 |  |  |  |  |  |  |  |
Simply Search Engine
Please support our C# advertiser: Intel Parallel Studio Home
 |
•
•
Join Date: Jun 2009
Posts: 88
Reputation: 
Solved Threads: 12
Junior Poster in Training
serkan sendur offcourse it vulnerable to sql injection,
but i dont know if you noticed above is a beginner to c#,
and as it seems he is a beginner in programing as well, so we are not dealing with vulnerabilty here, he simply wants to start to learn.
but i dont know if you noticed above is a beginner to c#,
and as it seems he is a beginner in programing as well, so we are not dealing with vulnerabilty here, he simply wants to start to learn.
i want show my result of search in a datagridview. i just want selected title o date i key in show there.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Configuration;
namespace WindowsFormsApplication7
{
public partial class Form7 : Form
{
public Form7()
{
InitializeComponent();
}
private void BindDataGrid()
{
SqlConnection myConn = new SqlConnection();
myConn.ConnectionString = ConfigurationManager.ConnectionStrings["myConn"].ToString();
myConn.Open();
string strSQL = "select * from book where user_id = " + StaticData.ActiveUserId + "";
SqlDataAdapter dataAdapter = new SqlDataAdapter(strSQL, myConn);
SqlCommandBuilder commandBuilder = new SqlCommandBuilder(dataAdapter);
SqlCommand cmd = new SqlCommand("select user_id from book where user_id = " + StaticData.ActiveUserId + "", myConn);
DataTable table = new DataTable();
dataAdapter.Fill(table);
bindingSource1.DataSource = table;
dataGridView1.DataSource = bindingSource1;
myConn.Close();
}
private void button1_Click(object sender, EventArgs e)
{
SqlConnection myConn = new SqlConnection();
myConn.ConnectionString = ConfigurationManager.ConnectionStrings["myConn"].ToString();
myConn.Open();
if (txtTitle.Text != "")
{
SqlCommand cmd = new SqlCommand("SELECT * from book WHERE title = " + txtTitle.Text.ToString());
SqlDataReader dr;
dr = cmd.ExecuteReader();
BindDataGrid();
dr.Close();
}
else if (txtDate.Text != "")
{
SqlCommand cmd = new SqlCommand("SELECT * from book WHERE dateofpurchase = " + txtDate.Text.ToString());
SqlDataReader dr;
dr = cmd.ExecuteReader();
dr.Close();
}
myConn.Close();
}
}
}
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Data.SqlClient;
using System.Configuration;
namespace WindowsFormsApplication7
{
public partial class Form7 : Form
{
public Form7()
{
InitializeComponent();
}
private void BindDataGrid()
{
SqlConnection myConn = new SqlConnection();
myConn.ConnectionString = ConfigurationManager.ConnectionStrings["myConn"].ToString();
myConn.Open();
string strSQL = "select * from book where user_id = " + StaticData.ActiveUserId + "";
SqlDataAdapter dataAdapter = new SqlDataAdapter(strSQL, myConn);
SqlCommandBuilder commandBuilder = new SqlCommandBuilder(dataAdapter);
SqlCommand cmd = new SqlCommand("select user_id from book where user_id = " + StaticData.ActiveUserId + "", myConn);
DataTable table = new DataTable();
dataAdapter.Fill(table);
bindingSource1.DataSource = table;
dataGridView1.DataSource = bindingSource1;
myConn.Close();
}
private void button1_Click(object sender, EventArgs e)
{
SqlConnection myConn = new SqlConnection();
myConn.ConnectionString = ConfigurationManager.ConnectionStrings["myConn"].ToString();
myConn.Open();
if (txtTitle.Text != "")
{
SqlCommand cmd = new SqlCommand("SELECT * from book WHERE title = " + txtTitle.Text.ToString());
SqlDataReader dr;
dr = cmd.ExecuteReader();
BindDataGrid();
dr.Close();
}
else if (txtDate.Text != "")
{
SqlCommand cmd = new SqlCommand("SELECT * from book WHERE dateofpurchase = " + txtDate.Text.ToString());
SqlDataReader dr;
dr = cmd.ExecuteReader();
dr.Close();
}
myConn.Close();
}
}
}
•
•
Join Date: Jan 2008
Posts: 2,052
Reputation: 
Solved Threads: 122
you should add the parameters like below :
"Tang" will be your textbox.text.
C# Syntax (Toggle Plain Text)
"Tang" will be your textbox.text.
Due to lack of freedom of speech, i no longer post on this website.
•
•
Join Date: Jan 2008
Posts: 2,052
Reputation:
Solved Threads: 122
•
•
•
•
Originally Posted by IdanS 
serkan sendur offcourse it vulnerable to sql injection,
but i dont know if you noticed above is a beginner to c#,
and as it seems he is a beginner in programing as well, so we are not dealing with vulnerabilty here, he simply wants to start to learn.
Due to lack of freedom of speech, i no longer post on this website.
•
•
Join Date: Jun 2009
Posts: 88
Reputation:
Solved Threads: 12
Junior Poster in Training
dummy c# you are now using two different methods of polling the data from the DB, either you want to use DataBind or you want to use SqlDataReader, choose one and we will continue from there.
and you have not still added the:
Method
and you have not still added the:
C# Syntax (Toggle Plain Text)
•
•
Join Date: Jun 2009
Posts: 88
Reputation:
Solved Threads: 12
Junior Poster in Training
•
•
•
•
Originally Posted by serkan sendur
i posted an example as how to create parameters in secure way. this way it will be protected against injection.
•
•
Join Date: Jan 2008
Posts: 2,052
Reputation:
Solved Threads: 122
what were you expecting ? am i going to be "you" centered, of course i am self-centered.
if you teach someone something, why not teach it correct from the beginning?
if you teach someone something, why not teach it correct from the beginning?
Due to lack of freedom of speech, i no longer post on this website.
•
•
Join Date: Jun 2009
Posts: 88
Reputation:
Solved Threads: 12
Junior Poster in Training
Becuase when you teach a baby to talk you are not teaching him how to say "encyclopedia" from the begining you teaching him how to say "dad", "mom" and so on, when he learned that so you going and teach him how to say "cow", "cat" and after you teach him to say "encyclopedia".
I'm sure when you started to learn programing you didnt learn how to id in a secure way from the begining you learned the basicics and then you developed to what you know today, so take it easy with the fellow
I'm sure when you started to learn programing you didnt learn how to id in a secure way from the begining you learned the basicics and then you developed to what you know today, so take it easy with the fellow
•
•
Join Date: Jan 2008
Posts: 2,052
Reputation:
Solved Threads: 122
I dont think so, even in the microsoft websites beginning tutorials for novices, it teaches how to do it proper way from the beginning. Using one more object is better than making quotation mistakes in a select statement as well as security issue.
Due to lack of freedom of speech, i no longer post on this website.
•
•
Join Date: Jun 2009
Posts: 88
Reputation:
Solved Threads: 12
Junior Poster in Training
Well obviously you are not a perent and not a teacher either.
If you still think that you are right so stay in your mind, I cant force you to change the way you think, but I'm sure that people here will agree with me.
If you still think that you are right so stay in your mind, I cant force you to change the way you think, but I'm sure that people here will agree with me.
|
Similar Threads
- Search Engine Optimization Manager for SalesOnlineWorld (Internet Marketing Job Offers)
- Search Engine Optimization Manager (Internet Marketing Job Offers)
- experienced Search Engine Optimizer's and Soft works (Post your Resume)
- UK Search Engine Marketing Services (Post your Resume)
- Search Engine Manager needed (Internet Marketing Job Offers)
- Search Engine Optimization (SEO) / Link Building / PPC Management / SEM Services (Post your Resume)
- Make google your default search engine (Windows tips 'n' tweaks)
- Increase Search Engine Position (Ad Space for Sale)
- a few search engine optimization questions (Search Engine Optimization)
Other Threads in the C# Forum
- Previous Thread: Need some beginnerhelp
- Next Thread: nifty little counter problem (timer involved)
| Thread Tools | Search this Thread |
Latest C# Posts
- Today's Posts
- Unanswered Threads
Related Forum Features
Tag cloud for C#
.net access ado.net algorithm array bitmap box broadcast buttons c# chat check checkbox class client color combobox control conversion csharp custom database datagrid datagridview dataset datetime degrees development draganddrop drawing encryption enum event excel file files form format forms function gdi+ httpwebrequest image index input install java label list listbox listener login mandelbrot math mouseclick mysql networking object operator oracle path photoshop picturebox pixelinversion post prime programming radians regex remote remoting resource richtextbox save saving serialization server sleep socket sql statistics stream string table tcp text textbox thread time timer treeview update usercontrol validation visualstudio webbrowser windows winforms wpf xml
