Is this the most efficient/fastest code to use? (beginner sql question)

...another beginner question.

I have a web application in .net v2 VB that requires multiple reads from sql tables where each read is slightly different - so the sql select statements also differ frequently. I've created a few functions in an .ascx file to handle these reads and send them back to the main code.

2 examples are below. Each works - the first returns a single integer value, the second returns the entire row that contains a mix of integers, boolean, and strings. Other similar functions I've written write data using slightly different versions for writing strings or integers.

Because I'm using these or similar functions frequently in the application, I'm wondering whether this is the best way to accomplish these tasks or whether there is a faster, more efficient method to do what I'm doing. Comments?

Thanks in advance
Jeff

    ' Builds the SELECT text by concatenating the column name and the session value.
    Function GetIntAnswer(ByVal CurrQuestion As String) As Integer
        Dim TableP As System.Data.DataView
        Dim sb As New StringBuilder("select ")
        sb.Append(CurrQuestion)
        sb.Append(" from Answers where ID = ")
        sb.Append(Session("ID"))
        SqlAnswers.SelectCommand = sb.ToString
        TableP = SqlAnswers.Select(DataSourceSelectArguments.Empty)
        Return TableP.Item(0)(0)
    End Function

    ' Same pattern: the session value is appended straight into the WHERE clause.
    Function GetInfo() As System.Data.DataView
        Dim sb As New StringBuilder("select * from Questions where QuestionNu = ")
        sb.Append(Session("QuestionPointer"))
        SqlQuestions.SelectCommand = sb.ToString
        Return SqlQuestions.Select(DataSourceSelectArguments.Empty)
    End Function

Hello Jeff,
All together now, smile and say, "SQL INJECTION ATTACK!" *click*.

Become intimately familiar with SqlParameter and SqlCommand.

-Boo


I've done some small amount of reading about injection attacks and have the general idea. Could you help out someone new and give me a bit more detail about what the vulnerability here is and a bit more detail about how to address it? If you're speaking about the fact that there are text boxes, yes, I'm aware of that problem and will incorporate validation into the application. In the meantime, I'll attempt to read up as much as I can about SqlParameter and SqlCommand.

Thanks for whatever you have time to offer...

Jeff

"GhostInAK" <ghosti***@gmail.com> wrote in message news:be1391bf193aa8c8ab860f879830@news.microsoft.com...
> Hello Jeff,
>
> All together now, smile and say, "SQL INJECTION ATTACK!" *click*.
>
> Become intimately familiar with SqlParameter and SqlCommand.
>
> -Boo
Between doing your homework on sql injection attacks and reading the MSDN documentation on SqlParameter and SqlCommand.. you should be golden.

-Boo
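As an added example (not code from anyone in this thread), here are Jeff's two functions rewritten around SqlCommand and SqlParameter, which is what Boo recommends. It assumes a connection string named "Answers" in web.config, a project reference to System.Configuration, and that the column names GetIntAnswer may select come from a fixed, constructed allow-list (Q1, Q2, Q3), because a column name cannot be bound as a parameter and so needs a check of its own.

```vb
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Class AnswerData
    ' Assumption: the connection string lives in web.config under this name.
    Private Shared ReadOnly ConnStr As String = _
        ConfigurationManager.ConnectionStrings("Answers").ConnectionString

    ' Column names cannot be passed as parameters, so the caller's choice of column
    ' is accepted only if it matches this fixed list (constructed names for the example).
    Private Shared ReadOnly AllowedColumns As String() = {"Q1", "Q2", "Q3"}

    ' Replaces GetIntAnswer: the row key travels as an @id parameter, never as SQL text.
    Public Shared Function GetIntAnswer(ByVal currQuestion As String, ByVal id As Integer) As Integer
        If Array.IndexOf(AllowedColumns, currQuestion) < 0 Then
            Throw New ArgumentException("Unknown question column", "currQuestion")
        End If
        ' The column name is only inserted after the allow-list check above passed.
        Dim sql As String = "SELECT [" & currQuestion & "] FROM Answers WHERE ID = @id"
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(sql, conn)
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = id
                conn.Open()
                Return Convert.ToInt32(cmd.ExecuteScalar())
            End Using
        End Using
    End Function

    ' Replaces GetInfo: the whole row comes back as a DataTable, the pointer as @qn.
    Public Shared Function GetInfo(ByVal questionPointer As Integer) As DataTable
        Dim table As New DataTable()
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand("SELECT * FROM Questions WHERE QuestionNu = @qn", conn)
                cmd.Parameters.Add("@qn", SqlDbType.Int).Value = questionPointer
                Using adapter As New SqlDataAdapter(cmd)
                    adapter.Fill(table)
                End Using
            End Using
        End Using
        Return table
    End Function
End Class
```

Callers convert the session values first, e.g. AnswerData.GetIntAnswer(col, CInt(Session("ID"))), so anything that is not a whole number is rejected before a query is built. The text-box validation Jeff mentions is still worthwhile, but it is no longer the only thing between the input and the SQL text.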