bergertime
asked on
Update table on AS400 from vb.net app
I am using the iDB2Connection. Here is my code:
Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connecti on Timeout = 0")
Dim cmd As iDB2Command
Dim sqlstring As String
sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (" & txtName.Text & ", " & txtAddress.Text & ", " & txtCity.Text & ", " & txtState.Text & ", " & txtZip.Text & ")"
Dim da As New iDB2DataAdapter(sqlstring, cn)
'Dim ds As New DataSet("Airbill")
'Open connection
cn.Open()
cmd = New iDB2Command(sqlstring, cn)
cmd.ExecuteNonQuery()
cn.Close()
End Sub
Now when I run this and put in numeric data, it works fine, when I put in alphanumeric I get this error:
SQL0206 Column (whatever letter I put in the txtaddress.text) not in specified tables, but like I said numbers work fine. Why would it see the text in my textbox as the column name? The type in the fields of the table on the AS400 are set to Alpha except for the first textbox. Thanks
Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connecti
Dim cmd As iDB2Command
Dim sqlstring As String
sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (" & txtName.Text & ", " & txtAddress.Text & ", " & txtCity.Text & ", " & txtState.Text & ", " & txtZip.Text & ")"
Dim da As New iDB2DataAdapter(sqlstring,
'Dim ds As New DataSet("Airbill")
'Open connection
cn.Open()
cmd = New iDB2Command(sqlstring, cn)
cmd.ExecuteNonQuery()
cn.Close()
End Sub
Now when I run this and put in numeric data, it works fine, when I put in alphanumeric I get this error:
SQL0206 Column (whatever letter I put in the txtaddress.text) not in specified tables, but like I said numbers work fine. Why would it see the text in my textbox as the column name? The type in the fields of the table on the AS400 are set to Alpha except for the first textbox. Thanks
>Why would it see the text in my textbox as the column name?
Because you aren't quoting the data. Play it out as if you were the program, given your sql string, you'd end up with:
insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, Main st, Anytown, NY, 11111)
When what you want is:
insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, 'Main st', 'Anytown', 'NY', '11111')
HOWEVER, be very careful. In the example you've provided you're wide open to a SQL injection attack. Ask yourself this question, what happens if I, the user, put this into the txtAddress box:
';delete * from table;'
You'll string that right into the test and end up with a sql statement that drops a table. You should be using parameters for this operation.
Because you aren't quoting the data. Play it out as if you were the program, given your sql string, you'd end up with:
insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, Main st, Anytown, NY, 11111)
When what you want is:
insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (122, 'Main st', 'Anytown', 'NY', '11111')
HOWEVER, be very careful. In the example you've provided you're wide open to a SQL injection attack. Ask yourself this question, what happens if I, the user, put this into the txtAddress box:
';delete * from table;'
You'll string that right into the test and end up with a sql statement that drops a table. You should be using parameters for this operation.
ASKER
'You should be using parameters for this operation.'
How would I do that in the above example?
How would I do that in the above example?
Something to the effect of:
Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connecti on Timeout = 0")
Dim cmd As iDB2Command
Dim sqlstring As String
sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (@Acct, @Nam1, @Nam2, @Add1, @City)"
'Open connection
cn.Open()
cmd = cn.CreateCommand()
cmd.CommandText = sql
cmd.Prepare()
cmd.Parameters("@Acct").Va lue = txtName.Text
cmd.Parameters("@Nam1").Va lue = txtAddress.Text
cmd.Parameters("@Nam2").Va lue = txtCity.Text
'... set rest of parms
cmd.ExecuteNonQuery()
cn.Close()
End Sub
No probmises on the VB syntax, but it's close enough.
And before someone points out that the prepare() is a waste of a trip to the DB, IBM will do the prepare if you haven't, so you might as well take advantage of it.
Private Sub btnUpdate1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles btnUpdate1.Click
Dim cn As iDB2Connection = New iDB2Connection("User ID=me;Password=me;Data Source=10.1.1.999;Connecti
Dim cmd As iDB2Command
Dim sqlstring As String
sqlstring = "insert into libery.table (saacct, sanam1, sanam2, saadd1, sacity) values (@Acct, @Nam1, @Nam2, @Add1, @City)"
'Open connection
cn.Open()
cmd = cn.CreateCommand()
cmd.CommandText = sql
cmd.Prepare()
cmd.Parameters("@Acct").Va
cmd.Parameters("@Nam1").Va
cmd.Parameters("@Nam2").Va
'... set rest of parms
cmd.ExecuteNonQuery()
cn.Close()
End Sub
No probmises on the VB syntax, but it's close enough.
And before someone points out that the prepare() is a waste of a trip to the DB, IBM will do the prepare if you haven't, so you might as well take advantage of it.
ASKER
Thanks so much, you have answered my question, but if I might get two points a little more clear, how does the parameters prevent the SQL injection attack? And I'm not sure what you meant by 'the prepare() is a waste of a trip to the DB'....I didn't have it in my code, should I have it?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you so much, I'm not sure if I've ever had an answer that was this clear.
You probably need to enclose your text in single quotes.
At the point of exceuting the query, what (exactly) is the value of sqlstring? (the working one AND the non-working one)
- DaveSlash