Link to home
Start Free TrialLog in
Avatar of b001
b001Flag for Afghanistan

asked on

Sql Queries

Hi Experts
I am using the following code and it works ok .
 ccodex = codeBox.Text
   
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = '" & Ccodex & "' ", conexp)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

But when I ran Code Anylysis on solution it gives the following warning

CA2100      Review SQL queries for security vulnerabilities      The query string passed to 'SqlDataAdapter.New(String, SqlConnection)' in 'InvoiceCustomerEdit.NewCar_Load(Object, EventArgs)' could contain the following variables 'Module1.Ccodex'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.      Garage      InvoiceCustomerEdit.vb      59


Please help me to change it to  parameterized SQL query

Thanks
ASKER CERTIFIED SOLUTION
Avatar of Robert Schutt
Robert Schutt
Flag of Netherlands image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of b001

ASKER

Thanks Robert
How would you do if you have the following

   Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = 'op' and ccode = '" & Ccodex & "' ", conexp)
 dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")
Avatar of b001

ASKER

and when
Dim command As New SqlCommand("update JobLog set hours ='" & HoursBox.Text & "',lab_charge ='" & LabChargeBox.Text & "'  where reg = '" & Regx & "'", conexp)
       
Thanks
Well adding a literal shouldn't hurt. Have you tried making the change and run Code Analysis again?

If the prefix needs to be a variable as well, just add another parameter, something like:
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = @prefix and ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@prefix", "op") ' put your variable instead of "op"
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

for the update command it's basically the same, just try something like command.Parameters.AddWithValue(...)