Sunday, February 26, 2012

error message....

hi

I have the following code, but it is not working; it gives the following error message:

String or binary data would be truncated.
The statement has been terminated.

string sqlStrInsert = "insert into tbl_izinTalep (b_date, e_date, info, cc, comment) values('" + dateTimePicker1.Value.ToString() + "' , '" + dateTimePicker2.Value.ToString() + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + textBox4.Text + "')";

SqlCommand command = new SqlCommand(sqlStrInsert, conn);

command.ExecuteNonQuery();

thanks

if this forum is out of my topic, please write the related forum's name

You really, really, really should not do that because this leaves a security hole for SQL injection. Imagine your user (whose input should be treated as suspicious) enters the following text in textbox2:

'',NULL'); DROP DATABASE model; --

This would cause the model database to be dropped; I am sure you don't want to do this. :-) Always use parameterized queries for the access, which can't be composed as easily as in the sample code of yours.

HTH, Jens Suessmeyer.

http://www.sqlserver2005.de

|||

But I don't understand the reason for the security hole. How do I overcome it? Please explain with a sample.

thank you

|||

hi,

Jens already provided the example..

you "load" a dynamic SQL statement into tbl_izinTalep table that must be eventually executed...

if your loaded statement has been "tampered" with malicious code, like Jens said, you will be very sad

your code is

string sqlStrInsert = "insert into tbl_izinTalep (b_date, e_date, info, cc, comment) values('" + dateTimePicker1.Value.ToString() + "' , '" + dateTimePicker2.Value.ToString() + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + textBox4.Text + "')";

but if someone adds "; DROP DATABASE model" to your statement, it will be executed as well..

have a look at http://www.sommarskog.se/dynamic_sql.html for further info about dynamic SQL..

regards
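
A parameterized version of the insert discussed in this thread, as an added example that is not from any of the posters. The class name, the helper, and the column lengths are assumptions, since the table definition is not shown in the thread.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class IzinTalepWriter
{
    // Assumed column lengths; replace with the real sizes from tbl_izinTalep.
    const int InfoMax = 200, CcMax = 100, CommentMax = 500;

    // Usage: Insert(conn, dateTimePicker1.Value, dateTimePicker2.Value,
    //               textBox2.Text, textBox3.Text, textBox4.Text);
    public static int Insert(SqlConnection conn, DateTime begin, DateTime end,
                             string info, string cc, string comment)
    {
        // Reject over-long input up front instead of letting the server raise
        // "String or binary data would be truncated". An explicit check is
        // needed because a sized SqlParameter silently cuts longer values.
        RequireMaxLength(info, InfoMax, "info");
        RequireMaxLength(cc, CcMax, "cc");
        RequireMaxLength(comment, CommentMax, "comment");

        // The SQL text is a constant; user input never becomes part of it.
        const string sql =
            "insert into tbl_izinTalep (b_date, e_date, info, cc, comment) " +
            "values (@b_date, @e_date, @info, @cc, @comment)";

        using (var command = new SqlCommand(sql, conn))
        {
            // Dates travel as DateTime values, not locale-dependent strings.
            command.Parameters.Add("@b_date", SqlDbType.DateTime).Value = begin;
            command.Parameters.Add("@e_date", SqlDbType.DateTime).Value = end;
            command.Parameters.Add("@info", SqlDbType.NVarChar, InfoMax).Value = info;
            command.Parameters.Add("@cc", SqlDbType.NVarChar, CcMax).Value = cc;
            command.Parameters.Add("@comment", SqlDbType.NVarChar, CommentMax).Value = comment;
            return command.ExecuteNonQuery(); // number of rows inserted
        }
    }

    static void RequireMaxLength(string value, int max, string name)
    {
        if (value == null) throw new ArgumentNullException(name);
        if (value.Length > max)
            throw new ArgumentException(
                name + " is longer than " + max + " characters.", name);
    }
}
```

With this form, whatever is typed into the text boxes, including quotes and semicolons, is sent to the server as a parameter value and stored as data rather than executed as part of the statement.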
