Re: Is this the most efficient/fastest code to use? (beginner sql question)





I've done some small amount of reading about injection attacks and have the general idea. Could you help out someone new and give me
a bit more detail about what the vulnerability here is and a bit more detail about how to address it? If you're speaking about the
fact that there are text boxes, yes, I'm aware of that problem and will incorporate validation into the application. In the
meantime, I'll attempt to read up as much as I can about SqlParameter and SqlCommand.

Thanks for whatever you have time to offer...

Jeff



"GhostInAK" <ghostinak@xxxxxxxxx> wrote in message news:be1391bf193aa8c8ab860f879830@xxxxxxxxxxxxxxxxxxxxx
Hello Jeff,

All together now, smile and say, "SQL INJECTION ATTACK!" *click*.

Become intimately familiar with SqlParameter and SqlCommand.

-Boo

...another beginner question.

I have a web application in .net v2 VB that requires multiple reads from sql tables where each read is slightly different - so the sql select statements also differ frequently. I've created a few functions in an .ascx file to handle these reads and send them back to the main code.

2 examples are below. Each works - the first returns a single integer value, the second returns the entire row that contains a mix of integers, boolean, and strings. Other similar functions I've written write data using slightly different versions for writing strings or integers.

Because I'm using these or similar functions frequently in the application, I'm wondering whether this is the best way to accomplish these tasks or whether there is a faster, more efficient method to do what I'm doing. Comments?

Thanks in advance
Jeff

Function GetIntAnswer(ByVal CurrQuestion As String) As Integer
    Dim TableP As System.Data.DataView
    ' The column name and the session ID are concatenated straight into the SQL text
    Dim sb As New StringBuilder("select ")
    sb.Append(CurrQuestion)
    sb.Append(" from Answers where ID = ")
    sb.Append(Session("ID"))
    SqlAnswers.SelectCommand = sb.ToString
    TableP = SqlAnswers.Select(DataSourceSelectArguments.Empty)
    ' First column of the first row
    Return TableP.Item(0)(0)
End Function

Function GetInfo() As System.Data.DataView
    ' A VB string literal cannot span lines, so the statement is kept on one line
    Dim sb As New StringBuilder("select * from Questions where QuestionNu = ")
    sb.Append(Session("QuestionPointer"))
    SqlQuestions.SelectCommand = sb.ToString
    Return SqlQuestions.Select(DataSourceSelectArguments.Empty)
End Function





--
Posted via a free Usenet account from http://www.teranews.com
