
 c# code problem

TSmike9407
post Sep 17 2016, 10:05 AM, updated 8y ago

On my way
****
Junior Member
604 posts

Joined: May 2015
CODE
private void okbtn_Click(object sender, EventArgs e)
       {
           OleDbConnection conn = new OleDbConnection();
           conn.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Desktop\GameMuseumManagementSystem.accdb";
         
           try
           {
               conn.Open();
               String Name = txtName.Text.ToString();
               String Email = txtEmail.Text.ToString();
               String Password = txtPassword.Text.ToString();
               String my_querry = "INSERT INTO Member(Member_Name,Member_Password,Member_Email)VALUES('" + Name + "','" + Email + "','" + Password + "')";

               OleDbCommand cmd = new OleDbCommand(my_querry, conn);
               cmd.ExecuteNonQuery();

         
           }
           catch (Exception ex)
           {
               MessageBox.Show("Error" + ex.Message);
           }
           using
           {
               conn.Close();
           }


       }


I want the user, after pressing the OK button, to have successfully become a member with the data stored in the Microsoft Access database, and I need to use SQL injection. How do I fix my code? Is it a syntax error?

This post has been edited by mike9407: Sep 17 2016, 06:31 PM
narf03
post Sep 17 2016, 05:47 PM

Look at all my stars!!
*******
Senior Member
4,544 posts

Joined: Dec 2004
From: Metro Prima, Kuala Lumpur, Malaysia, Earth, Sol


1) You need to explain in better English what you want to do.
2) You have mistaken what SQL injection is; it's a hacking technique.
3) You need to provide us with the error message.
4) Try to use the "code" tag; it will keep your spaces and tabs intact.

TSmike9407
post Sep 17 2016, 06:32 PM

On my way
****
Junior Member
604 posts

Joined: May 2015
What should I do now?
narf03
post Sep 18 2016, 01:57 PM

Look at all my stars!!
*******
Senior Member
4,544 posts

Joined: Dec 2004
From: Metro Prima, Kuala Lumpur, Malaysia, Earth, Sol


Read my response 1-3 again.
StormFur
post Sep 18 2016, 03:00 PM

New Member
*
Newbie
3 posts

Joined: Sep 2016


CODE

private void okbtn_Click(object sender, EventArgs e)
{
    OleDbConnection conn = new OleDbConnection();
    conn.ConnectionString = @"Provider=Microsoft.ACE.OLEDB.12.0;Data Source=Desktop\GameMuseumManagementSystem.accdb";

    try
    {
        conn.Open();
        // This is pointless: .Text is already a string, so you don't need to call .ToString() on it again.
        // Should be like this:
        String Name = txtName.Text;
        String Email = txtEmail.Text;
        String Password = txtPassword.Text;
        //String Name = txtName.Text.ToString();
        //String Email = txtEmail.Text.ToString();
        //String Password = txtPassword.Text.ToString();

        // Your SQL query is wrong, so that's why you are getting an error. Remember to have spaces. See the differences.
        //String my_querry = "INSERT INTO Member(Member_Name,Member_Password,Member_Email)VALUES('" + Name + "','" + Email + "','" + Password + "')";
        // The column list and the VALUES list must be in the same order (Name, Password, Email).
        // OLE DB binds parameters by position, not by name, so add them below in that same order.
        String my_querry = "INSERT INTO Member (Member_Name,Member_Password,Member_Email) VALUES (@name,@password,@email)";

        OleDbCommand cmd = new OleDbCommand(my_querry, conn);

        cmd.Parameters.AddWithValue("@name", Name);
        cmd.Parameters.AddWithValue("@password", Password);
        cmd.Parameters.AddWithValue("@email", Email);

        cmd.ExecuteNonQuery();
    }
    catch (Exception ex)
    {
        MessageBox.Show("Error: " + ex.Message);
    }
    // What is this? It should be finally
    //using
    finally
    {
        conn.Close();
    }
}



Don't pass variables into a string like that when inserting data into SQL. It is not safe and exposed to SQL injection.
Use the command.Parameters like I have shown.

Sometimes your SQL query gets a little longer and you want to write the code like this:

CODE

string sql = "SELECT Name,Password,Email from Member "; // See the space that I'm giving at the end
sql += "Where Name = @name"; // Always use a parameter for passing a variable into an SQL query

OleDbCommand cmd = new OleDbCommand(sql, conn); // conn is the open OleDbConnection from above
cmd.Parameters.AddWithValue("@name", "mike9407");

TSmike9407
post Sep 18 2016, 05:32 PM

On my way
****
Junior Member
604 posts

Joined: May 2015
QUOTE(StormFur @ Sep 18 2016, 03:00 PM)
Don't pass variables into a string like that when inserting data into SQL. It is not safe and exposed to SQL injection.
Use the command.Parameters like I have shown.
*
So when I click the OK button, will it automatically be stored in Microsoft Access?

TSmike9407
post Sep 18 2016, 05:53 PM

On my way
****
Junior Member
604 posts

Joined: May 2015
QUOTE(StormFur @ Sep 18 2016, 03:00 PM)
Don't pass variables into a string like that when inserting data into SQL. It is not safe and exposed to SQL injection.
Use the command.Parameters like I have shown.
*
By the way, where can I get this "Provider=Microsoft.ACE.OLEDB.12.0" from my Microsoft Access?
StormFur
post Sep 18 2016, 10:04 PM

New Member
*
Newbie
3 posts

Joined: Sep 2016


QUOTE(mike9407 @ Sep 18 2016, 05:53 PM)
By the way, where can I get this "Provider=Microsoft.ACE.OLEDB.12.0" from my Microsoft Access?
*
Why use MS Access? Data can be corrupted easily.
Use MySQL instead. It's free.
narf03
post Sep 19 2016, 01:57 AM

Look at all my stars!!
*******
Senior Member
4,544 posts

Joined: Dec 2004
From: Metro Prima, Kuala Lumpur, Malaysia, Earth, Sol


QUOTE(StormFur @ Sep 18 2016, 10:04 PM)
Why use MS Access? Data can be corrupted easily.
Use MySQL instead. It's free.
*
MySQL requires installation.
StormFur
post Sep 19 2016, 11:08 AM

New Member
*
Newbie
3 posts

Joined: Sep 2016


QUOTE(narf03 @ Sep 19 2016, 01:57 AM)
MySQL requires installation.
*
Of course it requires installation.
If you don't want any installation, use a text file instead.
narf03
post Sep 19 2016, 01:18 PM

Look at all my stars!!
*******
Senior Member
4,544 posts

Joined: Dec 2004
From: Metro Prima, Kuala Lumpur, Malaysia, Earth, Sol


QUOTE(StormFur @ Sep 19 2016, 11:08 AM)
Of course it requires installation.
If you don't want any installation, use a text file instead.
*
Access DB does not.
TSmike9407
post Sep 19 2016, 08:48 PM

On my way
****
Junior Member
604 posts

Joined: May 2015
QUOTE(mike9407 @ Sep 18 2016, 05:53 PM)
By the way, where can I get this "Provider=Microsoft.ACE.OLEDB.12.0" from my Microsoft Access?
*
Bro, my Access DB's Member table has a Member_ID attribute which is an automatically generated ID; I can't insert one, so what should I do now?
Does the insert method have an error or what?
sivakl2001
post Sep 19 2016, 09:30 PM

New Member
*
Junior Member
22 posts

Joined: Sep 2010


Try the code first. If you get any error message, then post it here; you will get help.
narf03
post Sep 19 2016, 10:29 PM

Look at all my stars!!
*******
Senior Member
4,544 posts

Joined: Dec 2004
From: Metro Prima, Kuala Lumpur, Malaysia, Earth, Sol


QUOTE(mike9407 @ Sep 19 2016, 08:48 PM)
Bro, my Access DB's Member table has a Member_ID attribute which is an automatically generated ID; I can't insert one, so what should I do now?
Does the insert method have an error or what?
*
Auto is designed to fill itself in, so you just ignore that field when you insert,

like: insert into Table1(FieldB, FieldC) Values(1,2)

where your FieldA is the auto field.
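Putting StormFur's parameterised INSERT and narf03's "leave the AutoNumber field out" advice together, here is an added example (not code posted by anyone in this thread). It keeps the thread's table and column names (Member, Member_Name, Member_Password, Member_Email, Member_ID) and the ACE provider string; the .accdb location on the Desktop, the Text field size of 255, the sample values and the MemberRepository/AddMember names are assumptions. The parameters are added in exactly the column order, because the OLE DB provider binds them by position rather than by name.

```csharp
// Added example, not code from the thread: parameterised INSERT into the Member
// table via System.Data.OleDb, omitting the AutoNumber Member_ID and reading the
// generated ID back. Paths, field sizes and sample values are assumptions.
using System;
using System.Data.OleDb;

public static class MemberRepository
{
    // Assumed location: the thread's "Desktop\GameMuseumManagementSystem.accdb"
    // needs the full folder, so it is resolved from the current user's Desktop.
    private static readonly string ConnectionString =
        "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" +
        System.IO.Path.Combine(
            Environment.GetFolderPath(Environment.SpecialFolder.Desktop),
            "GameMuseumManagementSystem.accdb");

    // Inserts one member and returns the AutoNumber Member_ID that Access assigned.
    // Member_ID is deliberately absent from the column list: Access fills it in.
    public static int AddMember(string name, string email, string password)
    {
        // OLE DB placeholders are positional: each '?' is bound to the parameters in
        // the order they were added, so the column list, the VALUES list and the
        // Parameters.Add calls below must all use the same order (Name, Password, Email).
        const string insertSql =
            "INSERT INTO Member (Member_Name, Member_Password, Member_Email) " +
            "VALUES (?, ?, ?)";

        using (var conn = new OleDbConnection(ConnectionString))
        using (var cmd = new OleDbCommand(insertSql, conn))
        {
            // Parameter names are only labels here; size 255 assumes Access Text fields.
            cmd.Parameters.Add("@name", OleDbType.VarWChar, 255).Value = name;
            cmd.Parameters.Add("@password", OleDbType.VarWChar, 255).Value = password;
            cmd.Parameters.Add("@email", OleDbType.VarWChar, 255).Value = email;

            conn.Open();
            int rows = cmd.ExecuteNonQuery();
            if (rows != 1)
                throw new InvalidOperationException("Expected exactly one row to be inserted.");

            // Access (Jet 4.0 / ACE) reports the last AutoNumber value generated on
            // this same open connection through SELECT @@IDENTITY.
            cmd.Parameters.Clear();
            cmd.CommandText = "SELECT @@IDENTITY";
            return Convert.ToInt32(cmd.ExecuteScalar());
        }
    }

    public static void Main()
    {
        // Constructed sample values. The apostrophe in the name would have broken the
        // concatenated query from the first post; as a bound parameter it is just data.
        int id = AddMember("O'Brien", "obrien@example.com", "correct horse battery staple");
        Console.WriteLine("Inserted Member_ID " + id);
    }
}
```

In the form, okbtn_Click would call AddMember(txtName.Text, txtEmail.Text, txtPassword.Text) inside the same try/catch as the posted handler and show the returned ID or the exception message in the MessageBox; the connection and command are disposed by the using blocks, which is what the finally { conn.Close(); } in the corrected handler was doing by hand.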
whences71
post Sep 24 2016, 11:49 PM

New Member
*
Newbie
3 posts

Joined: Sep 2016
From: San Diego, CA


I've got a lot of helpful solutions, many thanks guys.
geekster129
post Oct 11 2016, 09:58 PM

Janitor
******
Senior Member
1,180 posts

Joined: Jan 2007
From: *awaiting GPS accuracy*



Assuming everything works, the SQL statement will insert the wrong data into the wrong field:

CODE

String my_querry = "INSERT INTO Member(Member_Name,Member_Password,Member_Email)VALUES('" + Name + "','" + Email + "','" + Password + "')";

I can see that you are assigning Email to the Member_Password field and Password to the Member_Email field in Access.

Change to: