Avatar of b001
b001
Flag for Afghanistan asked on

Sql Queries

Hi Experts
I am using the following code and it works ok .
 ccodex = codeBox.Text
   
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = '" & Ccodex & "' ", conexp)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

But when I ran Code Anylysis on solution it gives the following warning

CA2100      Review SQL queries for security vulnerabilities      The query string passed to 'SqlDataAdapter.New(String, SqlConnection)' in 'InvoiceCustomerEdit.NewCar_Load(Object, EventArgs)' could contain the following variables 'Module1.Ccodex'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.      Garage      InvoiceCustomerEdit.vb      59


Please help me to change it to  parameterized SQL query

Thanks
Visual Basic.NET

Avatar of undefined
Last Comment
Robert Schutt

8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Robert Schutt

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
b001

ASKER
Thanks Robert
How would you do if you have the following

   Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = 'op' and ccode = '" & Ccodex & "' ", conexp)
 dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")
b001

ASKER
and when
Dim command As New SqlCommand("update JobLog set hours ='" & HoursBox.Text & "',lab_charge ='" & LabChargeBox.Text & "'  where reg = '" & Regx & "'", conexp)
       
Thanks
Robert Schutt

Well adding a literal shouldn't hurt. Have you tried making the change and run Code Analysis again?

If the prefix needs to be a variable as well, just add another parameter, something like:
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = @prefix and ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@prefix", "op") ' put your variable instead of "op"
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

I started with Experts Exchange in 2004 and it's been a mainstay of my professional computing life since. It helped me launch a career as a programmer / Oracle data analyst
William Peck
Robert Schutt

for the update command it's basically the same, just try something like command.Parameters.AddWithValue(...)