Better Way to do query with database C# [closed] - c#

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 8 years ago.
1st: Is there any better way to do this?
SqlCommand cmd = new SqlCommand("insert into sometable values ('" + textBox.Text + "','" + someLabel.Text + "')", connectionDb); // the same applies to update, delete and anything else that feeds input data into the database
This is not safe. Is there any better way to do this? This was taught in our C# class.
All suggestions are welcome!

Use a SqlParameter
SqlCommand cmd = new SqlCommand("SELECT * FROM sometable WHERE value = @value", conn);
cmd.Parameters.AddWithValue("@value", "value");

Cam Bruce is correct, use SqlParameter always. However, I would like to expound on that just a bit.
First of all, you asked if there is "a better way to do this", the answer is Yes - Use parameters. There is another answer however that was addressed in the original comments, there is a different way to do this using Entity Framework. I would say that it's only better in certain situations. If this is your only SQL query in the project, then good lord please do not use Entity Framework as the overhead would be unnecessary.
You can read up on Entity Framework on MSDN
You should also definitely read up on SQL Injection Attacks
Now on to your code. As Cam stated above, use SqlParameter. He did leave out a couple of good practices though on properly handling your command and connection.
It is a good practice to wrap both your SqlCommand and SqlConnection in using statements so that when you are finished with the objects, they will be disposed of.
string mySqlCommandText = "INSERT INTO some_table VALUES (@Value1, @Value2, @Value3)";
//Wrap your connection/command in using blocks
using (var conn = new SqlConnection(mySqlConnectionString))
using (var cmd = new SqlCommand(mySqlCommandText, conn))
{
//Add your values to the parameters
//This is how you avoid the SQL Injection attack: the values never become part of the SQL text
cmd.Parameters.AddWithValue("@Value1", myValue1);
cmd.Parameters.AddWithValue("@Value2", myValue2);
cmd.Parameters.AddWithValue("@Value3", myValue3);
conn.Open();
cmd.ExecuteNonQuery();
} //The cmd and conn objects are disposed of here as they are now out of scope.

Yes, this way is not safe because of the SQL injection vulnerability...
As Cam Bruce said, you can use command parameters to make it safe and secure...
SqlCommand cmd = new SqlCommand("SELECT * FROM sometable WHERE value = @value", conn);
cmd.Parameters.AddWithValue("@value", "value");
cmd.ExecuteNonQuery();
just that!
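As an added example (not code from any of the answers above), the concatenated command from the question next to its parameterized replacement, assuming a hypothetical table dbo.Customers(Name nvarchar(100), City nvarchar(50)) and a connection string supplied by the caller:

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // Microsoft.Data.SqlClient exposes the same types on newer .NET

public static class CustomerRepository
{
    // The SQL text is a constant; the values never become part of it.
    private const string InsertSql =
        "INSERT INTO dbo.Customers (Name, City) VALUES (@Name, @City)";

    // UNSAFE (the pattern from the question, kept only for contrast): the input
    // is spliced into the statement, so a name such as O'Brien terminates the
    // literal early and any input can rewrite the statement.
    public static string BuildUnsafeSql(string name, string city) =>
        "INSERT INTO dbo.Customers (Name, City) VALUES ('" + name + "', '" + city + "')";

    // SAFE: values travel as typed parameters; the server receives them as data.
    public static int InsertCustomer(string connectionString, string name, string city)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(InsertSql, conn))
        {
            // Explicit type and length (instead of AddWithValue) give the server a
            // stable parameter signature, which keeps the cached plan reusable.
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@City", SqlDbType.NVarChar, 50).Value = city;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 1 when the insert succeeds
        }
    }

    public static void Main()
    {
        // Shows how an ordinary apostrophe already breaks the concatenated form.
        Console.WriteLine(BuildUnsafeSql("O'Brien", "Cork"));
        // InsertCustomer(connectionString, "O'Brien", "Cork") stores the name verbatim,
        // because the parameter value is never interpreted as SQL.
    }
}
```

Parameters.Add with an explicit SqlDbType and size is preferred over AddWithValue because AddWithValue infers the type and length from each value, which fragments the plan cache when the length varies.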

Related

I Want to Load Store Procedure Without Using EF [closed]

Closed. This question needs debugging details. It is not currently accepting answers.
Closed 5 years ago.
Loading the stored procedure without using EF: I faced this problem. I want to load the SP list type.
Please see the sample below. It also shows how to read the records returned by the stored procedure execution in your C# code.
It is also good practice to initialise the SqlConnection and SqlCommand objects in a using block.
using (var conn = new SqlConnection(cnnString))
using (var cmd = conn.CreateCommand())
{
conn.Open();
cmd.CommandText = "SearchCustomer";
cmd.CommandType = System.Data.CommandType.StoredProcedure;
// Use the line below if you want to pass any parameter values to the SP.
// cmd.Parameters.AddWithValue("@id", CustomerId);
using (var reader = cmd.ExecuteReader())
{
while (reader.Read())
{
// Read a column by column name. The sample below reads a string column.
Console.WriteLine(reader.GetString(reader.GetOrdinal("columnName")));
// Read a column by column index. The sample below reads an int column.
Console.WriteLine(reader.GetInt32(1));
}
}
}

SQL Server Check If Stored Procedure Contains WITH(NOLOCK) [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 6 years ago.
I want to write a C# application to check the selected stored procedure for some criteria. For example, if the stored procedure contains 5 select queries, the same procedure must contain 5 with(nolock) hints (except for selects on temp tables).
How can I do this via C#? Thanks in advance.
You can use sys.objects to query SQL Server's metadata in order to analyze an SP's definition as text. In your case you can create queries such as the ones listed below and check their results from the C# app:
SELECT object_definition(object_id) as [sp definition]
, schema_name(schema_id) [schema]
, name
, type_desc
FROM sys.objects
where object_definition(object_id) like '%select%select%select%'
and type_desc = 'SQL_STORED_PROCEDURE'
OR
SELECT object_definition(object_id) as [sp definition]
, schema_name(schema_id) [schema]
, name
, type_desc
FROM sys.objects
where object_definition(object_id) like '%NOLOCK%'
and type_desc = 'SQL_STORED_PROCEDURE'
Not sure what the question is.
You obviously need to parse the SQL (because NOLOCK can also be in a comment).
And to get the source of a stored procedure - well, use something like
using (SqlConnection sqlConnection = new SqlConnection())
{
sqlConnection.ConnectionString = yourConnectionStringHere;
sqlConnection.Open();
SqlCommand sqlCommand = new SqlCommand("sys.sp_helptext", sqlConnection);
sqlCommand.CommandType = CommandType.StoredProcedure;
sqlCommand.Parameters.AddWithValue("@objname", "stored_proc_name_here");
DataSet ds = new DataSet();
SqlDataAdapter sqlDataAdapter = new SqlDataAdapter();
sqlDataAdapter.SelectCommand = sqlCommand;
sqlDataAdapter.Fill(ds);
return DataTableToString(ds.Tables[0]);
}
although I would never touch the SQL Server because I keep the source outside in version control, so a Visual Studio plug-in would be the better solution.
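The second answer's point, that NOLOCK inside a comment or a string literal must not be counted, is the part that needs actual text handling. The following is an added example (not code from either answer) that takes a procedure definition already fetched as text, for instance by the object_definition query above, strips comments and string literals, and counts SELECT statements against WITH (NOLOCK) hints. The sample procedure body is constructed for the demonstration; a regex pass like this is a reasonable audit, not a full T-SQL parser.

```csharp
using System;
using System.Text.RegularExpressions;

public static class NoLockAudit
{
    // Remove block comments, line comments and string literals so that a
    // "NOLOCK" mentioned in a comment or inside a string is not counted.
    public static string StripCommentsAndStrings(string sql)
    {
        sql = Regex.Replace(sql, @"/\*.*?\*/", " ", RegexOptions.Singleline); // /* ... */
        sql = Regex.Replace(sql, @"--[^\r\n]*", " ");                          // -- to end of line
        sql = Regex.Replace(sql, @"'(?:[^']|'')*'", "''");                     // 'literal' incl. '' escapes
        return sql;
    }

    // Counts SELECT keywords and WITH (NOLOCK) hints in the cleaned body.
    // A mismatch between the two numbers flags the procedure for review.
    public static (int Selects, int NoLocks) Count(string definition)
    {
        string code = StripCommentsAndStrings(definition);
        int selects = Regex.Matches(code, @"\bSELECT\b", RegexOptions.IgnoreCase).Count;
        int noLocks = Regex.Matches(code, @"\bWITH\s*\(\s*NOLOCK\s*\)", RegexOptions.IgnoreCase).Count;
        return (selects, noLocks);
    }

    public static void Main()
    {
        // Constructed sample: two SELECTs and one real hint. The NOLOCK in the
        // comment and the one inside the string literal must not be counted.
        const string body = @"
CREATE PROCEDURE dbo.Demo AS
BEGIN
    -- TODO: add WITH (NOLOCK) to the second query
    SELECT Id FROM dbo.Orders WITH (NOLOCK) WHERE Status = 'WITH (NOLOCK)';
    SELECT Id FROM dbo.Customers;
END";
        var (selects, noLocks) = Count(body);
        Console.WriteLine($"SELECT statements: {selects}, WITH (NOLOCK) hints: {noLocks}");
    }
}
```

For an exact answer that also knows which SELECT reads a temp table, parse the definition with TSqlParser from the Microsoft.SqlServer.TransactSql.ScriptDom package and walk the resulting syntax tree instead of matching on text.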

Jira Integration in C# [closed]

Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
I am very new to this. So pardon me if I make any mistakes.
I am trying to read the Jira database. I just need to read it.
No write operations will be involved.
I am using C#. From what little I know, I think a connection has to be established with the Jira database using
SqlConnection conn = new SqlConnection(connectionstring);
And then I can read data using SqlReader. I have tried searching through the database and found a few links like http://www.codeproject.com/Tips/762516/Connecting-to-Jira-using-Csharp
But I am not able to understand. Can anyone help me out or direct me to a few resources?
In the links that I searched through there are terms like "Rest API" etc. Do I need to know them?
If you have access to the database, and want to read data that way, that's entirely possible using standard .NET objects, but you'll probably need to be decent at SQL to get the data out that you want.
Here's how you can (try to) access the database:
SqlConnection conn = new SqlConnection("YOUR_CONNECTION_STRING_HERE");
SqlCommand cmd = new SqlCommand("select * from whatever_jira_table", conn);
conn.Open(); // the connection must be open before ExecuteReader is called
SqlDataReader rdr = cmd.ExecuteReader();
//look up how to read from a reader
rdr.Close();
conn.Close();
conn.Dispose();
Another option is to use a Jira API which it looks like you can get from NuGet through Visual Studio. If you go this route, you need access to the Jira REST API, and it will expose a more friendly (different?) way to access data.
Either way, just go into Visual Studio, make a console app, and start adding code and stepping through with the debugger until things start making sense.

How to call code from SQL in C# [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
I have two classes in which the teachers have merged their final projects into one; one class is software engineering and the other one is databases. The thing is that for SE I have to develop a desktop/smartphone app and for DB I have to develop every DB-related thing for that app.
But I have to keep both things separated, I mean I have to keep C# code away from SQL code, so I can't do queries or any stuff using selection strings and such; I just have to call stored procedures with said queries from code.
Any idea how I could do that? To summarize, I just want to call any code or procedure that I write in SQL and store its values in a variable, object or array.
As I said, I cannot use:
string selectstr = "SELECT * FROM students;";
and execute that query; I have to write that in SQL and call it from C# and store the values returned.
Stored procedures are called like any other SQL command in C#:
using (SqlCommand cmd = new SqlCommand("MyStoredProcedure", connection))
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@myParameter1", value);
...
using (SqlDataReader reader = cmd.ExecuteReader())
{
...
}
}
The "magic" bit is to set the command type correctly ;-)
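Both this question and the "Load Store Procedure Without Using EF" one above end at the reader loop; what the askers want is the rows back as a typed list they can keep in a variable. The following is an added example (not code from either answer) that assumes a hypothetical procedure dbo.SearchCustomer(@NamePart nvarchar(50)) returning columns Id (int) and Name (nvarchar, nullable):

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public sealed class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public static class CustomerSearch
{
    // Executes the stored procedure and materialises every returned row as a Customer.
    public static List<Customer> Search(string connectionString, string namePart)
    {
        var result = new List<Customer>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.SearchCustomer", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // The parameter name must match the name declared in the procedure.
            cmd.Parameters.Add("@NamePart", SqlDbType.NVarChar, 50).Value = namePart;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Resolve ordinals once, outside the loop, instead of per row.
                int idOrdinal = reader.GetOrdinal("Id");
                int nameOrdinal = reader.GetOrdinal("Name");
                while (reader.Read())
                {
                    result.Add(new Customer
                    {
                        Id = reader.GetInt32(idOrdinal),
                        // GetString throws on a NULL column, so check for DBNull first.
                        Name = reader.IsDBNull(nameOrdinal) ? null : reader.GetString(nameOrdinal)
                    });
                }
            }
        }
        return result;
    }

    public static void Main()
    {
        foreach (Customer c in Search("<Your connection string here>", "Smi"))
            Console.WriteLine($"{c.Id}: {c.Name}");
    }
}
```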

C# MySQL DataRow with multiple values [closed]

Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 9 years ago.
Is there a way to do a C# DataRow like the code below in a SELECT * query?
//Have results like below
string username = (string)row["username"];
I've tried, but all I seem to see is reader or something, which I know nothing about and don't understand. Can you lead me to some code that will help or give me an example?
DataReader is actually exactly what you need. The 'DataRow' class by itself won't help you; that gets used as part of a more complex solution, the 'DataSet' class (which uses 'DataTable' and that in turn uses 'DataColumn' and 'DataRow'). I don't see many people using 'DataSet'; if you want something complex with drag-and-drop design, you should look at using Entity Framework.
Here is a standard way to read values from SQL in .NET via DataReader (which, no matter what anyone says, is the fastest way to simply read data from a SQL database in .NET):
using (var connection = new SqlConnection("<Your connection string here>"))
using (var command = new SqlCommand("SELECT username, email FROM users;", connection))
{
connection.Open();
using (var reader = command.ExecuteReader()) // Using the DataReader (specifically, the SqlDataReader)
{
if (reader.HasRows)
{
while (reader.Read())
{
Console.WriteLine("User {0} has email {1}", reader["username"], reader["email"]);
}
}
else
{
Console.WriteLine("No rows found.");
}
} // the reader is closed here when its using block ends
}
MSDN documentation for DataReader
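If the row["username"] syntax from the question is really what is wanted, the reader can be loaded into a DataTable, after which each row is a DataRow. This is an added example (not code from the answer) using the same users table and connection-string placeholder as above; the trade-off is that DataTable.Load pulls every row into memory, while the reader loop above streams them.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserTable
{
    // Runs the query and materialises the result so callers can index rows by column name.
    public static DataTable LoadUsers(string connectionString)
    {
        var table = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("SELECT username, email FROM users;", conn))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Copies every row, with the column names, into the DataTable.
                table.Load(reader);
            }
        }
        return table;
    }

    public static void Main()
    {
        DataTable users = LoadUsers("<Your connection string here>");
        foreach (DataRow row in users.Rows)
        {
            // The DataRow syntax from the question. A NULL column arrives as
            // DBNull.Value, which the string cast would reject, so check it first.
            string username = (string)row["username"];
            string email = row.IsNull("email") ? "(none)" : (string)row["email"];
            Console.WriteLine("User {0} has email {1}", username, email);
        }
    }
}
```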
