|
|
 |
| C# 2005 For discussion of Visual C# 2005. |
Welcome to the p2p.wrox.com Forums.
You are currently viewing the C# 2005 section of the Wrox p2p Programmer to Programmer discussion community. This is a community of more than 40,000 computer programmers including Wrox book authors and readers. As a guest, you can read any forum posting. By joining our free Wrox p2p community you can post your own programming questions and respond to other programmers’ questions. Registered users also don't have to see the ads that are displayed to guests. Registration is fast, simple and absolutely free so please, join today!
Join today and post to win prizes! Post more to increase your chances of being Wrox’s top poster of the month.
|
 |
October 18th, 2009, 03:39 PM
|
|
Authorized User
|
|
Join Date: Jul 2009
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post
|
|
SQL-Injection and multiple parameters when iterating a ListBox for example
Hello everybody,
I deceided to use SQL-Injection as I heard of the security issues that arise.
My problem is that I want to select multiple items of an ListBox and use those as paramaters in a SQL INSERT statement. The thing is, that you can use a paramameter-name only one time in a select statement. I tricked the thing creating a 'new' command object everytime I retrieve another item of the ListBox.
This is not the finest method, I guess. Does anybody know how to solve this issue?
My code looks like this:
...
currentMessageId = ....
int id = 0;
for ( i = 0; i< listBoxUsers.SelectedItems.Count; i+)
{
sqlStr = "";
row = ((DataRowView)this.listBoxUsers.SelectedItems[i]).Row;
id = Convert.ToInt16(row[listBoxUsers.ValueMember]);
sqlStr = "INSERT INTO user_messages (M_Id, User_Id) VALUES (@messageId, @userId)";
command = new SqlCommand (sqlStr, sqlConnectionString);
command.Parameters.AddWithValue("messageId", currentMessageId);
command.Parameters.AddWithValue("userId", id);
command.CommandText = sqlStr;
command.ExecuteNonQuery();
}
is there a way to do an successful insert to the n:m related table without creating a new instance of the command class every time?
Best regards
|
October 19th, 2009, 05:43 AM
|
 |
Friend of Wrox
|
|
Join Date: Aug 2007
Location: Newcastle, , United Kingdom.
Posts: 1,359
Thanks: 0
Thanked 31 Times in 31 Posts
|
|
Firstly, you are not 'using SQL Injection' but avoiding it...
If you create the SqlCommand outside of your loop, and then use SqlCommand.Parameter.Add to create a new SqlParameter object, then simply set its Value and execute the command inside the loop.
__________________
/- Sam Judson : Wrox Technical Editor -/
|
October 19th, 2009, 06:23 AM
|
|
Authorized User
|
|
Join Date: Jul 2009
Posts: 13
Thanks: 0
Thanked 1 Time in 1 Post
|
|
Ok,
It worked.
I placed the command object outside the loop and used the clear method of the command.parameters object to clear the variable-name.
Thank you.
Last edited by 4thhorseman : October 19th, 2009 at 06:29 AM.
|
October 19th, 2009, 06:25 AM
|
|
Friend of Wrox
|
|
Join Date: Jun 2003
Location: Tehran, Iran
Posts: 922
Thanks: 0
Thanked 1 Time in 1 Post
|
|
or u can use Dataset & DataAdapter
u'll add ur items in dataSet\DataTable\DataRow(s) & call Update() method of it
DataAdapter will all make its inserts & ....
__________________
Always[:)],
Hovik Melkomian.
|
October 19th, 2009, 06:35 AM
|
|
Friend of Wrox
|
|
Join Date: Aug 2007
Location: Newcastle, , United Kingdom.
Posts: 1,359
Thanks: 0
Thanked 31 Times in 31 Posts
|
|
I actually meant this:
Code:
currentMessageId = ....
string sqlStr = "INSERT INTO user_messages (M_Id, User_Id) VALUES (@messageId, @userId)";
SqlCommand command = new SqlCommand (sqlStr, sqlConnectionString);
command.Parameters.AddWithValue("messageId", currentMessageId);
SqlParameter userParam = command.Parameters.Add("userId", SqlType.Int);
for (int i = 0; i< listBoxUsers.SelectedItems.Count; i+)
{
row = ((DataRowView)this.listBoxUsers.SelectedItems[i]).Row;
int id = Convert.ToInt16(row[listBoxUsers.ValueMember]);
userParam.Value = id;
command.ExecuteNonQuery();
}
__________________
/- Sam Judson : Wrox Technical Editor -/
|
| Thread Tools |
Search this Thread |
|
|
|
| Display Modes |
 Linear Mode
|
Posting Rules
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
HTML code is Off
|
|
|
|
|
