How to connect to a SQL database

**Frinavale** · Oct 7 '10, 01:14 PM

You should not be creating your SQL command by concatenating user input directly into it. This leaves you wide open to a SQL Injection attack (where the user inputs SQL instead of the intended value and because you are adding it into your SQL command, their SQL command gets executed). You should be using Parameters to avoid this type of attack.

Please review: How to use a database in your program.

After modifying your code to use parameters, see if it works. You can check the number of rows that were effected by the update by checking the Integer that is returned by the ExecuteNonQuery () method.

-Frinny

**dougancil** · Oct 7 '10, 03:04 PM

Frinny,

If the best way would be to use Parameters to input data directly into my SQL with the drop down lists and text boxes I have, since I'm taking values from the users, what would be the best way to accept input from the users?

Doug

**Frinavale** · Oct 7 '10, 03:21 PM

You accept the input from the users using TextBoxes and DropDownLists and any other types of controls you need to do the task.

Then you validate that the input they provided is correct according to your requirements.

Then you supply the values the input to the SqlCommand using it's Parameters Property so that the user input can be used to query or update your database.

When you use parameters, any user provided input will be treated as a "Literal" instead of as part of the command. It is not compiled into the SQL query/update that you are going to execute.

Does this make sense?

**dougancil** · Oct 7 '10, 03:26 PM

Frinny,

Ok so then because I'm using regular expression validation for most of the text boxes, what you're telling me then is that by using parameters, that instead of doing my validation via expression validation, that I'm shifting away from client validation to server side validation correct? Also if that's the case, can you give me an example of how to capture a text box's input in a sqlcom.paramete rs.add statement?

Thank you,

Doug

**Frinavale** · Oct 7 '10, 03:29 PM

Nope,

I'm telling you to leave all of your validation in.
Do validation client-side and server side...but still participate in good database input-sanitation practices by using parameters.

You should have several layers of data validation and when it comes to entering data into a database you should still use parameters.

-Frinny

**dougancil** · Oct 7 '10, 03:32 PM

Ok so since I've never worked with parameters before, can you give me an example so I won't have to come back later and ask.

Thank you

Doug

**Frinavale** · Oct 7 '10, 03:48 PM

Follow either the SqlCommand.Para meters Property link I posted or the How to use a database in your program link I posted...

They both have examples on how to use parameters.

-Frinny

**dougancil** · Oct 7 '10, 04:01 PM

Frinny,

What I don't know is how to pass the parameters from a text box to the add.parameters. That's my question.

I can understand the structure but don't understand where the textbox or dropdown values would be in the statements.

**Frinavale** · Oct 7 '10, 04:25 PM

I see.

Like this:

Code:

    Dim connectionString As String = "Data Source=10.2.1.41;Initial Catalog=MDR;uid=xxxxx;password=xxxxxxx"
   
    Dim commandText As String = _
        "insert into Exceptions2 " & _
        "values(@exceptiondate, @starttime, @address, @endtime, @duration)"


    Using connection As New SqlConnection(connectionString)
        Dim command As New SqlCommand(commandText, connection)
        command.Parameters.Add("@exceptiondate", SqlDbType.VarChar)
        command.Parameters("@exceptiondate").Value = exceptiondateInput.Text

        command.Parameters.Add("@starttime", SqlDbType.VarChar)
        command.Parameters("@starttime").Value = starttimeInput.Text

        command.Parameters.Add("@address", SqlDbType.VarChar)
        command.Parameters("@address").Value = txtAddress.Text

        command.Parameters.Add("@endtime", SqlDbType.VarChar)
        command.Parameters("@endtime").Value = endtimeInput.Text


        command.Parameters.Add("@duration", SqlDbType.VarChar)
        command.Parameters("@duration").Value = duration.Text

        Try
            connection.Open()
            Dim rowsAffected As Integer = command.ExecuteNonQuery()
          
        Catch ex As Exception
            myErrorMessageLabel.Text = ex.Message
        End Try
    End Using

-Frinny

**dougancil** · Oct 7 '10, 04:35 PM

Frinny thanks. That helps a lot. One last question, what's the best way to pass my dropdown list variables to the sql server? This one is databound

Code:

<asp:DropDownList ID="OperatorDropdown" runat="server" 
            DataSourceID="SqlDataSource1" DataTextField="employeenumber" 
            DataValueField="employeenumber" Height="23px" Width="130px">
        </asp:DropDownList>
        <asp:SqlDataSource ID="SqlDataSource1" runat="server" 
            ConnectionString="<%$ ConnectionStrings:MDRConnectionString %>" 
            SelectCommand="SELECT [employeenumber] FROM [Employees]">
        </asp:SqlDataSource>

While the other two are not.

**Frinavale** · Oct 7 '10, 04:38 PM

I haven't worked with bound DropDownLists in the past but I would think that you could just access the OperatorDropdow n.SelectedItem. Value property and set the parameter's value to it... like I did above.

**dougancil** · Oct 7 '10, 04:50 PM

so like this for the databound dropdown?

Code:

command.Parameters.Add("@employeenumber", SqlDbType.Varchar)
        command.Parameters("@employeenumber".value = OperatorDropdown.SelectedItem.Value

and like this for the non-databound?

Code:

command.Parameters.Add("@code", SqlDbType.Varchar)
        command.Parameters("@code").Value = listitem.value

**Frinavale** · Oct 7 '10, 05:01 PM

You're missing a")" in your code. It should be....

Code:

command.Parameters.Add("@employeenumber", SqlDbType.Varchar)
command.Parameters("@employeenumber").value = OperatorDropdown.SelectedItem.Value

When you bind your DropDownList you set the DataTextField and the DataValueField properties. These are not necessarily the same thing (in your case they are set to the same thing). You would need to choose the correct "SelectedIt em" property accordingly. In your case either OperatorDropdow n.SelectedItem. Value or OperatorDropdow n.SelectedItem. Text will work.

**dougancil** · Oct 7 '10, 05:42 PM

Frinny,

What about for the non-bound dropdown? Is that correct? Oh and thank you for pointing out the missing ")". I corrected that.

How to connect to a SQL database

How to connect to a SQL database

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment