ASP.net SQL Injection Threat
Hi
I have an ASP.net web forms web app that uses a backend Azure SQL database. I have been warned that the database may be under threat of SQL Injection attacks
What steps can I take to tighten security. The type of C# code I use is as follows. Can I perhaps stop it running if there are words like Delete or Drop that have been added to the SQL Statement. How would I do this?
protected void oRun_SQL(string sSQL)
{
string cs = ConfigurationManager.ConnectionStrings["DefaultConnection"].ConnectionString;
SqlConnection cn = new SqlConnection(cs);
SqlCommand cmd = new SqlCommand(sSQL, cn);
try
{
cn.Open();
cmd.ExecuteNonQuery();
}
catch (Exception ex)
{
Response.Write("SQL ERROR" + ex.Message + " xk27");
}
finally
{
if (cn.State != ConnectionState.Closed)
cn.Close();
}
}
Molly Fagan
Based on the little bit you've shown, you're not parameterizing your SQL statement, which is what you must do in order to prevent SQL injection.
Hi Murray,
SQL injection is well understood and easily preventable. As Molly notes, the first thing to do is to not take data right from a web page's controls and put it directly into your SQL. Pass values as parameters to your SQL statement, or check the values yourself to make sure no injection is being attempted before building your query. More info below:
https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648339(v=pandp.10)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deployment-to-a-hosting-provider/deployment-to-a-hosting-provider-deploying-to-iis-as-a-test-environment-5-of-12
https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/working-with-sql?view=aspnetcore-6.0&tabs=visual-studio
SQL injection is well understood and easily preventable. As Molly notes, the first thing to do is to not take data right from a web page's controls and put it directly into your SQL. Pass values as parameters to your SQL statement, or check the values yourself to make sure no injection is being attempted before building your query. More info below:
https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff648339(v=pandp.10)?redirectedfrom=MSDN
https://docs.microsoft.com/en-us/aspnet/web-forms/overview/older-versions-getting-started/deployment-to-a-hosting-provider/deployment-to-a-hosting-provider-deploying-to-iis-as-a-test-environment-5-of-12
https://docs.microsoft.com/en-us/aspnet/core/tutorials/first-mvc-app/working-with-sql?view=aspnetcore-6.0&tabs=visual-studio
ASKER
Thanks for the info. I have over 60 columns in my main table. Could I perhaps Paramatarize say 5 columns instead of having to do all of them in my SQL statement
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Hi Molly. I am using the following code to gather the values that I then pass into the method that O mentioned above. I am a little lost as to what to do
private bool oSavePolicy()
{
//System.Diagnostics.Debugger.Break();
this.Label_ValidationMessage.Text = "";
this.Label_Success.Text = "";
this.Label_ErrorMessage.Text = "";
string UserEmail = Session["UserEmail"] as string;
string UserPassword = Session["UserPassword"] as string;
bool oInvalid = false;
if (string.IsNullOrEmpty(this.Assured_Name.Text))
{
this.Assured_Name.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Assured_Name.BackColor = System.Drawing.Color.Transparent;
}
if (this.chkAddAsNewBroker.Checked == false)
{
if (string.IsNullOrEmpty(this.Broker.SelectedItem?.Text))
{
this.Broker.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Broker.BackColor = System.Drawing.Color.Transparent;
}
}
else
{
if (string.IsNullOrEmpty(this.Broker2.Text))
{
this.Broker2.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Broker2.BackColor = System.Drawing.Color.Transparent;
}
}
if (string.IsNullOrEmpty(this.Broker_Contact_Name.Text))
{
this.Broker_Contact_Name.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Broker_Contact_Name.BackColor = System.Drawing.Color.Transparent;
}
if (string.IsNullOrEmpty(this.Profession.Text))
{
this.Profession.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Profession.BackColor = System.Drawing.Color.Transparent;
}
if (string.IsNullOrEmpty(this.Country.Text))
{
this.Country.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Country.BackColor = System.Drawing.Color.Transparent;
}
if (this.Status.Text == "Declined")
{
if (string.IsNullOrEmpty(this.Reason_Declined.Text))
{
this.Reason_Declined.BackColor = System.Drawing.Color.LightBlue;
oInvalid = true;
}
else
{
this.Reason_Declined.BackColor = System.Drawing.Color.Transparent;
}
}
if (oInvalid == true)
{
string oMsg = "Please fill out mandatory fields highlighted in blue";
//ClientScript.RegisterClientScriptBlock(GetType(), "alert", "alert('" + oMsg + "');", true);
this.Label_ValidationMessage.Text = oMsg;
Label_Success.Text = "";
return false;
}
string oStatus = "Null";
if (!string.IsNullOrEmpty(Status.Text))
{
oStatus = "'" + SQLConvert(Status.Text) + "'";
}
string oBinder = "Null";
if (!string.IsNullOrEmpty(Binder.SelectedItem?.Text))
{
oBinder = "'" + SQLConvert(Binder.SelectedItem?.Text) + "'";
}
string oClass_of_Business = "Null";
if (!string.IsNullOrEmpty(Class_of_Business.Text))
{
oClass_of_Business = "'" + SQLConvert(Class_of_Business.Text) + "'";
}
string oType_of_Risk = "Null";
if (!string.IsNullOrEmpty(Type_of_Risk.Text))
{
oType_of_Risk = "'" + SQLConvert(Type_of_Risk.Text) + "'";
}
string oUnderwriter = "Null";
if (!string.IsNullOrEmpty(Underwriter.SelectedItem?.Text))
{
oUnderwriter = "'" + SQLConvert(Underwriter.SelectedItem?.Text) + "'";
}
string oPolicy_Number = "Null";
if (!string.IsNullOrEmpty(Policy_Number.Text))
{
oPolicy_Number = "'" + Policy_Number.Text + "'";
}
string oDate_Seen = "Null";
if (!string.IsNullOrEmpty(Date_Seen.Text))
{
//DateTime oDate = DateTime.ParseExact(Date_Seen.Text, "yyyy-MM-dd HH:mm:ss", null);
oDate_Seen = "'" + Date_Seen.Text + "'";
}
//if (!string.IsNullOrEmpty(Inception_Date.Text))
//string oInceptionDate = DateTime.Parse(Inception_Date.Text);
string oInception_Date = "Null";
if (!string.IsNullOrEmpty(Inception_Date.Text))
{
//DateTime oDate = DateTime.ParseExact(Inception_Date.Text, "yyyy-MM-dd", null);
oInception_Date = "'" + Inception_Date.Text + "'";
}
string oExpiry_Date = "Null";
if (!string.IsNullOrEmpty(Expiry_Date.Text))
{
// DateTime oDate = DateTime.ParseExact(Expiry_Date.Text, "yyyy-MM-dd", null);
oExpiry_Date = "'" + Expiry_Date.Text + "'";
}
string oAssured_Name = "Null";
if (!string.IsNullOrEmpty(Assured_Name.Text))
{
oAssured_Name = "'" + SQLConvert(Assured_Name.Text) + "'";
}
string oBroker = "Null";
if (this.chkAddAsNewBroker.Checked == false)
{
if (!string.IsNullOrEmpty(Broker.SelectedItem?.Text))
{
oBroker = "'" + SQLConvert(Broker.SelectedItem?.Text) + "'";
}
}
else
{
if (!string.IsNullOrEmpty(this.Broker2.Text))
{
oBroker = "'" + SQLConvert(Broker2.Text) + "'";
}
}
string oBroker_Contact_Name = "Null";
if (!string.IsNullOrEmpty(Broker_Contact_Name.Text))
{
oBroker_Contact_Name = "'" + SQLConvert(Broker_Contact_Name.Text) + "'";
}
string oBroker_Email = "Null";
if (!string.IsNullOrEmpty(Broker_Email.Text))
{
oBroker_Email = "'" + SQLConvert(Broker_Email.Text) + "'";
}
string oCountry = "Null";
if (!string.IsNullOrEmpty(Country.SelectedItem.Text))
{
oCountry = "'" + SQLConvert(Country.SelectedItem.Text) + "'";
}
string oStateOrProvince = "Null";
if (!string.IsNullOrEmpty(StateOrProvince.SelectedItem.Text))
{
oStateOrProvince = "'" + SQLConvert(StateOrProvince.SelectedItem.Text) + "'";
}
string oFees = "Null";
if (!string.IsNullOrEmpty(Fees.Text))
{
oFees = Fees.Text;
}
string oLimit_of_Indemnity = "Null";
if (!string.IsNullOrEmpty(Limit_of_Indemnity.Text))
{
oLimit_of_Indemnity = Limit_of_Indemnity.Text;
}
string oBasis_Of_Limit = "Null";
if (!string.IsNullOrEmpty(Basis_Of_Limit.SelectedItem.Text))
{
oBasis_Of_Limit = "'" + Basis_Of_Limit.SelectedItem.Text + "'";
}
string oTurnover = "Null";
if (!string.IsNullOrEmpty(Turnover.Text))
{
oTurnover = Turnover.Text;
}
string oProfession = "Null";
if (!string.IsNullOrEmpty(Profession.SelectedItem.Text))
{
oProfession = "'" + SQLConvert(Profession.SelectedItem.Text) + "'";
}
string oCurrency = "Null";
if (!string.IsNullOrEmpty(Currency.Text))
{
oCurrency = "'" + SQLConvert(Currency.Text) + "'";
}
string oLayer = "Null";
if (!string.IsNullOrEmpty(Layer.SelectedItem?.Text))
{
oLayer = "'" + SQLConvert(Layer.SelectedItem?.Text) + "'";
}
string oDeductible = "Null";
if (!string.IsNullOrEmpty(Deductible.Text))
{
oDeductible = Deductible.Text;
}
string oReinstatement = "Null";
if (!string.IsNullOrEmpty(Re_instatement.Text))
{
oReinstatement = "'" + Re_instatement.Text + "'";
}
string oRetroactive_Date = "Null";
if (!string.IsNullOrEmpty(Retroactive_Date.Text))
{
DateTime oDate = DateTime.ParseExact(Retroactive_Date.Text, "yyyy-MM-dd", null);
oRetroactive_Date = "'" + oDate + "'";
}
string oCosts_InclusiveOrExclusive = "Null";
if (!string.IsNullOrEmpty(Costs_InclusiveOrExclusive.SelectedItem.Text))
{
oCosts_InclusiveOrExclusive = "'" + Costs_InclusiveOrExclusive.SelectedItem.Text + "'";
}
string oGross_Premium = "Null";
if (!string.IsNullOrEmpty(Gross_Premium.Text))
{
oGross_Premium = Gross_Premium.Text;
}
string oPremium_of_Line = "Null";
if (!string.IsNullOrEmpty(Premium_of_Line.Text))
{
oPremium_of_Line = Premium_of_Line.Text;
}
string oNet_Premium_to_Binder = "Null";
if (!string.IsNullOrEmpty(Net_Premium_to_Binder.Text))
{
oNet_Premium_to_Binder = Net_Premium_to_Binder.Text;
}
string oLCU_Amount = "Null";
if (!string.IsNullOrEmpty(LCU_Amount.Text))
{
oLCU_Amount = LCU_Amount.Text;
}
string oLandmark_Commission_Amount = "Null";
if (!string.IsNullOrEmpty(Landmark_Commission_Amount.Text))
{
oLandmark_Commission_Amount = Landmark_Commission_Amount.Text;
}
string oLandmark_Commission_Percentage = "Null";
if (!string.IsNullOrEmpty(Landmark_Commission_Percentage.Text))
{
oLandmark_Commission_Percentage = Landmark_Commission_Percentage.Text;
}
string oBroker_Brokerage_Amount = "Null";
if (!string.IsNullOrEmpty(Broker_Brokerage_Amount.Text))
{
oBroker_Brokerage_Amount = Broker_Brokerage_Amount.Text;
}
string oLandmark_Policy_Fee = "Null";
if (!string.IsNullOrEmpty(Landmark_Policy_Fee.Text))
{
oLandmark_Policy_Fee = Landmark_Policy_Fee.Text;
}
string oChoice_of_Law = "Null";
if (!string.IsNullOrEmpty(Choice_of_Law.Text))
{
oChoice_of_Law = "'" + SQLConvert(Choice_of_Law.Text) + "'";
}
string oJurisdiction = "Null";
if (!string.IsNullOrEmpty(Jurisdiction.Text))
{
oJurisdiction = "'" + SQLConvert(Jurisdiction.Text) + "'";
}
string oTerritorial_Limits = "Null";
if (!string.IsNullOrEmpty(Territorial_Limits.Text))
{
oTerritorial_Limits = "'" + SQLConvert(Territorial_Limits.Text) + "'";
}
string oForm_Wording = "Null";
if (!string.IsNullOrEmpty(Form_Wording.Text))
{
oForm_Wording = "'" + SQLConvert(Form_Wording.Text) + "'";
}
string oIPT = "Null";
if (!string.IsNullOrEmpty(IPT.Text))
{
oIPT = IPT.Text;
}
string oNet_to_Landmark = "Null";
if (!string.IsNullOrEmpty(Net_to_Landmark.Text))
{
oNet_to_Landmark = Net_to_Landmark.Text;
}
string oNet_to_Landmark_Inc_Tax = "Null";
if (!string.IsNullOrEmpty(Net_to_Landmark_Inc_Tax.Text))
{
oNet_to_Landmark_Inc_Tax = Net_to_Landmark_Inc_Tax.Text;
}
string oNet_to_Capacity_Excl_IPT = "Null";
if (!string.IsNullOrEmpty(Net_to_Capacity_Excl_IPT.Text))
{
oNet_to_Capacity_Excl_IPT = Net_to_Capacity_Excl_IPT.Text;
}
string oPremium_Due_Date = "Null";
if (!string.IsNullOrEmpty(Premium_Due_Date.Text))
{
oPremium_Due_Date = "'" + Premium_Due_Date.Text + "'";
}
string oDebit_Note_Date = "Null";
if (!string.IsNullOrEmpty(Debit_Note_Date.Text))
{
oDebit_Note_Date = "'" + Debit_Note_Date.Text + "'";
}
string oPaid_Date = "Null";
if (!string.IsNullOrEmpty(Paid_Date.Text))
{
oPaid_Date = "'" + Paid_Date.Text + "'";
}
string oPaid_Amount = "Null";
if (!string.IsNullOrEmpty(Paid_Amount.Text))
{
oPaid_Amount = Paid_Amount.Text;
}
string oOverpaymentOrUnderpayment = "Null";
if (!string.IsNullOrEmpty(OverpaymentOrUnderpayment.Text))
{
oOverpaymentOrUnderpayment = OverpaymentOrUnderpayment.Text;
}
string oBank_Ref = "Null";
if (!string.IsNullOrEmpty(Bank_Ref.Text))
{
oBank_Ref = "'" + SQLConvert(Bank_Ref.Text) + "'";
}
string oPaid_to_Binder = "Null";
if (!string.IsNullOrEmpty(Paid_to_Binder.Text))
{
oPaid_to_Binder = Paid_to_Binder.Text;
}
string oPaid_to_Binder_Bdx_Date = "Null";
if (!string.IsNullOrEmpty(Paid_to_Binder_Bdx_Date.Text))
{
oPaid_to_Binder_Bdx_Date = "'" + Paid_to_Binder_Bdx_Date.Text + "'";
}
string oLine_Percentage = "Null";
if (!string.IsNullOrEmpty(Line_Percentage.Text))
{
oLine_Percentage = Line_Percentage.Text;
}
string oTax = "Null";
if (!string.IsNullOrEmpty(Tax.Text))
{
oTax = Tax.Text;
}
string oTotal_Binder_Brokerage = "Null";
if (!string.IsNullOrEmpty(Total_Binder_Brokerage.Text))
{
oTotal_Binder_Brokerage = Total_Binder_Brokerage.Text;
}
string oBroker_Brokerage_Percentage = "Null";
if (!string.IsNullOrEmpty(Broker_Brokerage_Percentage.Text))
{
oBroker_Brokerage_Percentage = Broker_Brokerage_Percentage.Text;
}
string oTOBA_Check = "0";
if (TOBA_Check.Checked)
{
oTOBA_Check = "1";
}
string oTOBA_Date = "Null";
if (!string.IsNullOrEmpty(TOBA_Date.Text))
{
oTOBA_Date = "'" + TOBA_Date.Text + "'";
}
string oDebit_Note_Issued = "0";
if (Debit_Note_Issued.Checked)
{
oDebit_Note_Issued = "1";
}
string oTPA_Percentage_1 = "Null";
if (!string.IsNullOrEmpty(TPA_Percentage_1.Text))
{
oTPA_Percentage_1 = TPA_Percentage_1.Text;
}
string oTPA_Percentage_2 = "Null";
if (!string.IsNullOrEmpty(TPA_Percentage_2.Text))
{
oTPA_Percentage_2 = TPA_Percentage_2.Text;
}
string oTPA_Percentage_3 = "Null";
if (!string.IsNullOrEmpty(TPA_Percentage_3.Text))
{
oTPA_Percentage_3 = TPA_Percentage_3.Text;
}
string oTPA_Percentage_4 = "Null";
if (!string.IsNullOrEmpty(TPA_Percentage_4.Text))
{
oTPA_Percentage_4 = TPA_Percentage_4.Text;
}
string oTPA_Amount_1 = "Null";
if (!string.IsNullOrEmpty(TPA_Amount_1.Text))
{
oTPA_Amount_1 = TPA_Amount_1.Text;
}
string oTPA_Amount_2 = "Null";
if (!string.IsNullOrEmpty(TPA_Amount_2.Text))
{
oTPA_Amount_2 = TPA_Amount_2.Text;
}
string oTPA_Amount_3 = "Null";
if (!string.IsNullOrEmpty(TPA_Amount_3.Text))
{
oTPA_Amount_3 = TPA_Amount_3.Text;
}
string oTPA_Amount_4 = "Null";
if (!string.IsNullOrEmpty(TPA_Amount_4.Text))
{
oTPA_Amount_4 = TPA_Amount_4.Text;
}
string oComments = "Null";
if (!string.IsNullOrEmpty(Convert.ToString(Comments.Text)))
{
string StringComment = Convert.ToString(Comments.Text.Trim());
//replacing "enter" i.e. "\n" by ";"
string temp = StringComment.Replace("\r\n", "|");
oComments = "'" + SQLConvert(temp) + "'";
}
string oReasonDeclined = "Null";
if (!string.IsNullOrEmpty(Convert.ToString(Reason_Declined.Text)))
{
string StringReasonDeclined = Convert.ToString(Reason_Declined.Text.Trim());
//replacing "enter" i.e. "\n" by ";"
string temp = StringReasonDeclined.Replace("\r\n", "|");
oReasonDeclined = "'" + SQLConvert(temp) + "'";
}
string oConditions = "Null";
foreach (ListItem item in Conditions.Items)
{
if (item.Selected)
{
string selectedValue = item.Value;
if (oConditions == "Null")
{
oConditions = selectedValue;
}
else
{
oConditions = oConditions + "|" + selectedValue;
}
}
}
oConditions = "'" + SQLConvert(oConditions) + "'";
string oUserEmail = "'" + this.lblEmailUser.Text + "'";
string S = "";
if (this.LabelPolicyID.Text == "")
{
S = S + "Insert Into [Policies] ";
S = S + "(Status,Underwriter, Policy_Number, Type_of_Risk, Date_Seen, TOBA_Check, TOBA_Date, Assured_Name, ";
S = S + "Broker, Broker_Contact_Name, Broker_Email, Inception_Date, Expiry_Date, Binder, ";
S = S + "Class_of_Business, Country, StateOrProvince, Currency, Fees, Turnover, Profession, Limit_of_Indemnity, ";
S = S + "Basis_Of_Limit, Layer, Deductible, Reinstatement, Retroactive_Date, Costs_InclusiveOrExclusive, ";
S = S + "Gross_Premium, Line_Percentage, Premium_of_Line, Net_Premium_to_Binder,Broker_Brokerage_Percentage, ";
S = S + "TPA_Percentage_1, TPA_Percentage_2, TPA_Percentage_3, TPA_Percentage_4, Landmark_Commission_Percentage, ";
S = S + "Total_Binder_Brokerage, Landmark_Commission_Amount, Broker_Brokerage_Amount, TPA_Amount_1, TPA_Amount_2, ";
S = S + "TPA_Amount_3, TPA_Amount_4, LCU_Amount, Landmark_Policy_Fee, Choice_of_Law, Jurisdiction, ";
S = S + "Territorial_Limits, Form_Wording, IPT, Tax, Net_to_Landmark, ";
S = S + "Net_to_Landmark_Inc_Tax, Net_to_Capacity_Excl_IPT, Premium_Due_Date, Debit_Note_Issued, Debit_Note_Date, ";
S = S + "Paid_Date, Paid_Amount, OverpaymentOrUnderpayment, Bank_Ref, Paid_to_Binder, Paid_to_Binder_Bdx_Date, ";
S = S + "Comments, Conditions, Reason_Declined, User_Email)";
S = S + " Values (";
S = S + "'Seen'," + oUnderwriter + "," + oPolicy_Number + "," + oType_of_Risk + "," + oDate_Seen + "," + oTOBA_Check + "," + oTOBA_Date + "," + oAssured_Name;
S = S + "," + oBroker + "," + oBroker_Contact_Name + "," + oBroker_Email + "," + oInception_Date + "," + oExpiry_Date + "," + oBinder;
S = S + "," + oClass_of_Business + "," + oCountry + "," + oStateOrProvince + "," + oCurrency + "," + oFees + "," + oTurnover + "," + oProfession + "," + oLimit_of_Indemnity;
S = S + "," + oBasis_Of_Limit + "," + oLayer + "," + oDeductible + "," + oReinstatement + "," + oRetroactive_Date + "," + oCosts_InclusiveOrExclusive;
S = S + "," + oGross_Premium + "," + oLine_Percentage + "," + oPremium_of_Line + "," + oNet_Premium_to_Binder + "," + oBroker_Brokerage_Percentage;
S = S + "," + oTPA_Percentage_1 + "," + oTPA_Percentage_2 + "," + oTPA_Percentage_3 + "," + oTPA_Percentage_4 + "," + oLandmark_Commission_Percentage;
S = S + "," + oTotal_Binder_Brokerage + "," + oLandmark_Commission_Amount + "," + oBroker_Brokerage_Amount + "," + oTPA_Amount_1 + "," + oTPA_Amount_2;
S = S + "," + oTPA_Amount_3 + "," + oTPA_Amount_4 + "," + oLCU_Amount + "," + oLandmark_Policy_Fee + "," + oChoice_of_Law + "," + oJurisdiction;
S = S + "," + oTerritorial_Limits + ", " + oForm_Wording + ", " + oIPT + "," + oTax + "," + oNet_to_Landmark;
S = S + "," + oNet_to_Landmark_Inc_Tax + "," + oNet_to_Capacity_Excl_IPT + "," + oPremium_Due_Date + "," + oDebit_Note_Issued + "," + oDebit_Note_Date;
S = S + "," + oPaid_Date + "," + oPaid_Amount + "," + oOverpaymentOrUnderpayment + "," + oBank_Ref + "," + oPaid_to_Binder + "," + oPaid_to_Binder_Bdx_Date;
S = S + "," + oComments + "," + oConditions + "," + oReasonDeclined + "," + oUserEmail + ")";
Console.WriteLine(S);
System.Diagnostics.Debug.WriteLine(S);
int oInsertGetID = oInsertSQL_ReturnID(S);
if (oInsertGetID == 0)
{
this.Label_ErrorMessage.Text = "Save failed. Please check your internet connection";
return false;
}
else
{
this.LabelPolicyID.Text = oInsertGetID.ToString();
this.lblNewOrEdit.Text = "Edit Risk/Policy";
return true;
}
}
else
{
S = S + "Update [Policies] Set ";
S = S + "Status=" + oStatus + ",Underwriter=" + oUnderwriter + ", Policy_Number=" + oPolicy_Number + ", Type_of_Risk=" + oType_of_Risk + ", Date_Seen=" + oDate_Seen + ", TOBA_Check=" + oTOBA_Check + ", TOBA_Date=" + oTOBA_Date + ", Assured_Name=" + oAssured_Name + ", ";
S = S + "Broker=" + oBroker + ", Broker_Contact_Name=" + oBroker_Contact_Name + ", Broker_Email=" + oBroker_Email + ", Inception_Date=" + oInception_Date + ", Expiry_Date=" + oExpiry_Date + ", Binder=" + oBinder + ", ";
S = S + "Class_of_Business=" + oClass_of_Business + ", Country=" + oCountry + ", StateOrProvince=" + oStateOrProvince + ", Currency=" + oCurrency + ", Fees=" + oFees + ", Turnover=" + oTurnover + ", Profession=" + oProfession + ", Limit_of_Indemnity=" + oLimit_of_Indemnity + ", ";
S = S + "Basis_Of_Limit=" + oBasis_Of_Limit + ", Layer=" + oLayer + ", Deductible=" + oDeductible + ", Reinstatement=" + oReinstatement + ", Retroactive_Date=" + oRetroactive_Date + ", Costs_InclusiveOrExclusive=" + oCosts_InclusiveOrExclusive + ", ";
S = S + "Gross_Premium=" + oGross_Premium + ", Line_Percentage=" + oLine_Percentage + ", Premium_of_Line=" + oPremium_of_Line + ", Net_Premium_to_Binder=" + oNet_Premium_to_Binder + ",Broker_Brokerage_Percentage=" + oBroker_Brokerage_Percentage + ", ";
S = S + "TPA_Percentage_1=" + oTPA_Percentage_1 + ", TPA_Percentage_2=" + oTPA_Percentage_2 + ", TPA_Percentage_3=" + oTPA_Percentage_3 + ", TPA_Percentage_4=" + oTPA_Percentage_4 + ", Landmark_Commission_Percentage=" + oLandmark_Commission_Percentage + ", ";
S = S + "Total_Binder_Brokerage=" + oTotal_Binder_Brokerage + ", Landmark_Commission_Amount=" + oLandmark_Commission_Amount + ", Broker_Brokerage_Amount=" + oBroker_Brokerage_Amount + ", TPA_Amount_1=" + oTPA_Amount_1 + ", TPA_Amount_2=" + oTPA_Amount_2 + ", ";
S = S + "TPA_Amount_3=" + oTPA_Amount_3 + ", TPA_Amount_4=" + oTPA_Amount_4 + ", LCU_Amount=" + oLCU_Amount + ", Landmark_Policy_Fee=" + oLandmark_Policy_Fee + ", Choice_of_Law=" + oChoice_of_Law + ", Jurisdiction=" + oJurisdiction + ", ";
S = S + "Territorial_Limits=" + oTerritorial_Limits + ", Form_Wording=" + oForm_Wording + ", IPT=" + oIPT + ", Tax=" + oTax + ", Net_to_Landmark=" + oNet_to_Landmark + ", ";
S = S + "Net_to_Landmark_Inc_Tax=" + oNet_to_Landmark_Inc_Tax + ", Net_to_Capacity_Excl_IPT=" + oNet_to_Capacity_Excl_IPT + ", Premium_Due_Date=" + oPremium_Due_Date + ", Debit_Note_Issued=" + oDebit_Note_Issued + ", Debit_Note_Date=" + oDebit_Note_Date + ", ";
S = S + "Paid_Date=" + oPaid_Date + ", Paid_Amount=" + oPaid_Amount + ", OverpaymentOrUnderpayment=" + oOverpaymentOrUnderpayment + ", Bank_Ref=" + oBank_Ref + ", Paid_to_Binder=" + oPaid_to_Binder + ", Paid_to_Binder_Bdx_Date=" + oPaid_to_Binder_Bdx_Date + ", ";
S = S + "Comments=" + oComments + ", Conditions=" + oConditions + ", User_Email =" + oUserEmail;
S = S + " Where PolicyID = " + this.LabelPolicyID.Text;
}
Console.WriteLine(S);
System.Diagnostics.Debug.WriteLine(S);
oRun_SQL(S);
return true;
}ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Is there a reason why you're not using a stored procedure?
ASKER
Hi Molly. I have never used stored procedures. Could you perhaps give me a few pointers
ASKER
I asked a related question
ASP.net Parameterization with SQL Injection | Experts Exchange (experts-exchange.com)
ASP.net Parameterization with SQL Injection | Experts Exchange (experts-exchange.com)
Here's a tutorial to get you started.
https://www.mssqltips.com/sqlservertip/5810/working-with-sql-server-stored-procedures-and-net/
Unlike the example, whenever I create a stored procedure, I go and right-click on Stored Procedures and select "new" and a template comes up and I just start typing my code in that.
https://www.mssqltips.com/sqlservertip/5810/working-with-sql-server-stored-procedures-and-net/
Unlike the example, whenever I create a stored procedure, I go and right-click on Stored Procedures and select "new" and a template comes up and I just start typing my code in that.