When I want to debug this code it gives error on objConnection.Open():
sqlExeption was Unhandled and say(A
network-related or instance-specific
error occurred while establishing a
connection to SQL Server. The server
was not found or was not accessible.
Verify that the instance name is
correct and that SQL Server is
configured to allow remote
connections. (provider: Named Pipes
Provider, error: 40 - Could not open a
connection to SQL Server))
SqlConnection objConnection = new SqlConnection(
"server=localhost;database=pubs;" +
"user id=sa;password=");
SqlDataAdapter objDataAdapter = new SqlDataAdapter();
DataSet objDataSet = new DataSet();
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
// Set the SelectCommand properties...
objDataAdapter.SelectCommand = new SqlCommand();
objDataAdapter.SelectCommand.Connection =
objConnection;
objDataAdapter.SelectCommand.CommandText =
"SELECT au_lname, au_fname, title, price " +
"FROM authors " +
"JOIN titleauthor ON authors.au_id = " +
"titleauthor.au_id " +
"JOIN titles ON titleauthor.title_id = " +
"titles.title_id " +
"ORDER BY au_lname, au_fname";
objDataAdapter.SelectCommand.CommandType =
CommandType.Text;
// Open the database connection...
**objConnection.Open();**
// Fill the DataSet object with data...
objDataAdapter.Fill(objDataSet, "authors");
// Close the database connection...
objConnection.Close();
// Set the DataGridView properties
// to bind it to our data...
grdAuthorTitles.AutoGenerateColumns = true;
grdAuthorTitles.DataSource = objDataSet;
grdAuthorTitles.DataMember = "authors";
// Clean up
objDataAdapter = null;
objConnection = null;
}
This error typically occurs when your server name is wrong or the sql server is not on.
localhost and (local) are treated differently for sql server. You might want to try (local).
Here's a list of connection strings to help you out.
If you are using sql express then you might want to change it from localhost to .\sqlexpress.
To check that your SQL Server is on be sure the services for it are on. You can do this in services and also in the Configuration Manager.
First of all, with the SqlDataAdapter, you don't need to specifically open and close the SqlConnection yourself - the adapter will do that for you.
Secondly, I'd strongly recommend putting all your ADO.NET code into using(.....) { .... } blocks as a best practise.
Furthermore, on your local PC, typically you don't need to specify a specific user for your database, but you can use the built-in Windows authentication directly (integrated security=SSPI) in your SQL connection string.
And as a last thing: if you don't need multiple tables in your DataSet, it's easier and better to use DataTable instead - less overhead, less performance penalties. No need to specify table names as data members and so forth. Just plain easier.
Try this code:
public Form1()
{
InitializeComponent();
}
private void Form1_Load(object sender, EventArgs e)
{
using(SqlConnection objConnection = new SqlConnection("server=(local);database=pubs;integrated security=SSPI;"))
{
SqlDataAdapter objDataAdapter = new SqlDataAdapter();
// Set the SelectCommand properties...
objDataAdapter.SelectCommand = new SqlCommand();
objDataAdapter.SelectCommand.Connection = objConnection;
objDataAdapter.SelectCommand.CommandText =
"SELECT au_lname, au_fname, title, price FROM authors " +
"JOIN titleauthor ON authors.au_id = titleauthor.au_id " +
"JOIN titles ON titleauthor.title_id = titles.title_id " +
"ORDER BY au_lname, au_fname";
DataTable tblData = new DataTable();
// Fill the DataSet object with data...
objDataAdapter.Fill(tblData);
// Set the DataGridView properties
// to bind it to our data...
grdAuthorTitles.AutoGenerateColumns = true;
grdAuthorTitles.DataSource = tblData;
}
}
That way, disposal of the referenced classes will be handled automatically for you.
Related
We are using 3-Tier Architecture in ASP.Net.
There are 3 Layers
Presentation
Business
Data Access
The Data Access Layer contains the GetData and ExecuteQuery etc function.
What I want to know is that, that want to call the View directly from the Presentation Layer. Is there any chance of SQL injection in calling a view from front-end without using stored procedure?
Presentation Layer (C#)
protected void btnView_Click(object sender, EventArgs e)
{
DL obj = new DL();
DataTable tb = new DataTable();
string query = "select * from ViewTeacher where FID = " + txtName.Text;
tb = obj.GetData(query);
}
DBAccess
public DataTable GetData(string query)
{
DataTable datatable = new DataTable();
SqlCommand cmd = new SqlCommand();
cmd.Connection = con;
cmd.CommandText = query;
try
{
if (cmd.Connection.State != ConnectionState.Open)
{
cmd.Connection.Open();
}
using (SqlDataAdapter da = new SqlDataAdapter(cmd))
{
da.Fill(datatable);
}
}
catch (Exception ex)
{
throw new ArgumentException(ex.Message);
}
return datatable;
}
How are you "calling a view"? If you're running an ad-hoc query of:
SELECT <columns> FROM View WHERE ColumnX = 'Y'
and if that query is being constructed using (potentially) hostile input then yes, of course that can be subject to SQL injection - the whole point of injection is that the attacker can change the nature of the query:
SELECT <columns> FROM View WHERE ColumnX = 'Z'
UNION ALL
SELECT name,0,0,0,0 FROM INFORMATION_SCHEMA.TABLES --'
The attacker isn't limited to just the objects that are present in the original query.
The untrustworthy input in the two above queries was:
Y
and
Z'
UNION ALL
SELECT name,0,0,0,0 FROM INFORMATION_SCHEMA.TABLES --
As you are writing the query as follows that takes value from a textbox, 100% there is posibility for sql injection.
string query = "select * from ViewTeacher where FID = " + txtName.Text;
There should be no chance of SQL Injection while calling a view from front end, as views don't take parameters.
reference :
can we pass parameter to a view in sql?
Hello everyone i am creating a settings page for another application using mvc4. In the settings page:
1.It contains two text areas wherein the user can type anything.
2.After typing if the user clicks submit button, the text he has written is saved in a sql database.
3.The main application will read that data from the database and display it.
Here are my respective codes:
Model:
public string PartnerInfo1 { get; set; }
public string PartnerInfo2 { get; set; }
Controller:
[HttpPost]
public ActionResult Index(AddDetailModel model)
{
pinfo1 = model.PartnerInfo1;
pinfo2 = model.PartnerInfo2;
SqlConnection con = new SqlConnection(ConfigurationManager.ConnectionStrings["Sample"].ConnectionString);
con.Open();
SqlCommand cmd = new SqlCommand("update dbo.Partner_Design set PartnerInfo1='" + pinfo1 + "',PartnerInfo2='" + pinfo2 + "' where [PartnerID]='cs'", con);
cmd.ExecuteNonQuery();
return RedirectToAction("Index");
}
and in the view:
#Html.TextAreaFor(m => m.PartnerInfo1)
#Html.TextAreaFor(m => m.PartnerInfo2)
in the database, the corresponding table contains two columns PartnerInfo1,PartnerInfo2 and their datatype is nvarchar(max).
My problem is when i type apostrophe in text area it gives me error.For example if i type "world's" it gives error on clicking submit button.
This is the error:
Incorrect syntax near 's'.
Unclosed quotation mark after the character string ''.
Please suggest what i can do to avoid this.Any help would be appreciated.
Never do that - it's unsafe and allow to make sql injection:
SqlCommand cmd = new SqlCommand("update dbo.Partner_Design set PartnerInfo1='" + pinfo1 + "',PartnerInfo2='" + pinfo2 + "' where [PartnerID]='cs'", con);
Instead of that use the following parameters syntax:
SqlCommand cmd = new SqlCommand("update dbo.Partner_Design set PartnerInfo1=#pinfo1, PartnerInfo2=#pinfo2 where [PartnerID]='cs'", con);
cmd.Parameters.AddWithValue("#pinfo1", pinfo1);
cmd.Parameters.AddWithValue("#pinfo2", pinfo2);
Your method expose your query to sql injection attacks. You are much better using a parameterised query which will sort out your ' issue as well.
string connString = ConfigurationManager.ConnectionStrings["Sample"].ConnectionString;
using (SqlConnection con = new SqlConnection(connString))
{
SqlCommand cmd = new SqlCommand("Update dbo.Partner_Design " +
"Set PartnerInfo1=#pinfo1, " +
"PartnerInfo2=#pinfo2 " +
"Where [PartnerID]=#partnerId", con);
cmd.Parameters.AddWithValue("#pinfo1", model.PartnerInfo1);
cmd.Parameters.AddWithValue("#pinfo2", model.PartnerInfo2);
cmd.Parameters.AddWithValue("#partnerId", "cs");
con.Open();
cmd.ExecuteNonQuery();
}
You can escape the single quote by prefixing it with another single quote, which would require doing a replace on your string before you add it to the query i.e.:
pinfo1 = pinfo1.Replace("'", "''");
pinfo2 = pinfo2.Replace("'", "''");
SqlCommand cmd = new SqlCommand("update dbo.Partner_Design set PartnerInfo1='" + pinfo1 + "',PartnerInfo2='" + pinfo2 + "' where [PartnerID]='cs'", con);
I would however strongly advise against this and take the advice of the other responses that instead use parameterised SQL which is much more secure. Note also that this solution will only solve your single quotes problem, and will still cause issues with other special characters that need escaping individually. As such whilst this should answer your question, the solutions proposed by SÅ‚awomir Rosiek and Kaf are much more comprehensive, much safer, and are best practice.
The method you are using leaves you open to SQL injection attacks.
Below is the code for my Select * Function - It WORKS well and does everything great until i change the SQL string from Select * From Company to
query = "Select * From #1";
and then do the following
query = "Select * From #1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
DataTable Table = new DataTable();
DataSet dataSet = new DataSet();
Table = null;
//Add Parameters
Command.Parameters.AddWithValue("#1", SQLTables.Company);
try
{
Command.ExecuteNonQuery();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];
}
catch (Exception e)
{
MessageBox.Show("A Error occured whilst trying to execute the command.\n" + e.Message);
}
return Table;
The DBMS keeps sending back "Query incomplete" - I assume The Command variable is sending the string query through without changing the Parameter from #1 to Company
Here is a piece of code (mine) where this does work. This is an insert statement rather that a select - Correct me if i am wrong but should it not also work with the SELECT aswell
private void MainActionsInsert(string Action, bool Checked)
{
OleDbCommand Command = new OleDbCommand("INSERT INTO MainActions Values (ID, Action, BoolValue)", DataBaseConnection);
//Add Parameters
Command.Parameters.AddWithValue("ID", GenerateID());
Command.Parameters.AddWithValue("Action", Action);
Command.Parameters.AddWithValue("BoolValue",Checked);
//Add Command
MainActionsAdapter.InsertCommand = Command;
//Execute Agains DataBase
Command.ExecuteNonQuery();
//Accept Changes
}
`
OLEdb doesn't recognize named parameters. You must use ? in the query text.
However, you also can't use dynamic table names with parameterized queries, so even using a ? will not help.
You need to use full dynamic SQL, though that can open you up to SQL Injection. Make sure you read the full article I linked.
OleDbCommand Does accept Parameterized SQL just not in the From Clause - It Has to be either in a WHERE clause or something like that. Like you said it Worked with the insert function because it expects "parameters" there. For example this will work
query = "Select * From Company Where #param = 1";
OleDbCommand Command = new OleDbCommand(query, sqlConnStr);
DataTable Table = new DataTable();
DataSet dataSet = new DataSet();
Table = null;
//Add Parameters
Command.Parameters.AddWithValue("param", "ID");
try
{
Command.ExecuteNonQuery();
adapter.SelectCommand = Command;
adapter.Fill(dataSet);
Table = dataSet.Tables[0];
}
catch (Exception e)
{
MessageBox.Show("A Error occured whilst trying to execute the command.\n" + e.Message);
}
return Table;
Funny though that it doesn't work for the Select part though
I have a few tables in a c# application I'm currently working on and for 4/5 of the tables everything saves perfectly fine no issues. For the 5th table everything seems good until I reload the program again (without modifying the code or working with a seperate install so that the data doesn't go away) The 4/5 tables are fine but the 5th doesn't have any records in it after it has been restarted (but it did the last time it was running). Below is some code excerpts. I have tried a few different solutions online including creating a string to run the sql commands on the database manually and creating the row directly as opposed to the below implementation which uses a generic data row.
//From main window
private void newInvoice_Click(object sender, EventArgs e)
{
PosDatabaseDataSet.InvoicesRow newInvoice = posDatabaseDataSet1.Invoices.NewInvoicesRow();
Invoices iForm = new Invoices(newInvoice, posDatabaseDataSet1, true);
}
//Invoices Table save [Works] (from Invoices.cs)
private void saveInvoice_Click(object sender, EventArgs e)
{
iRecord.Date = Convert.ToDateTime(this.dateField.Text);
iRecord.InvoiceNo = Convert.ToInt32(this.invoiceNumField.Text);
iRecord.Subtotal = (float) Convert.ToDouble(this.subtotalField.Text);
iRecord.Tax1 = (float)Convert.ToDouble(this.hstField.Text);
iRecord.Total = (float)Convert.ToDouble(this.totalField.Text);
iRecord.BillTo = this.billToField.Text;
invoicesBindingSource.EndEdit();
if (newRecord)
{
dSet.Invoices.Rows.Add(iRecord);
invoicesTableAdapter.Adapter.Update(dSet.Invoices);
}
else
{
string connString = Properties.Settings.Default.PosDatabaseConnectionString;
string queryString = "UPDATE dbo.Invoices set ";
queryString += "Date='" + iRecord.Date+"'";
queryString += ", Subtotal=" + iRecord.Subtotal;
queryString += ", Tax1=" + iRecord.Tax1.ToString("N2");
queryString += ", Total=" + iRecord.Total;
queryString += " WHERE InvoiceNo=" + iRecord.InvoiceNo;
using (SqlConnection dbConn = new SqlConnection(connString))
{
SqlCommand command = new SqlCommand(queryString, dbConn);
dbConn.Open();
SqlDataReader r = command.ExecuteReader();
dbConn.Close();
}
}
dSet.Invoices.AcceptChanges();
}
//Invoice Items save [works until restart] (also from Invoices.cs)
private void addLine_Click(object sender, EventArgs e)
{
DataRow iRow = dSet.Tables["InvoiceItems"].NewRow();
iRow["Cost"] = (float)Convert.ToDouble(this.costField.Text);
iRow["Description"] = this.descriptionField.Text;
iRow["InvoiceNo"] = Convert.ToInt32(this.invoiceNumField.Text);
iRow["JobId"] = Convert.ToInt32(this.jobIdField.Text);
iRow["Qty"] = Convert.ToInt32(this.quantityField.Text);
iRow["SalesPerson"] = Convert.ToInt32(this.salesPersonField.Text);
iRow["SKU"] = Convert.ToInt32(this.skuField.Text);
dSet.Tables["InvoiceItems"].Rows.Add(iRow);
invoiceItemsTableAdapter.Adapter.Update(dSet,"InvoiceItems");
PosDatabaseDataSet.InvoiceItemsDataTable dTable = (PosDatabaseDataSet.InvoiceItemsDataTable)dSet.InvoiceItems.Copy();
DataRow[] d = dTable.Select("InvoiceNo=" + invNo.ToString());
invoiceItemsView.DataSource = d;
}
Thanks in advance for any insight.
UPDATE: October 17, 2011. I am still unable to get this working is there any more ideas out there?
you must execute your Sql Command in order to persis the changes you made.
using (SqlConnection dbConn = new SqlConnection(connString))
{
dbConn.Open();
SqlCommand command = new SqlCommand(queryString, dbConn);
command.ExecuteNonQuery();
dbConn.Close();
}
The ExecuteReader method is intended (as the name says) to read the data from a SQL table. You need to use a different method as you can see above.
We need some more info first, you haven't shown the case where your code fails.
Common mistakes on this kind of code is calling DataSet.AcceptChanges() before actually committing the changes to the database.
Second is a conflict between databound data through the binding source vs edits to the dataset directly.
Lets see the appropriate code and we can try and help.
Set a breakpoint after teh call to invoiceItemsTableAdapter and check the InvoiceItems table for the row you have added. Release the breakpoint and then close your app. Check the database again. I would say that another table may be forcibly overwriting the invoice item table.
I am trying to write three variables into a database table. The code I have is:
sqlCmd.CommandText = "INSERT INTO dbo.PortfolioValues(StudentNumber,TimeStamp,PortfolioValue) VALUES(StudentNumber.ToString() , Time.ToString() , Total.ToString())" + dbConnection;
sqlCmd.ExecuteNonQuery();
sqlTran.Commit();
dbconnection is the name of the connection. It does not do anything. It is in a try-catch but goes straight to catch.
Thanks in advance.
You should
avoid concatenating together your SQL statement - avoid SQL injection attacks! Use parametrized queries instead!
use using blocks for your SqlConnection and SqlCommand objects
Try something like this:
string _connString = "........";
string queryStmt =
"INSERT INTO dbo.PortfolioValues(StudentNumber, TimeStamp, PortfolioValue) " +
"VALUES(#StudentNumber, #TimeStamp, #TotalValue)";
using(SqlConnection _con = new SqlConnection(_connString))
using(SqlCommad _cmd = new SQlCommand(queryStmt, _con))
{
// create paramters and set values
_cmd.Parameters.Add("#StudentNumber", SqlDbType.Int).Value = StudentNumber;
// do the same for the other two parameters
try
{
_con.Open();
_cmd.ExecuteNonQuery();
_con.Close();
}
catch(Exception exc)
{
// handle exception
}
}
StudentNumber.ToString() cannot be contained in a query! It's java code not sql...
//Am asuming you are using C# and the System.Data.SqlClient
//here is how you might do what you want
private static void CreateCommand(string queryString,
string connectionString)
{
using (SqlConnection connection = new SqlConnection(
connectionString))
{
SqlCommand command = new SqlCommand(queryString, connection);
command.Connection.Open();
command.ExecuteNonQuery();
}
}
//so that you use it this way:
String query = String.Formart("INSERT INTO dbo.PortfolioValues(StudentNumber,TimeStamp,PortfolioValue) VALUES(\"{0}\",\"{1}\",\"{2}\")",StudentNumber.ToString() , Time.ToString() , Total.ToString());
String connectionString = "your connection string";
CreateCommand(query,connectionString);