pointeman asked:
C# Return Complete SQL Query and Values?
For the purpose of troubleshooting, I would like to return the complete SQL syntax and values to a label for either a desktop or a web page. I tried using SqlDataAdapter and SqlCommandBuilder and still only get the SQL syntax and no values.
[Query]
using System.Data.SqlClient;

private void InsertTable(string lastname, string midname, string firstname)
{
    // The values are concatenated straight into the statement text.
    string sql = "Insert Into Table1 (col1, col2, col3) values ('" + lastname + "', '" + midname + "', '" + firstname + "')";
    SqlConnection cn = new SqlConnection(cnPath);
    SqlDataAdapter da = new SqlDataAdapter(sql, cn);
    cn.Open();
    da.SelectCommand.ExecuteNonQuery();
    // The constructor only populates SelectCommand; InsertCommand is null here.
    label1.Text = da.SelectCommand.CommandText;
    cn.Close();
}
[Current Return]
Insert Into Table1 (col1, col2, col3) values ('lastname', 'midname', 'firstname')
[Desired Return]
Insert Into Table1 (col1, col2, col3) values (Doe, J, Jane)
Help!
ASKER
I am using parameterized queries although I didn't mention it, oops. It's a new concept and I'm now learning how secure they really are.
I split the points because you all have excellent info. thx
http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev
http://en.csharp-online.net/ASP.NET_Security_Hacks%E2%80%94Avoiding_SQL_Injection
It's better to use parameters. An example can be found here: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqldataadapter.selectcommand.aspx
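As an added example (not from the question or any of the answers), here is the same insert written with SqlParameters, plus a helper that renders the command text together with each parameter's value for a label or log, so the values are visible for troubleshooting without ever being spliced into the SQL that is executed. cnPath, Table1 and the column names come from the question; the parameter names, column sizes and the show callback are assumed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text;

public static class ParameterizedInsert
{
    // Parameterized version of InsertTable: the values travel as SqlParameters,
    // so the statement text itself never contains user input.
    public static SqlCommand BuildInsert(SqlConnection cn, string lastname, string midname, string firstname)
    {
        var cmd = new SqlCommand(
            "INSERT INTO Table1 (col1, col2, col3) VALUES (@lastname, @midname, @firstname)", cn);
        // Column sizes (50) are an assumption; match them to the real schema.
        cmd.Parameters.Add("@lastname", SqlDbType.NVarChar, 50).Value = lastname;
        cmd.Parameters.Add("@midname", SqlDbType.NVarChar, 50).Value = midname;
        cmd.Parameters.Add("@firstname", SqlDbType.NVarChar, 50).Value = firstname;
        return cmd;
    }

    // Renders the command text followed by each parameter's value, for display only.
    // This string is for humans (label, log); it is never sent to SQL Server.
    public static string Describe(SqlCommand cmd)
    {
        var sb = new StringBuilder(cmd.CommandText);
        sb.Append("  --");
        foreach (SqlParameter p in cmd.Parameters)
        {
            object v = p.Value ?? DBNull.Value;
            string shown = v == DBNull.Value ? "NULL" : "'" + v.ToString().Replace("'", "''") + "'";
            sb.Append(' ').Append(p.ParameterName).Append('=').Append(shown);
        }
        return sb.ToString();
    }

    // show is whatever displays the text, e.g. s => label1.Text = s
    public static void InsertTable(string cnPath, string lastname, string midname, string firstname, Action<string> show)
    {
        using (var cn = new SqlConnection(cnPath))
        using (var cmd = BuildInsert(cn, lastname, midname, firstname))
        {
            cn.Open();
            cmd.ExecuteNonQuery();
            show(Describe(cmd));
        }
    }
}
```

For the question's sample input, Describe returns the INSERT text followed by "-- @lastname='Doe' @midname='J' @firstname='Jane'", which gives the troubleshooting view without building executable SQL from the values.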