Solved

C#: SQL string with textBox user input?

Posted on 2004-09-17
5
218 Views
Last Modified: 2010-04-15
I'm attempting to substitute a testBox variable in place of the usual tableName in an SQL string.

Q. Is the following code correct?


string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
           " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";
SqlConnection cn1 = new SqlConnection("integrated security=SSPI;data source=office; persist security info=False;initial catalog=master");
SqlDataAdapter da1 = new SqlDataAdapter(SQL1,cn1);
cn1.Open();
da1.SelectCommand.ExecuteNonQuery();            
cn1.Close();
0
Comment
Question by:kvnsdr
5 Comments
 
LVL 20

Expert Comment

by:ihenry
ID: 12087653
are you inserting record to a table in master database?
0
 
LVL 1

Author Comment

by:kvnsdr
ID: 12088520
yes
0
 
LVL 5

Accepted Solution

by:
tomasX2 earned 125 total points
ID: 12088966
REMOVE THE '

string SQL1 = " INSERT INTO  ' " + txtSqlTable.Text.ToString() + " ' (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

becomes

string SQL1 = " INSERT INTO  " + txtSqlTable.Text.ToString() + " (col_Port, col_Desc)  VALUES" +
          " ( ' " + Port.ToString() + " ' , ' " + Desc.ToString() + " ' )";

sounds dangerous though... hope it´s not a action an anonymous user could do.
0
 
LVL 5

Expert Comment

by:tomasX2
ID: 12088971
I mean because you use string parsing and not parameters.
0
 
LVL 10

Expert Comment

by:ptmcomp
ID: 12091163
If it's a tool for yourself it's ok. If you roll this out to a wider usergroup then people could do almost everything with your database by entering malicious  code in the textboxes. Google for "SQL injection" to get more information about it.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Introduction                                                 Was the var keyword really only brought out to shorten your syntax? Or have the VB language guys got their way in C#? What type of variable is it? All will be revealed.   Also called…
Introduction This article series is supposed to shed some light on the use of IDisposable and objects that inherit from it. In essence, a more apt title for this article would be: using (IDisposable) {}. I’m just not sure how many people would ge…
This is used to tweak the memory usage for your computer, it is used for servers more so than workstations but just be careful editing registry settings as it may cause irreversible results. I hold no responsibility for anything you do to the regist…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now