Solved

C#: SQL string with textBox user input?

Posted on 2004-09-17
222 Views
Last Modified: 2010-04-15
I'm attempting to substitute a textBox variable in place of the usual tableName in an SQL string.

Q. Is the following code correct?


using System.Data.SqlClient;

// Note: the table name is wrapped in single quotes here, so SQL Server sees a
// string literal where it expects an identifier (this is what the accepted answer removes).
string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
              " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";
SqlConnection cn1 = new SqlConnection("integrated security=SSPI;data source=office; persist security info=False;initial catalog=master");
SqlDataAdapter da1 = new SqlDataAdapter(SQL1, cn1);
cn1.Open();
// SelectCommand is the SqlCommand built from SQL1; ExecuteNonQuery runs the INSERT.
da1.SelectCommand.ExecuteNonQuery();
cn1.Close();
Question by:kvnsdr
5 Comments
 
LVL 20

Expert Comment

by:ihenry
ID: 12087653
Are you inserting a record into a table in the master database?
0
 
LVL 1

Author Comment

by:kvnsdr
ID: 12088520
yes
0
 
LVL 5

Accepted Solution

by: tomasX2 (earned 500 total points)
ID: 12088966
REMOVE THE '

string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

becomes

string SQL1 = " INSERT INTO  " + txtSqlTable.Text.ToString() + " (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

Sounds dangerous though... hope it's not an action an anonymous user could do.
0
 
LVL 5

Expert Comment

by:tomasX2
ID: 12088971
I mean because you use string parsing and not parameters.
0
 
LVL 10

Expert Comment

by:ptmcomp
ID: 12091163
If it's a tool for yourself it's ok. If you roll this out to a wider usergroup then people could do almost everything with your database by entering malicious code in the textboxes. Google for "SQL injection" to get more information about it.
0
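For comparison, here is the same INSERT written the way tomasX2 and ptmcomp are pointing at: parameters for the values, and an allowlist for the table name (identifiers cannot be bound as parameters). This is an added example, not code from the question or from any of the answers; the allowed table names, the column types and the connection string are assumptions made up for it.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. The textbox value is only used as a table
// name if it matches a fixed allowlist, and the column values are bound as
// SqlParameters, so an apostrophe typed into Port or Desc (e.g. "O'Brien") is
// stored as data instead of terminating the string literal.
static class SafeInsert
{
    // Tables this tool may write to (names constructed for the example; none
    // contain brackets, so wrapping them in [] below is safe).
    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "PortList", "PortArchive" };

    // Returns the number of rows inserted; throws if the table name is not allowed.
    public static int InsertPort(string connectionString, string tableFromTextBox,
                                 string port, string desc)
    {
        string table = tableFromTextBox.Trim();
        if (!AllowedTables.Contains(table))
            throw new ArgumentException("Table name is not in the allowlist: " + table);

        // The identifier is now a vetted constant; the values are never concatenated.
        string sql = "INSERT INTO [" + table + "] (col_Port, col_Desc) VALUES (@port, @desc)";

        using (SqlConnection cn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            // Column sizes are assumed; adjust to the real schema.
            cmd.Parameters.Add("@port", SqlDbType.NVarChar, 50).Value = port;
            cmd.Parameters.Add("@desc", SqlDbType.NVarChar, 255).Value = desc;
            cn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

A table name that is not in the allowlist is rejected before any SQL is built, which is the check a wider user group needs that the concatenated version cannot provide.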
