rgfirefly24's Profile

Reputation: 372 Architect
Group:
Author w/DIC++
Active Posts:
1,856 (0.69 per day)
Joined:
07-April 08

Previous Fields

Country:
US
OS Preference:
Windows
Favorite Browser:
Chrome
Favorite Processor:
AMD
Favorite Gaming Platform:
XBox
Your Car:
Chevrolet
Dream Kudos:
150

Posts I've Made

  1. In Topic: DateTime ParseExact Function implementation

    Posted 31 Jul 2015

    Did you read the MSDN article on ParseExact? The format of the string representation must match the specified format exactly. I don't think ParseExact is what you want to use. I would use just Parse, TryParse, or maybe even Convert.ToDateTime(). Beyond that, look REAL close at your ParseExact call. What constitutes a string literal in C#? The use of double quotes. Are you using double quotes to denote a string for parameter 2? Also, you don't need to declare a public static for DateTime, since ParseExact is a static function of DateTime and can be called without an instance.

    I would highly suggest you do some more reading on things you are trying to use. Especially if you don't understand basic concepts. Also, you've been told in several of your threads about debugging. If you had debugged you would have found the issue within seconds.
  2. In Topic: DateTime ParseExact Function implementation

    Posted 31 Jul 2015

    You've had enough topics on here that you should know better. However, "this is not working" is not good enough. Tell us WHAT is not working. What output are you getting, what output are you expecting, what errors are you receiving? DateTime.ParseExact() is part of mscorlib.dll, which should be included in any project you create.

    Also, you have a big glaring error in your ParseExact() call. Take a look at this method signature from the MSDN article:

    public static DateTime ParseExact(
        string s,
        string format,
        IFormatProvider provider
    )

    Note the arguments you are passing in vs. the parameters it takes. Notice something wrong? For reference, here is the MSDN article: https://msdn.microso...(v=vs.100).aspx
  3. In Topic: Using parameters is MS SQL.

    Posted 31 Jul 2015

    Here is the wiki on SQL Injection: https://en.wikipedia.../SQL_injection.

    As far as the stored procedure goes, it would have to be created using dynamic SQL:

    DECLARE @SQL NVARCHAR(MAX);

    -- Identifiers (database, table) are bracketed with QUOTENAME; the value travels as a bound parameter.
    SET @SQL = N'SELECT ' + @Columns + ' FROM ' + QUOTENAME(@Database) + '.dbo.' + QUOTENAME(@Table) + ' WHERE @Data = @Data';

    -- sp_executesql requires the parameter-definition string to be NVARCHAR, hence the N prefix.
    EXEC sp_executesql @SQL, N'@Data VARCHAR(255)', @Data = @Data;

    That is the basic idea of dynamic SQL. The way it is, @Columns can still be injected, but it's not easily something that can run, because it would be a malformed SQL statement and throw an error. You should also put some checks in place to strip out ;'s, and possibly split each of the columns in @Columns and put the []'s around them.

    As far as filling multiple drop downs, your expense from a development standpoint on trying to make a generic way of pulling the data is far greater than any expense you're going to have by making multiple database calls. If you find that you're constantly making calls to the database, it might be time to look at optimization, caching, and lazy loading.
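    A worked version of the column-whitelisting idea from the post above, added here as an example and not the poster's own code. It assumes SQL Server 2017 or later (for STRING_SPLIT, STRING_AGG and CREATE OR ALTER), a table in the dbo schema, and a filter column named [Name]; those names are assumptions for the example. Every requested column is checked against sys.columns before it is bracketed, so a value such as `Id; DROP TABLE Foo` never reaches the query text, and the data value stays a bound parameter of sp_executesql.

```sql
-- Added example: dynamic SELECT with whitelisted, bracketed column names (not the poster's code).
CREATE OR ALTER PROCEDURE dbo.usp_SelectColumns
    @Table   sysname,          -- caller-supplied table name
    @Columns NVARCHAR(MAX),    -- caller-supplied comma-separated column list
    @Data    VARCHAR(255)      -- caller-supplied filter value
AS
BEGIN
    SET NOCOUNT ON;

    -- 1. The table must be a real user table; OBJECT_ID returns NULL for anything else.
    DECLARE @ObjectId INT = OBJECT_ID(N'dbo.' + QUOTENAME(@Table), N'U');
    IF @ObjectId IS NULL
    BEGIN
        RAISERROR(N'Unknown table', 16, 1);
        RETURN;
    END;

    -- 2. Split @Columns and keep only names that exist on that table.
    --    Anything that is not an actual column (stray quotes, ";", "DROP ...") is not in
    --    sys.columns and therefore never makes it into the query string.
    DECLARE @SafeColumns NVARCHAR(MAX);
    SELECT @SafeColumns = STRING_AGG(CAST(QUOTENAME(c.name) AS NVARCHAR(MAX)), N', ')
    FROM STRING_SPLIT(@Columns, N',') AS s
    JOIN sys.columns AS c
      ON c.object_id = @ObjectId
     AND c.name = LTRIM(RTRIM(s.value));

    IF @SafeColumns IS NULL
    BEGIN
        RAISERROR(N'No valid columns requested', 16, 1);
        RETURN;
    END;

    -- 3. Identifiers are whitelisted and bracketed; the value is still a parameter,
    --    so it is compared literally rather than spliced into the SQL text.
    DECLARE @SQL NVARCHAR(MAX) =
        N'SELECT ' + @SafeColumns + N' FROM dbo.' + QUOTENAME(@Table)
      + N' WHERE [Name] = @Data;';   -- [Name] is an assumed filter column for this example

    EXEC sys.sp_executesql @SQL, N'@Data VARCHAR(255)', @Data = @Data;
END;
```

    Calling it with @Columns = N'Id, Name; DROP TABLE Foo' selects only the columns that actually exist on the table, and the rest of the string is discarded rather than executed.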
  4. In Topic: Using parameters is MS SQL.

    Posted 31 Jul 2015

    I would highly suggest that you use a stored procedure to do this instead of trying to do it in code. You are opening yourself up to SQL Injection by concatenating the string together like that.
  5. In Topic: problem with insert records into table

    Posted 30 Jul 2015

    As modi said, you don't need a SqlDataAdapter. With that, you're actually not using it properly. You pass it a SELECT command and it can generate the INSERT/UPDATE commands for you. What you need is a SqlCommand object. Also, you should be using parameterized queries to protect against SQL Injection.

    EX:

    // Namespaces needed for SqlConnection, SqlCommand and CommandType.
    using System.Data;
    using System.Data.SqlClient;

    // "using" can be used because SqlConnection and SqlCommand implement IDisposable, which
    // gets called when the using block is done. This takes care of having to close
    // and dispose of the objects for you. ("cn" is your connection string.)
    using (var con = new SqlConnection(cn))
    {
        using (var cmd = new SqlCommand("<sproc name> or <Sql Query>", con))
        {
            con.Open(); // You need to open the connection or else it can't connect.

            /* This tells the command that it's executing a SQL string against the database and not a Stored Procedure or Direct Table Access.
             * Options are
             * CommandType.Text
             * CommandType.StoredProcedure
             * CommandType.TableDirect
             */
            cmd.CommandType = CommandType.Text;

            // Parameters.AddWithValue will replace a parameter from the SQL string above with the value you give it.
            // This will also sanitize it so that if I sent in 1'; DROP TABLE FOO; -- it would take it literally and not as multiple commands.
            cmd.Parameters.AddWithValue("@Param1", "Value1");

            /* This will execute the Command you told it to use.
             * For INSERT, UPDATE, and DELETE you can use
             * ExecuteNonQuery(); because it does not return data.
             * For SELECT you can use one of the following:
             * cmd.ExecuteReader();
             * cmd.ExecuteScalar();
             * cmd.ExecuteXmlReader();
             */
            cmd.ExecuteNonQuery();
        }
    }

My Information

Member Title:
D.I.C Lover
Age:
32 years old
Birthday:
February 21, 1983
Years Programming:
8
Programming Languages:
C#, VB.NET, Javascript, VBScript


Comments

  1. AnalyticLunatic

    06 Feb 2014 - 10:46

    Hey, congrats on the review/raise! Been offline a few days and just now reading through the threads. I've got a 90 day evaluation later this afternoon myself.