Re: sql Statement Date object

No, he is saying you should use a parameterized query.

"bbdobuddy" <bbdobuddy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:325156EA-7631-43E3-B70C-1B59ED91CB5E@xxxxxxxxxxxxxxxx
> so what you're saying is that for every table column I need to update I
> should do them individually.
>
> "Brock Allen" wrote:
>
>> You shouldn't be concatenating your sql strings -- your code will be
>> vulnerable to a sql injection attack which is a very serious security hole.
>> Instead use parameterized queries:
>>
>> SqlCommand cmd = new SqlCommand();
>> cmd.CommandText = "update authors set au_fname = @fname where au_id = @ID";
>> cmd.Parameters.Add("@fname", "Brock");
>> cmd.Parameters.Add("@ID", "444-55-6666");
>>
>> and so on....
>>
>> For your datetime column, you might have better luck by passing a
>> DateTime as the 2nd parameter to Add().
>>
>> -Brock
>> DevelopMentor
>> http://staff.develop.com/ballen
>>
>>
>>
>> > Hi,
>> >
>> > I have an ASP.net application with a connection to a sql database. I
>> > am writing a SQL statement to update some fields in a table but it
>> > won't run because it gives me an error that says
>> >
>> > Error near #
>> >
>> > How do I fix this problem the Code is below
>> >
>> > "UPDATE DefendantInformation SET [First Name] = '" & txtDefFName.Text & "'" _
>> > & ", [Last Name] = '" & txtDefLName.Text & "', [Address] = '" & txtDefAddress.Text & "'" _
>> > & ", [City] = '" & txtDefCity.Text & "', [DOB] = #" & txtDefDOB.Text & "#" _
>> > & "WHERE ID = " & valueSelected
>> >
>> > Regards Brian
>> >
>>