hi
I have the followin code but it isnot working giving the following error message
String or binary data would be truncated.
The statement has been terminated.
string sqlStrInsert = "insert into tbl_izinTalep (b_date, e_date, info, cc, comment) values('" + dateTimePicker1.Value.ToString() + "' , '" + dateTimePicker2.Value.ToString() + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + textBox4.Text + "')";
SqlCommand command = new SqlCommand(sqlStrInsert, conn);
command.ExecuteNonQuery();
thanks
if this forum is out of my topic, please write the related forum's name
You really, really, really should not do that becasue this leaves a security hole for SQL injection, imagine you user input (which should be treaten as suspious), enter in the textbox2 the following text:'',NULL'); DROP DATABASE model; --
THis would cause the model database to be dropped, I am sure you don′t want to do this. :-) Always use parametrized queries for the access, that can′t be comnposed as easy as in the sample code of yours.
HTH, Jens Suessmeyer.
http://www.sqlserver2005.de|||
but I dont understand the security hole reason, how I overcome it please explain with a sample
thank you
|||hi,
Jens already provide the example..
you "load" a dynamic SQL statement into tbl_izinTalep table that must be evenutally executed...
if your loaded statement has been "tampered" with malicious code, like Jens said, you will be very sad
your code is
string sqlStrInsert = "insert into tbl_izinTalep (b_date, e_date, info, cc, comment) values('" + dateTimePicker1.Value.ToString() + "' , '" + dateTimePicker2.Value.ToString() + "','" + textBox2.Text + "', '" + textBox3.Text + "', '" + textBox4.Text + "')";
but if someone adds "; DROP DATABASE model" to your statement, it will be executed as well..
have a look at http://www.sommarskog.se/dynamic_sql.html for futher info about dynamic SQL..
regards
No comments:
Post a Comment