We Keep Coding

Expression might contain invalid token SSIS

I try to execute a simple sql task with variable, so I create my variable and into it I insert delete statement like:
DELETE FROM fiscal_cxp WHERE EMPRESA = '"+#[User::cia]+"'
but when I try to evaluate expression I get an issue:
I review query several times but I dont find nothing wrong. Can someone knows what is wrong there? Regards

You're missing the opening and closing quotes:
"DELETE FROM fiscal_cxp WHERE EMPRESA = '" + #[User::cia] + "'"

sql commands taking to much space

Hello guys i building a web app with asp.net and using sql ( MS SQL server 2000 ) and now after getting closer to finish i noticed that the sql part of my code taking huge amounts of space... and i was wondering what ways are there to make it easier to maintain? maybe even change to some other language?
Here is a simple example of the way my sql code is built ( there are some much longer commands in my code but they built this way) :
Dim connectionString As String = ConfigurationManager.ConnectionStrings("ConnectionString").ToString()
Dim query As String = "SELECT workerName FROM [poWorker] WHERE ( companyId = #companyId ) AND (workerId=#workerId) "
Using con As New SqlConnection(connectionString)
con.Open()
Using da As New SqlDataAdapter()
Using command As New SqlCommand(query, con)
command.Parameters.Add(New SqlParameter("#workerId", Session("userId")))
command.Parameters.Add(New SqlParameter("#companyId", Session("companyId")))
Dim ds As New DataSet()
da.SelectCommand = command
da.Fill(ds, "test")
If ds.Tables(0).Rows.Count = 1 Then
managerName = ds.Tables(0).Rows(0)(0).ToString()
End If
End Using
End Using
con.Close()
End Using
This is taking a lot of space and i got a lot of sql written this way. I am sure there is some solution in making it easier to maintain, probably using a newer technology? Maybe if i could figure out a way to call all the sql commands from 1-2 functions but so far i failed to do such a thing since there big differences between many of those.

In the example you give, you could simplify the code by using ExecuteScalar - as you are just returning a single value. For example:
Dim query As String = "SELECT workerName FROM [poWorker] WHERE ( companyId = #companyId ) AND (workerId=#workerId) "
Using con As New SqlConnection(connectionString)
con.Open()
Using command As New SqlCommand(query, con)
command.Parameters.Add(New SqlParameter("#workerId", Session("userId")))
command.Parameters.Add(New SqlParameter("#companyId", Session("companyId")))
managerName = command.ExecuteScalar().ToString();
End Using
con.Close()
End Using

A modern way to access databases from code is to use an ORM. The one that Microsoft provides with the .NET Framework is Entity Framework. This allows you to write your query like this:
Dim worker as Worker =
dbContext.Workers
.Where(Function (w) (w.companyId = Session("companyId") and
w.workerId = Session("userId")))
.SingleOrDefault()
If worker IsNot Nothing Then
managerName = worker.workerName
End If
This approach also provides a far more robust approach to dynamic queries as opposed to piecing SQL strings together. For example, you can dynamically swap out Where clauses, OrderBy clauses, and so on, and still have completely typesafe code.
Entity Framework does not have builtin support for SQL Server 2000, but apparently there is a workaround.

The modern way is to no use SQL directly, but rather an OR-Mapper such as Entity Framework that allows you to query using Linq.
The query you show above would the be reduced to something shorter:
using(new context = MyAppDbContext())
{
var workerId = Session["userId"];
var companyId = Session["companyId"];
managerName = context.PoWorker
.Single(w => w.companyId == companyId && w.workerId == workerId)
.workerName;
}
Sorry for using C# syntax, but I hope you can figure out the intention.

VB.Net Sqlite - Parameterized query not working

I never asked any questions on stackoverflow but it already brought me tons of answers !
But this time, after some extended research, I have to ask it myself.
I'm using VB.Net with Sqlite and my query doesn't return any value when I execute it with parameters. I guess this has something to do with the fact SituationString contains commas but I really can't figure it out.
Here's is my code :
dim ChildCtx as Integer
dim SituationString as String
SituationString="968,970,978,979,980,981,995,1022,1099,1119"
With DataBase
.SQL_CMD.Parameters.Clear()
.SQL_CMD.CommandText = "SELECT SERVCTX_NO FROM SERVCTX WHERE SERVCTX_NO IN (#situationstring) AND MASTER = '1'"
.SQL_CMD.Parameters.Add("#situationstring", SqlDbType.VarChar, 255).Value = SituationString
ChildCtx = .SQL_CMD.ExecuteScalar
.SQL_CMD.Parameters.Clear()
End with
Connection is open and query works out fine if I write the whole query into one string.
Thanks,

You are mixing two techincs: merging constant data into SQL command and using parameters to pass data.
I suppose SituationString is a list of integer you expect for SERVCTX_NO.
So, you must merge it into statement:
.SQL_CMD.CommandText = "SELECT SERVCTX_NO FROM SERVCTX WHERE SERVCTX_NO IN ("+SituationString+") AND MASTER = '1'"
ChildCtx = .SQL_CMD.ExecuteScalar
Using parameters, as you did, SERVCTX_NO would be expected to be a string with 968,970,978,979,980,981,995,1022,1099,1119 exact content!

SQL injection for the following regular expression

I am looking for backdoors in various softwares and wondering if the following code is vulnerable to a sql injection.
There's an email field with the following validation expression. (ASPX/CS)
ValidationExpression="\w+([-+.']\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*">
Is it possible to exploit the above to drop a table for example or do anything malicious using a SQL injection?
Thanks
Regards
EDIT 1: People have asked me how this was implemented —
SqlConnection conn = new SqlConnection(snpConnectionString);
SqlCommand command = conn.CreateCommand();
conn.Open();
command.CommandText = "INSERT INTO TABLE_ VALUES ('" + TextBoxFN.Text + "','" + TextBoxLN.Text + "','" + sb1.ToString() + "','" + TextBoxEA.Text + "','" + sb.ToString() + "',0,'" + DateTime.Now + "')";
try{
SqlDataReader reader = command.ExecuteReader();
}
catch
{
Response.Redirect("Error.aspx", true);
}
TextBoxEA.text corresponds to the email address.

Regular expression validation is great for the UI or business layer to check user input to prevent errors.
It is less great for preventing SQL injection.
If the code does not use parameterized queries, it is vulnerable either now, or later after someone makes a minor error updating the regular expression to conform to a new business requirement.

It is best to use parameterized queries like Eric stated, but looking at the regex only the following characters are valid
A-Za-z0-9_-+.'
Without a space I don't think they could inject SQL, but if it was me I'd still make sure to use parameterized queries to be safe.

SQL syntax error in Update statement VB.net

I'm getting a strange syntax error when I run this in VB:
SQLString = "UPDATE Login SET Password = '" + PasswordTextBox.Text + "'"
SQLString += " WHERE UserName = '" + UserNameTextBox.Text + "'"
The Username is checked before getting to this part and is definitly in the database.
It gives an exception saying that there's a syntax error in update statement. Anyone have any idea what's wrong?

LOGIN is a reserved word in SQL Server (used for login account management), so in order to use it in a query (i.e. a column name) you need to escape it with [], so use [LOGIN] as the field name.
You should never use string concatenation and pass that to your SQL database, as you are exposing yourself to SQL Injection attacks.
You should use the SqlCommand object and pass through parameters. See this article on how to do so.
SQLString = "UPDATE [Login] SET Password = #password "
SQLString += " WHERE UserName = #userName"
...
dbCommand.Parameters.Add("#password", SqlDbType.VarChar, 50)
dbCommand.Parameters["#password"].Value = PasswordTextBox.Text
dbCommand.Parameters.Add("#userName", SqlDbType.VarChar, 50)
dbCommand.Parameters["#userName"].Value = UserNameTextBox.Text

I am pretty sure that Login is a reserved word, try changing Login to [Login]

Password is a reserved word so [Password] fixes it, my lecturer fixed to for me :)

Instead of showing how you're building the statement, show us what's in SQLString when the statement is executed.
Also, try enclosing the column and table names in the identifier quote characters, which are [ and ] for Microsoft, and ` (on the tilde key) for many others databases.

Without knowing what you are using for your actual password and username, my guess is that some character in one (or both) of those are causing the sql statement to end prematurely. You should really use parameters when executing sql like this.
Take a look at this: http://msdn.microsoft.com/en-us/library/ms998271.aspx

I agree with some of the previous answers, about using parameters (I gave + 1 to #Oded) and using [ ] with tablenames and fieldnames (I gave +1 to SQLMenace).
In conclussion, I think this is the most correct way to launch your query:
using(SqlConnection connection = new SqlConnection("<your connection string>"))
{
connection.Open();
SqlCommand command = new SqlCommand();
command.Connection = connection;
command.CommandText = "UPDATE [Login] SET [Password] = #PasswordParameter WHERE [UserName] = #UserNameParameter";
command.Parameters.AddWithValue("#PasswordParameter", PasswordTextBox.Text);
command.Parameters.AddWithValue("#UserNameParameter", UserNameTextBox.Text);
command.ExecuteNonQuery();
}

I would recommend surrounding the words "login" and "password" with tick marks to let the handler know that they are not to be rendered as reserved words.
So:
Update 'login' SET 'password'
But rather than single-quotes, use the tick mark (upper-left key on the keyboard). I can't demonstrate it correctly as StackOverflow will treat it as a class if it's surrounded in tick marks.