Re: Update SQL Problem - Easy and driving me nuts




After you get it to work that way try changing your URL to

ID=';DROP+TABLE+dbo.Properties

and see what happens.

In other words, you should be passing your parameters to SQL server as
parameter objects and not building dynamic SQL from the querystring.


"Ryan Smith" <RyanSmith@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AD6983A2-E84E-45DC-AC9D-F51CEE33F427@xxxxxxxxxxxxxxxx
I need to update a SQL 2005 database on a Button click. Below is the
necessary info. When the button is clicked the UpdateData sub is called.
The code executes with no errors but the data is not updated. If I print
the querystring and execute on the server the data updates but not through
this sub. Any ideas?

SQL Statement:
UPDATE dbo.Properties SET PNAME='test',ADDRESS='213 test',CITY='city test',STATE='FL' WHERE ID LIKE 'b5ac4d0b-08e8-4026-a070-71a17c978417'

Code Block:
Imports System.Data.SqlClient

Private Sub UpdateData()
    ' Make a connString via Configuration Manager
    Dim connString As String = "Data Source=tcp:*******;Initial Catalog=***********;User ID=*********;Password=********;"

    ' Make a SQL Connection and use the conn string variable as parameter
    Dim connDatabase As SqlConnection = New SqlConnection(connString)

    ' Make a query string. This could be either a select command or a stored proc
    ' PrepText is the poster's own helper (not shown in the post)
    Dim Update As String = "PNAME='" & PrepText(PNAME.Text) & "',"
    Update = Update & "ADDRESS='" & PrepText(ADDRESS.Text.ToString) & "',"
    Update = Update & "CITY='" & PrepText(CITY.Text.ToString) & "',"
    Update = Update & "STATE='" & PrepText(STATE.Text.ToString) & "'"

    Dim queryString As String = "UPDATE dbo.Properties SET " & Update & " WHERE ID LIKE '" & Request.QueryString("ID").ToString & "'"

    Response.Write(queryString)
    ' Make a SQL Command and use the query string to init it
    Dim comSQL As SqlCommand = New SqlCommand(queryString, connDatabase)

    ' Add parameters

    ' Open Execute and close (Also we should use a try catch on this whole friggin block)
    connDatabase.Open()
    comSQL.ExecuteScalar()
    connDatabase.Close()
End Sub
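The reply's advice applied to the posted sub, as an added example (not code from either poster): the same UPDATE with every value sent as a SqlParameter, so a querystring such as ID=';DROP+TABLE+dbo.Properties arrives as a plain string rather than as SQL text. It assumes the ID column is a uniqueidentifier (the value in the post is a GUID), assumes the column lengths shown, uses a placeholder connection-string name "PropertiesDb", and needs .NET 4 or later for Guid.TryParse.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

' Added example, not the poster's code. Assumptions: ID is a uniqueidentifier
' column, the NVarChar sizes below match the table, and a connection string
' named "PropertiesDb" exists in web.config.
Private Sub UpdateData()
    ' Reject any ID that is not a well-formed GUID before it reaches SQL Server.
    Dim id As Guid
    If Not Guid.TryParse(Request.QueryString("ID"), id) Then
        Response.StatusCode = 400
        Return
    End If

    ' Read the connection string from configuration instead of the code-behind.
    Dim connString As String = ConfigurationManager.ConnectionStrings("PropertiesDb").ConnectionString

    ' Only placeholders appear in the SQL text; the values travel separately as
    ' typed parameters, so quotes or semicolons in them cannot change the statement.
    Const sql As String = "UPDATE dbo.Properties SET PNAME = @pname, ADDRESS = @address, " & _
                          "CITY = @city, STATE = @state WHERE ID = @id"

    Using conn As New SqlConnection(connString)
        Using cmd As New SqlCommand(sql, conn)
            cmd.Parameters.Add("@pname", SqlDbType.NVarChar, 100).Value = PNAME.Text
            cmd.Parameters.Add("@address", SqlDbType.NVarChar, 200).Value = ADDRESS.Text
            cmd.Parameters.Add("@city", SqlDbType.NVarChar, 100).Value = CITY.Text
            cmd.Parameters.Add("@state", SqlDbType.NChar, 2).Value = STATE.Text
            cmd.Parameters.Add("@id", SqlDbType.UniqueIdentifier).Value = id

            conn.Open()
            ' ExecuteNonQuery returns the number of affected rows; zero means no row
            ' matched the ID, which the original ExecuteScalar call silently ignored.
            Dim rows As Integer = cmd.ExecuteNonQuery()
            If rows = 0 Then
                Response.Write("No property with that ID was updated.")
            End If
        End Using
    End Using
End Sub
```

The Using blocks close the connection even when ExecuteNonQuery throws, which covers the "try catch on this whole block" the original comment asks for.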

