Solved

Sql Queries

Posted on 2014-11-23
5
335 Views
Last Modified: 2014-11-23
Hi Experts
I am using the following code and it works ok .
 ccodex = codeBox.Text
   
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = '" & Ccodex & "' ", conexp)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

But when I ran Code Anylysis on solution it gives the following warning

CA2100      Review SQL queries for security vulnerabilities      The query string passed to 'SqlDataAdapter.New(String, SqlConnection)' in 'InvoiceCustomerEdit.NewCar_Load(Object, EventArgs)' could contain the following variables 'Module1.Ccodex'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.      Garage      InvoiceCustomerEdit.vb      59


Please help me to change it to  parameterized SQL query

Thanks
0
Comment
Question by:b001
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Robert Schutt earned 500 total points
ID: 40460706
One way to do it:
        ccodex = codeBox.Text
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 

Author Comment

by:b001
ID: 40460741
Thanks Robert
How would you do if you have the following

   Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = 'op' and ccode = '" & Ccodex & "' ", conexp)
 dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")
0
 

Author Comment

by:b001
ID: 40460759
and when
Dim command As New SqlCommand("update JobLog set hours ='" & HoursBox.Text & "',lab_charge ='" & LabChargeBox.Text & "'  where reg = '" & Regx & "'", conexp)
       
Thanks
0
 
LVL 35

Expert Comment

by:Robert Schutt
ID: 40460761
Well adding a literal shouldn't hurt. Have you tried making the change and run Code Analysis again?

If the prefix needs to be a variable as well, just add another parameter, something like:
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = @prefix and ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@prefix", "op") ' put your variable instead of "op"
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 
LVL 35

Expert Comment

by:Robert Schutt
ID: 40460764
for the update command it's basically the same, just try something like command.Parameters.AddWithValue(...)
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Article by: Kraeven
Introduction Remote Share is a simple remote sharing tool, enabling you to see, add and remove remote or local shares. The application is written in VB.NET targeting the .NET framework 2.0. The source code and the compiled programs have been in…
If you need to start windows update installation remotely or as a scheduled task you will find this very helpful.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

808 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question