Solved

Sql Queries

Posted on 2014-11-23
5
376 Views
Last Modified: 2014-11-23
Hi Experts
I am using the following code and it works ok .
 ccodex = codeBox.Text
   
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = '" & Ccodex & "' ", conexp)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

But when I ran Code Anylysis on solution it gives the following warning

CA2100      Review SQL queries for security vulnerabilities      The query string passed to 'SqlDataAdapter.New(String, SqlConnection)' in 'InvoiceCustomerEdit.NewCar_Load(Object, EventArgs)' could contain the following variables 'Module1.Ccodex'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.      Garage      InvoiceCustomerEdit.vb      59


Please help me to change it to  parameterized SQL query

Thanks
0
Comment
Question by:b001
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 35

Accepted Solution

by:
Robert Schutt earned 500 total points
ID: 40460706
One way to do it:
        ccodex = codeBox.Text
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 

Author Comment

by:b001
ID: 40460741
Thanks Robert
How would you do if you have the following

   Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = 'op' and ccode = '" & Ccodex & "' ", conexp)
 dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")
0
 

Author Comment

by:b001
ID: 40460759
and when
Dim command As New SqlCommand("update JobLog set hours ='" & HoursBox.Text & "',lab_charge ='" & LabChargeBox.Text & "'  where reg = '" & Regx & "'", conexp)
       
Thanks
0
 
LVL 35

Expert Comment

by:Robert Schutt
ID: 40460761
Well adding a literal shouldn't hurt. Have you tried making the change and run Code Analysis again?

If the prefix needs to be a variable as well, just add another parameter, something like:
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = @prefix and ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@prefix", "op") ' put your variable instead of "op"
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 
LVL 35

Expert Comment

by:Robert Schutt
ID: 40460764
for the update command it's basically the same, just try something like command.Parameters.AddWithValue(...)
0

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Reports are based on a report definition, which is an XML file that describes data and layout for the report, with a different extension. You can create a client-side report definition language (*.rdlc) file with Visual Studio, and build g…
Parsing a CSV file is a task that we are confronted with regularly, and although there are a vast number of means to do this, as a newbie, the field can be confusing and the tools can seem complex. A simple solution to parsing a customized CSV fi…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question