[Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Update record using parameterized query in Asp.net VB

Posted on 2012-09-21
6
Medium Priority
?
779 Views
Last Modified: 2012-09-21
I have a record that I want to update in a SQL Server database.  I want to use a parameterized query to reduce the chances of SQL Injection attack, but I just can't get the syntax correct.

I want to update the fields "Address" and "Phone" who's values come from txtAddress.text and txtPhone.text

Please supply code in VB.
0
Comment
Question by:rrhandle8
  • 3
  • 3
6 Comments
 
LVL 5

Expert Comment

by:sameer_goyal
ID: 38424008
Considering you have the DB connection/etc code in place, here's what you can do

Dim updateSql As String

updateSql = "Update dbo.<replace you table name here> set Address = '" & txtAddress.Text.Trim().Replace("'", "''") & "', Phone = '" & txtPhone.Text.Trim().Replace("'", "") & "' WHERE <use condition clause if any>"

hope it helps

Note:
txtAddress.Text.Trim().Replace("'", "''") : the first parameter in Replace is a single quote mark and the second one is 2 single quotes within the quotations. This is to prevent exception due to an appostrophe which can be part of the text. This will also prevent Sql Injection

In the replace for phone, I am just removing ' because it is not required in a phone number
0
 

Author Comment

by:rrhandle8
ID: 38424045
sameer_goyal

That is just a standard SQL update command.  I am trying to do it with a parameterized query like:

cmd.Parameters.AddWithValue("@Phone", txtPhone.text)
0
 
LVL 5

Expert Comment

by:sameer_goyal
ID: 38424092
Here you go

Dim updateSql As String
Dim cmd As SqlCommand
strQuery = "update <tableName> set Address=@Address, phone = @Phone where <you condition>"
cmd = New SqlCommand(updateSql)
cmd.Parameters.AddWithValue("@Address", txtAddress.Text.Trim())
cmd.Parameters.AddWithValue("@Phone", txtPhone.Text.Trim())

Dim strConnString As String = System.Configuration.ConfigurationManager.ConnectionStrings("conString").ConnectionString;
        Dim con As New SqlConnection(strConnString)
        cmd.CommandType = CommandType.Text
        cmd.Connection = con
        Try
            con.Open()
            cmd.ExecuteNonQuery()
            Return True
        Catch ex As Exception
            Response.Write(ex.Message)
            Return False
        Finally
            con.Close()
            con.Dispose()
        End Try

This is it.
0
Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

 

Author Comment

by:rrhandle8
ID: 38424154
That works with 1 correction: strQuery should be UpdateQuery
 
strQuery = "update <tableName> set Address=@Address, phone = @Phone where <you condition>"


One question: Shouldn't the datatype be stated some place like SqlDbType.NVarChar?  The whole reason I am trying to do this with parameterized queries is to avoid SQL injection attacks.  Does doing it the way you have it written help prevent attacks?
0
 
LVL 5

Accepted Solution

by:
sameer_goyal earned 2000 total points
ID: 38424164
No, the datatype is not required for parameterized queries. However, when working with Stored procs, you will need to define the datatype.

Using parameterized queries help prevent sql injection to a large extent but i suggest you use stored procs instead of queries. That way, you can handle illegitimate characters, if any, in the params more gracefully and handle it within the database,

For instance, you can examine the value in the parameter in more detail inside a stored procedure but that possibility is rather rare when working with queries.

let me know if that helps.
0
 

Author Comment

by:rrhandle8
ID: 38424169
Good answer, and thank you for the code!
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Recursive SQL is one of the most fascinating and powerful and yet dangerous feature offered in many modern databases today using a Common Table Expression (CTE) first introduced in the ANSI SQL 99 standard. The first implementations of CTE began ap…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …
With just a little bit of  SQL and VBA, many doors open to cool things like synchronize a list box to display data relevant to other information on a form.  If you have never written code or looked at an SQL statement before, no problem! ...  give i…
Suggested Courses

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question