select Query with AND Condition - asp.net

I want to select user but i cant get it .
Here's my query
SqlCommand myCommand = new SqlCommand("Select * from Users where Email=" + UserEmailPass.Email + "And Password=" + UserEmailPass.Password, conn);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
Is my query correct or not>? please help

If Email and Password are string fields then you need to encapsulate the values used for comparison in single quotes, but the correct way is to use a parameterized query
SqlCommand myCommand = new SqlCommand("Select * from Users " +
"where Email=#mail And Password=#pwd" conn);
myCommand.Parameters.AddWithValue("#mail",UserEmailPass.Email);
myCommand.Parameters.AddWithValue("#pwd",UserEmailPass.Password);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
If you use a parameterized query you avoid the SQL Injection problem and you don't have to worry to encapsulate your string values with quotes, doubling them if your values contain themselves a quote, not to mention the appropriate decimal separator for numerics and the correct formatting of dates.
An often overlooked benefit of parameterized query is the now clear and perfectly understandable text of your query. As pointed out by Mr Tim Schmelter below, your query has a syntax error missing a space between AND and the previous value in the WHERE clause. This kind of errors are more difficult to do if you write a parameterized query.
Give me parameterized query or give me death

SqlCommand myCommand = new SqlCommand("Select * from Users where Email=#mail and Password#pass" , conn);
System.Data.SqlClient.SqlParameter par = new System.Data.SqlClient.SqlParameter("#mail", UserEmailPass.Email );
System.Data.SqlClient.SqlParameter par1 = new System.Data.SqlClient.SqlParameter("#pass", UserEmailPass.Password);
myCommand.Parameters.Add(par);
myCommand.Parameters.Add(par1);
SqlDataReader Detailsreader = myCommand.ExecuteReader();
DO NOT USE string concat!!!!

Related

Return Identity Value From Table After Inserting Row

I am trying to store the value of an identity value from table after inserting it into a row.
I want to store the value in currentID so I can store the value in another table which could be added more than once.
Any help or advice would be great!
Dim currentID As Integer
Dim cmd As New System.Data.SqlClient.SqlCommand
cmd.CommandType = System.Data.CommandType.Text
cmd.CommandText = "INSERT INTO table (Databasevalue) VALUES ('" + formvalue + "');"
cmd.Connection = sqlconninsertDB
sqlconninsertDB.Open()
cmd.ExecuteNonQuery()
**currentID = [get and store value]**
sqlconninsertDB.Close()
You can try adding this SELECT to your command:
cmd.CommandText = "INSERT INTO table (Databasevalue) VALUES ('" + formvalue + "'); SELECT SCOPE_IDENTITY()"
And execute query like this:
Dim currentID as Integer = cmd.ExecuteScalar()
Instead of .ExecuteNonQuery()
Side note: Try not to use string concatenations when constructing inline-commands. Rather look into parametrized queries.
With Sql Server you could pass two sql commands separating them with a semicolon.
The second command is a SELECT SCOPE_IDENTITY() and this returns the last ID inserted in this scope.
You could execute both commands and retrieve the result with ExecuteScalar
Please, take note to use a parameterized query instead of a string concatenation to avoid Sql Injection attacks and parsing problems.
Dim currentID As Integer
Dim cmd As New System.Data.SqlClient.SqlCommand
cmd.CommandType = System.Data.CommandType.Text
cmd.CommandText = "INSERT INTO table (Databasevalue) VALUES (#formval); " +
"SELECT SCOPE_IDENTITY()"
cmd.Connection = sqlconninsertDB
cmd.Parameters.AddWithValue("#formval", formValue)
sqlconninsertDB.Open()
currentid = cmd.ExecuteScalar()
sqlconninsertDB.Close()

What is wrong with the following query?

I have a table containing name, surname and email. I want to retrieve them from the table and so i write:
if (LoginAs.SelectedValue == "Administrator")
{
string result;
string query = "Select * from AdminTable where ID='"+ idBox.Text +"'";
cmd1 = new SqlCommand(query, con);
result = Convert.ToString(cmd1.ExecuteScalar());
Response.Redirect("Admin.aspx");
//Admin user = new Admin(idBox.Text, "Active", mail, firstName, LastName, passwordBox.Text);
}
The problem is, it only returns the name field of the specified row even though i wrote "Select *". What is wrong here?
ExecuteScalar returns just the first column of the first row, and ignores the rest.
So you should use ExecuteReader method. An example from MSDN:
using (SqlConnection connection = new SqlConnection(
connectionString))
{
connection.Open();
SqlCommand command = new SqlCommand(queryString, connection);
SqlDataReader reader = command.ExecuteReader();
while (reader.Read())
{
Console.WriteLine(String.Format("{0}", reader[0]));
}
}
Note that the while (reader.Read()) checks whether your query returned (more) results and positions the cursor on the next record, that you can then read. This example prints the first column's value.
The using statement makes sure the connection is closed after use, whatever happens.
Also, don't build your query directly with input from the user (such as the value of a TextBox), use parameters instead to prevent SQL injection attacks.
You must try ExecuteReader() instead of using ExecuteScalar()
ExecuteScaler is used in situation where we have to read a single value.eg:
select count(*) from tablename.
while
ExecuteReader is used for any result set with multiple rows/columns
(e.g., SELECT * from TableName)
Sample code:
string myQuery="Select * from AdminTable where ID=#myid";
SqlCommand cmd=new SqlCommand(myQuery,conn);
cmd.Parameters.AddWithValue("#myid", value);
conn.Open();
SqlDataReader dreader;
dreader = cmd.ExecuteReader(CommandBehavior.CloseConnection);
while (dreader.Read())
{
string Value1= dreader["COl1"].ToString();
string Value2= dreader["COl2"].ToString();
}
dreader.Close();
Always use parameterized Query
You may try cmd1.ExecuteReader() instead.

asp.net insert data into DB

con.Open();
cmd2 = new SqlCommand("insert into dailyWorkout('"+RadioButton1.Text+"', '"+RadioButton2.Text+"', '"+RadioButton3.Text+"', '"+RadioButton4.Text+"', '"+RadioButton5.Text+"', '"+Label1.Text+"')", con);
cmd2.ExecuteNonQuery();
Hey guys, been working on this website for a while, but I get an error when putting data into the database saying
Incorrect syntax near ')'.
With other stuff that I'm putting same way it works and this does not.
You should really really REALLY use parametrized queries to avoid SQL injection (and to boost performance; and avoid issues with type conversions etc.)
So I would recommend using code something like this:
// define your *parametrized* SQL statement
string insertStmt = "INSERT INTO dbo.YourTable(Col1, Col2, Col3) VALUES(#Val1, #Val2, #Val3);";
// put SqlConnection and SqlCommand into "using" blocks to ensure proper disposal
using(SqlConnection conn = new SqlConnection("-your-connection-string-here-"))
using(SqlCommand cmd = new SqlCommand(insertStmt, conn))
{
// set the parameters to the values you need
cmd.Parameters.AddWithValue("#Val1", "Some String here");
cmd.Parameters.AddWithValue("#Val2", 42);
cmd.Parameters.AddWithValue("#Val3", DateTime.Today.AddDays(-7));
// open connection, execute query, close connection right away
conn.Open();
int rowsAffected = cmd.ExecuteNonQuery();
conn.Close();
}
Points to remember:
ALWAYS use parametrized queries - do NOT concatenate together your SQL statements!
put the SqlConnection and SqlCommand into using(...) { ... } blocks to ensure proper disposal
always explicitly define the list of columns you want to use in a SELECT and also an INSERT statement
open connection as late as possible, execute query, close connection again right away
That will do the job but I strongly advice using Parameters.
con.Open();
cmd2 = new SqlCommand("insert into dailyWorkout values ('"+RadioButton1.Text+"', '"+RadioButton2.Text+"', '"+RadioButton3.Text+"', '"+RadioButton4.Text+"', '"+RadioButton5.Text+"', '"+Label1.Text+"')", con);
cmd2.ExecuteNonQuery();
Instead of the code above you'd better to use
cmd2 = new SqlCommand("insert into dailyWorkout values (#val1, #val2, #val3,#val4,#val5,#val6)", con);
cmd2.Parameters.AddWithValue("#val1",RadioButton1.Text);
cmd2.Parameters.AddWithValue("#val2",RadioButton2.Text);
cmd2.Parameters.AddWithValue("#val3",RadioButton3.Text);
cmd2.Parameters.AddWithValue("#val4",RadioButton4.Text);
cmd2.Parameters.AddWithValue("#val5",RadioButton5.Text);
cmd2.Parameters.AddWithValue("#val6",Label1.Text)
cmd2.ExecuteNonQuery();
Ok its already been mentioned, don't inject parameters like that.
But if you must, the problem is that your final sql string looks like:
insert into dailyWorkout('string1', 'string2', 'string3', 'string4', 'string5', 'string6')
when it should be
insert into dailyWorkout(columnName1,columnName2,columnName3,columnName4,columnName5,columnName6)
values('string1', 'string2', 'string3', 'string4', 'string5', 'string6')
But you should really consider:
var sqlCmd = new SqlCommand("insert into dailyWorkout(columnName1,columnName2,columnName3,columnName4,columnName5,columnName6) values(#v1, #v2, #v3, #v4, #v5, #v6)", default(SqlConnection));
sqlCmd.Parameters.Add("#v1", SqlDbType.NVarChar).Value = RadioButton1.Text;
sqlCmd.Parameters.Add("#v2", SqlDbType.NVarChar).Value = RadioButton2.Text;
sqlCmd.Parameters.Add("#v3", SqlDbType.NVarChar).Value = RadioButton3.Text;
sqlCmd.Parameters.Add("#v4", SqlDbType.NVarChar).Value = RadioButton4.Text;
sqlCmd.Parameters.Add("#v5", SqlDbType.NVarChar).Value = RadioButton5.Text;
sqlCmd.Parameters.Add("#v6", SqlDbType.NVarChar).Value = Label1.Text;
sqlCmd.ExecuteNonQuery();

Compare value of a string to Database value

I have to compare a value in a string array to that of a particular column in a database. How do i do this ?
public void setvisibility(string user_ID)
{
SqlDataReader reader = null;
SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings["ctd_prrity_dbConnectionSting"].ConnectionString);
connection.Open();\
SqlCommand cmd = new SqlCommand("Select * from Admins );
I need to compare the value of user_ID to the only column in the Admins table !
Here's how you can do it:
using( SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings["ctd_prrity_dbConnectionSting"].ConnectionString))
{
connection.Open();
SqlCommand cmd = new SqlCommand("Select 1 from Admins where User_ID=#userid",connection );
cmd.Parameters.AddWithValue("#userid",user_ID);
SqlDataReader reader= cmd.ExecuteReader();
if(reader.HasRows)
{
//user id found
}
}
This method uses a parametrized queries, which are safer than the option given in the answer by Tony since his is prone to SQL Injection attacks.
BTW: you mention "string array" in your question, yet your code only shows a single string as parameter. What did you mean by that?
sqlcommand("SELECT * FROM Admins WHERE column = " & user_ID );
That should work. What that does is it returns the value in the column if it is the same as the user_ID. Basically, if your query returns a value you have a match, if not then you don't.

Preventing SQL Injection in ASP.Net

I have this code
UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ')
How would I prevent SQL Injections on this?
UPDATE
Here's what i'm trying
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.AddWithValue("#ref", 34);
For some reason everything I try and add it doesn't seem to work I keep getting SQL Command mentioned below.
The error is this
'SqlCommand' is a type and cannot be used as an expression
I'm taking over someone else's work so this is all new to me and I would like do things the right way so if anyone can provide any more help on how to make my query above safe from SQL injections then please do.
UPDATE NO 2
I added in the code as VasilP said like this
Dim dbQuery As [String] = "SELECT * FROM table WHERE ref = '" & Tools.SQLSafeString(Ref) & "' AND bookno = '" & Tools.SQLSafeString(Session("number")) & "'"
But I get an error Tools is not declared do I need to specify a certain namespace for it to work?
UPDATE
Has anyone got any ideas on the best of getting my query safe from SQL injection without the errors that i'm experiencing?
UPDATE
I now have it so it work without the parameters bit here's my updated source code any idea why it won't add the parameter value?
Dim conn As SqlConnection = New SqlConnection("server='server1'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("Select * from openquery (db, 'Select * from table where investor = #investor ') ", conn)
query.Parameters.AddWithValue("#investor", 69836)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
It works like this
Dim conn As SqlConnection = New SqlConnection("server='server1'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("Select * from openquery (db, 'Select * from table where investor = 69836') ", conn)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
The error i'm getting is this
An error occurred while preparing a query for execution against OLE DB provider 'MSDASQL'.
And it's because it isn't replacing the #investor with the 69836
Any ideas?
SOLUTION
Here is how I solved my problem
Dim conn As SqlConnection = New SqlConnection("server='h'; user id='w'; password='w'; database='w'; pooling='false'")
conn.Open()
Dim query As New SqlCommand("DECLARE #investor varchar(10), #sql varchar(1000) Select #investor = 69836 select #sql = 'SELECT * FROM OPENQUERY(db,''SELECT * FROM table WHERE investor = ''''' + #investor + ''''''')' EXEC(#sql)", conn)
dgBookings.DataSource = query.ExecuteReader
dgBookings.DataBind()
Now I can write queries without the worry of SQL injection
Try using a parameterized query here is a link http://www.aspnet101.com/2007/03/parameterized-queries-in-asp-net/
Also, do not use OpenQuery... use the this to run the select
SELECT * FROM db...table WHERE ref = #ref AND bookno = #bookno
More articles describing some of your options:
http://support.microsoft.com/kb/314520
What is the T-SQL syntax to connect to another SQL Server?
Edited
Note: Your original question was asking about distributed queries and Linked servers. This new statement does not reference a distributed query. I can only assume you are directly connecting to the database now. Here is an example that should work.
Here is another reference site for using SqlCommand.Parameters
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.Add("#ref", SqlDbType.Int);
cmd.Parameters["#ref"] = 34;
Edited:
Ok Jamie taylor I will try to answer your question again.
You are using OpenQuery becuase you are probably using a linked DB
Basically the problem is the OpenQuery Method takes a string you cannot pass a variable as part of the string you sent to OpenQuery.
You can format your query like this instead. The notation follows servername.databasename.schemaname.tablename. If you are using a linked server via odbc then omit databasename and schemaname, as illustrated below
Dim conn As SqlConnection = New SqlConnection("your SQL Connection String")
Dim cmd As SqlCommand = conn.CreateCommand()
cmd.CommandText = "Select * db...table where investor = #investor"
Dim parameter As SqlParameter = cmd.CreateParameter()
parameter.DbType = SqlDbType.Int
parameter.ParameterName = "#investor"
parameter.Direction = ParameterDirection.Input
parameter.Value = 34
Use parameters instead of concatenating your SQL query.
Assuming your database engine being SQL Server, here's a piece of code which I hope will help.
Using connection As SqlConnection = new SqlConnection("connectionString")
connection.Open()
Using command As SqlCommand = connection.CreateCommand()
string sqlStatement = "select * from table where ref = #ref and bookno = #bookno";
command.CommandText = sqlStatement
command.CommandType = CommandType.Text
Dim refParam As SqlDataParameter = command.CreateParameter()
refParam.Direction = ParameterDirection.Input
refParam.Name = "#ref"
refParam.Value = Ref
Dim booknoParam As SqlDataParameter = command.CreateParameter()
booknoParam.Direction = ParameterDirection.Input
booknoParam.Name = "#bookno"
booknoParam.Value = Session("number")
Try
Dim reader As SqlDataReader = command.ExecuteQuery()
' Do your reading job here...'
Finally
command.Dispose()
connection.Dispose()
End Try
End Using
End Using
To sum it all up, avoid SQL statement concatenation at all cost, and use parameterized quesries!
Here is an interesting link that brings you through SQL injection problem resolution on MSDN:
How To: Protect From SQL Injection in ASP.NET
use sqlparameters like:
SqlCommand cmd = new SqlCommand("Select * from Table where id=#id", con);
cmd.Parameters.AddWithValue("#id", 34);
you can use parameterized queries.
http://www.functionx.com/aspnet/sqlserver/parameterized.htm
SqlCommand cmd = new SqlCommand("Select * from Table where ref=#ref", con);
cmd.Parameters.AddWithValue("#ref", 34);
it does not work because it is written in C#, not VB.
Try something like
Dim cmd As New SqlCommand("Select * from Table where ref=#ref", con)
cmd.Parameters.AddWithValue("ref", 34)
My preferred way is to let Visual Studio handle it all by creating a DAL:
http://www.asp.net/data-access/tutorials/creating-a-data-access-layer-cs
Use LINQ. It parametrizes queries automatically.
Check out ORM as an alternative (very good way to go if you are building something medium-sized or big). It takes a little time to configure it, but then development becomes VERY fast. You choose from the native, Linq to SQL or Entity Framework, OR, try any other ORM which works with .NET.

Resources