Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 223
  • Last Modified:

C#: SQL string with textBox user input?

I'm attempting to substitute a testBox variable in place of the usual tableName in an SQL string.

Q. Is the following code correct?


string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
           " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";
SqlConnection cn1 = new SqlConnection("integrated security=SSPI;data source=office; persist security info=False;initial catalog=master");
SqlDataAdapter da1 = new SqlDataAdapter(SQL1,cn1);
cn1.Open();
da1.SelectCommand.ExecuteNonQuery();            
cn1.Close();
0
kvnsdr
Asked:
kvnsdr
1 Solution
 
ihenryCommented:
are you inserting record to a table in master database?
0
 
kvnsdrAuthor Commented:
yes
0
 
tomasX2Commented:
REMOVE THE '

string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

becomes

string SQL1 = " INSERT INTO  " + txtSqlTable.Text.ToString() + " (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

sounds dangerous though... hope it´s not a action an anonymous user could do.
0
 
tomasX2Commented:
I mean because you use string parsing and not parameters.
0
 
ptmcompCommented:
If it's a tool for yourself it's ok. If you roll this out to a wider usergroup then people could do almost everything with your database by entering malicious  code in the textboxes. Google for "SQL injection" to get more information about it.
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now