Connection.Open();
cmd2.ExecuteNonQuery();//line 7
con.Close();
}
validateEmailId is a function which validates the email entered(using regular expression)..
The email entered in the 'email' textbox is validated and is returned to the above function..
When the control passes to line 7 following error is encountered:
The multi-part identifier "sxxx#yahoo.com" could not be bound.
It means sxxx#yahoo.com has passed the validation test, but a problem occurred in line 7.
On the SQL end, the column 'email' has varchar(50) as its data type...I don't think that's an issue....
You should at least put single quotes around the email adress:
SqlCommand cmd2 = new SqlCommand("UPDATE sumant SET email='" + email + "' WHERE code ='" + textBox2.Text + "' ", con);
However, this is not a good way of passing in params, as you are leaving this wide open for SQL injection attacks...
A better way would be to use a parameterized query, like this:
SqlCommand cmd2 = new SqlCommand("UPDATE sumant SET email=#email WHERE code=#code", con);
cmd2.Parameters.AddWithValue("#email", email);
cmd2.Parameters.AddWithValue("#code", textBox2.Text);
Then you don't need to supply the single quotes, and you're at the same time safeguarding against SQL injection attacks...
Ouch, I smell SQL injection and lack of disposal. Try this:
using (SqlConnection con = new SqlConnection("conection string")) {
using (SqlCommand cmd2 = new SqlCommand("UPDATE sumant SET email=#Email WHERE code = #Code", con)) {
cmd2.Parameters.AddWithValue("#Email", email);
cmd2.Parameters.AddWithValue("#Code", textBox2.Text);
con.Open();
cmd2.ExecuteNonQuery();
}
}
The using directives will close the SqlConnection and SqlCommand no matter if they fail or execute properly. The SqlParameters will prevent any form of SQL injection.
Another sidenote: your passing the conn argument to the SqlCommand constructor AND are setting the connection property of the SqlCommand after that, passing the SqlConnection to the SqlCommand already sets the connection property.