Select Query Help
-
Hi all,
I need some help with a simple select query using MS SQL Server 2005. The problem I am having is due to the contents of the table, it can contain names which use punctuation marks such as:
S'Algar
Olhos D'Agua
Praia D'Oura
etc.etc
This is breaking my SQL Queries. I select the data usingDim command As New SqlCommand("Select * from Navigation where Keyword='" & Index & "'", connection)
and simply read the data returned by the query, into a dataset.
I'd be grateful for any help offeredKind Regards
-
Replace your code as follow:
Dim command As New SqlCommand("Select * from Navigation where Keyword='" & Index.Replace("'","''") & "'", connection)
It will work. -
Thanks,
I have also found that this isnt an issue when I get the data using a sotred proceedure. Do you have any idea why? -
The data is escaped when put into the stored procedure.
Basically, doing queries like this is a bad habit, SQL Injection attacks could allow me to (providing user access rights) change, delete and do pretty much what i want with the info. For example, I was showing a company that their website was vulnerable... with this command in the search textbox
"'); update products set price=price*0.5; --
i dropped all the products by 50%, placed an order and then using the same type of command, put the prices back -- no one could tell.
Get into the habit of always using parameterized queries, they are much, much safer...
http://www.uberasp.net/ArticlePrint.aspx?id=46
Amar.
DISCLAIMER: The actions mentioned above were carried out with permission from the company in question; i have never used such techniques for personal gain and do not condone such activity. The example above is to help new sql users to understand why we should write safe sql and get into good practices.
-
select * FROM authors where au_lname = 'O''Ringer'
Well that means you need to check you string before you can pass it to your query. The code above shows how yo query using the name O'Ringer.
Hope this can help
Post a reply
ASP.NET forum discussion
-
How to get Hotmail Contacts
by salihagenter (5 replies)
-
How to send fax using VB.net
by Jeffry Clyde (35 replies)
-
Difference between class and interface
by aladanh.go (47 replies)
-
How to Add Text in Footer of Gridview?
by arthurmarsh (5 replies)
-
Using FedEx Web Service to Calculcate Shipping Cost
by ravialen3782 (8 replies)
ASP.NET tutorials
- The Evolution of a Azure Web Application
- Protecting your ASP.NET Web API using OAuth2 and the Windows Azure Access Control Service
- Using HTML5 History in an ASP.NET MVC Site
- An Introduction to testing with the Model-View-Presenter pattern for Web Forms Development
- Improving Web Site Performance and Scalability while saving money
Quick links
Recent activity
- arif ahmad replied to How to receive data in web ...
- William Thompson replied to What is the name of the Win...
- Sameera Piyadigamage replied to Point of Sale Developers: H...
- Scott Carline replied to 4 x C# Developers for large...
- Rajendra Dhakal replied to Restore SQL Server text dat...
- cloud rainda replied to How to convert between TS f...
Enter your message below
Sign in or Join us (it's free).