Solved

C#: SQL string with textBox user input?

Posted on 2004-09-17
5
219 Views
Last Modified: 2010-04-15
I'm attempting to substitute a testBox variable in place of the usual tableName in an SQL string.

Q. Is the following code correct?


string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
           " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";
SqlConnection cn1 = new SqlConnection("integrated security=SSPI;data source=office; persist security info=False;initial catalog=master");
SqlDataAdapter da1 = new SqlDataAdapter(SQL1,cn1);
cn1.Open();
da1.SelectCommand.ExecuteNonQuery();            
cn1.Close();
0
Comment
Question by:kvnsdr
5 Comments
 
LVL 20

Expert Comment

by:ihenry
ID: 12087653
are you inserting record to a table in master database?
0
 
LVL 1

Author Comment

by:kvnsdr
ID: 12088520
yes
0
 
LVL 5

Accepted Solution

by:
tomasX2 earned 125 total points
ID: 12088966
REMOVE THE '

string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

becomes

string SQL1 = " INSERT INTO  " + txtSqlTable.Text.ToString() + " (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

sounds dangerous though... hope it´s not a action an anonymous user could do.
0
 
LVL 5

Expert Comment

by:tomasX2
ID: 12088971
I mean because you use string parsing and not parameters.
0
 
LVL 10

Expert Comment

by:ptmcomp
ID: 12091163
If it's a tool for yourself it's ok. If you roll this out to a wider usergroup then people could do almost everything with your database by entering malicious  code in the textboxes. Google for "SQL injection" to get more information about it.
0

Featured Post

Active Directory Webinar

We all know we need to protect and secure our privileges, but where to start? Join Experts Exchange and ManageEngine on Tuesday, April 11, 2017 10:00 AM PDT to learn how to track and secure privileged users in Active Directory.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Summary: Persistence is the capability of an application to store the state of objects and recover it when necessary. This article compares the two common types of serialization in aspects of data access, readability, and runtime cost. A ready-to…
Entity Framework is a powerful tool to help you interact with the DataBase but still doesn't help much when we have a Stored Procedure that returns more than one resultset. The solution takes some of out-of-the-box thinking; read on!
Established in 1997, Technology Architects has become one of the most reputable technology solutions companies in the country. TA have been providing businesses with cost effective state-of-the-art solutions and unparalleled service that is designed…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question