Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

c# using a TableAdaptor in a WebService

Posted on 2009-05-04
7
Medium Priority
?
266 Views
Last Modified: 2013-11-26
I'm trying to switch over to using a TableAdaptor instead of having the SQL directly in my cs page as I read somewhere this is bad practice due to SQL injection.

So i've added a Dataset to my project and added a TableAdaptor to it, but now in my code i'm trying to access this with no joy.
I've looked here
http://msdn.microsoft.com/en-us/library/ms233822(VS.80).aspx 

and tryed using the Intellisense to bring up my TableAdaptor but it's nowhere to be seen.

Could you give me some examples on what I should be doing here?
Many Thanks.
0
Comment
Question by:andrewmilner
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 4

Assisted Solution

by:cauos
cauos earned 400 total points
ID: 24298393
at the end of the page in the link you posted there is a title "How to: Create TableAdapters" check that link to know how to create TableAdapters
this is the link
http://msdn.microsoft.com/en-us/library/6sb6kb28(VS.80).aspx
0
 
LVL 12

Expert Comment

by:wht1986
ID: 24298474
you can still use 'inline' sql, just make sure you use parameters, and not appending to the command string

Bad inline:
SqlCommand cmd = new SqlCommand("Select * from TesTable where TestId = " + this.TextBox1.Text, conn);

Good:

SqlCommand cmd = new SqlCommand("Select * from TesTable where TestId = @TestID", conn);
cmd.Parameters.AddWithValue("@TestID", int.Parse(this.TextBox1.Text));

the use of parameters will prevent sql injection.
0
 
LVL 1

Expert Comment

by:chuckdsc
ID: 24298776
andrewmilner,

There is a known bug in sending data from a web service,
check the MSDN blog where information is posted related to passing data from a web/wcf service

http://blogs.msdn.com/lifenglu/archive/2007/08/01/passing-datatable-across-web-wcf-services.aspx
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:andrewmilner
ID: 24299265
How does the Parameters prevent SQL injection?

If I have
string StringFromAtextBox = TextBox1.Value

And I pass this as a parameter into an sql query then surely you can still enter sql in there?
0
 

Author Comment

by:andrewmilner
ID: 24299272
Whats the int.Parse doing in the example above?
0
 
LVL 12

Accepted Solution

by:
wht1986 earned 1600 total points
ID: 24299464
converts the string to an integer, in my example i was just showing how my select statement was expecting an integer as a parameter. so i used the int.Parse method to do the conversion and assign it with the AddWithValue method. I did it this way to avoid specifying explicitly the parameter was an integer.

you can also specify the type explicitly by
            cmd.Parameters.Add("@TestID", SqlDbType.Int);
            cmd.Parameters["@TestID"].Value = int.Parse(this.textBox1.Text);
0
 

Author Comment

by:andrewmilner
ID: 24299651
Okay well using the parameters has gotton around the issue I had.
Many thanks for your help.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn’t it be nice if you could test whether an element is contained in an array by using a Contains method just like the one available on List objects? Wouldn’t it be good if you could write code like this? (CODE) In .NET 3.5, this is possible…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question