• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 541
  • Last Modified:

Sql Queries

Hi Experts
I am using the following code and it works ok .
 ccodex = codeBox.Text
   
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = '" & Ccodex & "' ", conexp)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

But when I ran Code Anylysis on solution it gives the following warning

CA2100      Review SQL queries for security vulnerabilities      The query string passed to 'SqlDataAdapter.New(String, SqlConnection)' in 'InvoiceCustomerEdit.NewCar_Load(Object, EventArgs)' could contain the following variables 'Module1.Ccodex'. If any of these variables could come from user input, consider using a stored procedure or a parameterized SQL query instead of building the query with string concatenations.      Garage      InvoiceCustomerEdit.vb      59


Please help me to change it to  parameterized SQL query

Thanks
0
b001
Asked:
b001
  • 3
  • 2
1 Solution
 
Robert SchuttSoftware EngineerCommented:
One way to do it:
        ccodex = codeBox.Text
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where customer.ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 
b001Author Commented:
Thanks Robert
How would you do if you have the following

   Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = 'op' and ccode = '" & Ccodex & "' ", conexp)
 dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")
0
 
b001Author Commented:
and when
Dim command As New SqlCommand("update JobLog set hours ='" & HoursBox.Text & "',lab_charge ='" & LabChargeBox.Text & "'  where reg = '" & Regx & "'", conexp)
       
Thanks
0
 
Robert SchuttSoftware EngineerCommented:
Well adding a literal shouldn't hurt. Have you tried making the change and run Code Analysis again?

If the prefix needs to be a variable as well, just add another parameter, something like:
        Dim dacustT As New SqlDataAdapter(" select * FROM customer where prefix = @prefix and ccode = @ccode ", conexp)
        dacustT.SelectCommand.Parameters.AddWithValue("@prefix", "op") ' put your variable instead of "op"
        dacustT.SelectCommand.Parameters.AddWithValue("@ccode", ccodex)
        dacustT.Fill(dsCustT, "customer")
        dtCustT = dsCustT.Tables("customer")

Open in new window

0
 
Robert SchuttSoftware EngineerCommented:
for the update command it's basically the same, just try something like command.Parameters.AddWithValue(...)
0

Featured Post

Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now