Re: sql Statement Date object

From: Brock Allen <ballen@xxxxxxxxxxxxxxxxx>
Date: Wed, 27 Jul 2005 12:10:09 -0700

You shouldn't be concatenating your sql strings -- your code will be vulnreable to a sql injection attack which is a very serious security hole. Instead use parameterized queries:

SqlCommand cmd;
cmd.CommandText = "update authors set au_fname = @fname where au_id = @ID";
cmd.Parameters.Add("@fname", "Brock");
cmd.Parameters.Add("@ID", "444-55-6666");

and so on....

For your datetime column, you might have better luck by passing a DateTime as the 2nd parameter to Add().

-Brock
DevelopMentor
http://staff.develop.com/ballen

Hi,

I have an ASP.net application with a connection to a sql database.  I
am writing a SQL statement to update some fields in a table but it
won't run because it gives me an error that says

Error near #

How do I fix this problem the Code is below

"UPDATE DefendantInformation SET [First Name] = '" & txtDefFName.Text
& "'" _
& ", [Last Name] = '" & txtDefLName.Text & "', [Address] =
'" &
txtDefAddress.Text & "'" _
& ", [City] = '" & txtDefCity.Text & "', [DOB] = #" &
txtDefDOB.Text & "#" _
& "WHERE ID = " & valueSelected
Regards Brian

Follow-Ups:
- Re: sql Statement Date object
  - From: bbdobuddy

References:
- sql Statement Date object
  - From: bbdobuddy

Prev by Date: RE: iterate through set of controls in code behind on postback
Next by Date: Re: Multiple Subdirectories with different login pages
Previous by thread: sql Statement Date object
Next by thread: Re: sql Statement Date object
Index(es):
- Date
- Thread

Relevant Pages

RE: how to reference bind variable value in code file
... public string month_itoa{ ... Add a datetime column to events called. ... Then modify your sql to: ... guess there may be a way to get that value within code file without ...
(microsoft.public.dotnet.framework.aspnet)
Re: Sql adapter not handling null value in updategram
... >I am using BizTalk 2004 against Sql Server 2000. ... The Request consists of an updategram that ... >try to set the datetime column to a null value. ... In BizTalk 2002, I would just omit the element that is to be null. ...
(microsoft.public.biztalk.general)
Re: sql Statement Date object
... > You shouldn't be concatenating your sql strings -- your code will be vulnreable ... > to a sql injection attack which is a very serious security hole. ... > use parameterized queries: ... > For your datetime column, you might have better luck by passing a DateTime ...
(microsoft.public.dotnet.framework.aspnet)
Sql adapter not handling null value in updategram
... I am using BizTalk 2004 against Sql Server 2000. ... The updategram works correctly if I do not attempt to set a null value for a ... try to set the datetime column to a null value. ... This sql exception only happens if I use the Sql adapter. ...
(microsoft.public.biztalk.general)
Re: sql Statement Date object
... he is saying you should use a parameterized query. ... >> For your datetime column, you might have better luck by passing a ... >>> I have an ASP.net application with a connection to a sql database. ...
(microsoft.public.dotnet.framework.aspnet)