PlausiblyDamp
Administrators-
Posts
7016 -
Joined
-
Last visited
Content Type
Profiles
Forums
Blogs
Events
Articles
Resources
Downloads
Gallery
Everything posted by PlausiblyDamp
-
Quick Guide to Parametrising SQL Jump to the bit on using parameters Often when interacting databases we need to provide information to the database that can only be obtained at runtime (this could be from user input, other programmatic means or similar). Two potential approaches to this problem involve either parametrising the database code or relying on string concatenation. In this post I hope to show why concatenation is bad and parameters are good. To keep things simple I am using the simplest code I can and deliberately ignoring non-essential error handling, for similar reasons I am also choosing not to use stored procedures. I am choosing Northwind as the database as this is available to anyone with SQL or MS access but the ideas will convert to other database platforms. Another point to bear in mind is these problems will occur with any form of string concatenation be they String.Format, StringBuilder or some other means. Why not parametrising is bad A typical example of how to perform a query based on user input could look like the following (the example has a simple form with a button, textbox and datagrid - should work in either a web or windows environment) For sql server Dim conn As New SqlConnection("Data Source=.;Initial Catalog=Northwind;Integrated Security=true") Dim sql As String = "SELECT ProductID, ProductName FROM Products WHERE ProductName Like '" & TextBox1.Text & "%'" Dim cmd As New SqlCommand(sql, conn) Dim ds As New DataSet Dim da As New SqlDataAdapter(cmd) debug.WriteLine(sql) 'Lets us see the sql just before it is executed! da.Fill(ds) DataGridView1.DataSource = ds.Tables(0) 'DataBind 'Uncomment this line if a web application or for access Dim conn As New OleDbConnection("Provider=Microsoft.Jet.OLEDB.4.0;Data Source=Nwind.mdb;Persist Security Info=True") Dim sql As String = "SELECT ProductID, ProductName FROM Products WHERE ProductName Like '" & TextBox1.Text & "%'" Dim cmd As New OleDbCommand(sql, conn) Dim ds As New DataSet Dim da As New OleDbDataAdapter(cmd) Debug.WriteLine(sql) da.Fill(ds) DataGridView1.DataSource = ds.Tables(0) 'DataBind 'Uncomment this line if a web application To see the application work try entering a value of chef into the textbox and see the resulting values. Notice this works and is simple, the initial reaction is therefore to use this method. notice the line Dim sql As String = "SELECT ProductID, ProductName FROM Products WHERE ProductName Like '" & TextBox1.Text & "%'" is the one that builds the query by concatenating the contents of a textbox with a sql string, it is this concatenation that causes our potential problems. Problem 1 Maybe not a big problem but consider how complex the string building will get if the query is a multiple table join, with multiple textboxes that get concatenated into the sql query. How about if my code needs to use the " character? All of these situations can result in a piece of code spanning multiple lines, maintenance is not it's strong point ;) If this runs but the results are wrong how do we pinpoint the problem - is the SQL correct but the code we are using to build it wrong; is the SQL wrong but at least we are building it correctly; both bits of code are wrong and we really have our work cut out. Problem 2 To get a little more adventurous try searching for the string Chef Anton's and suddenly our system isn't running as smoothly... If you look at the resultant SQL (as displayed in the output window by the Debug.WriteLine(sql)) it looks like SELECT ProductID, ProductName FROM Products WHERE ProductName Like 'Chef Anton's%' Notice the end of the statement 'Chef Anton's%' contains invalid sql due to the single ' character contained within our textbox. If we need to search / insert etc. data that may contain this character we now have a major problem to contend with. Problem 3 change the sql assignment to 'sql server users use Dim sql As String = "SELECT FirstName,LastName FROM Employees WHERE HireDate ='" & TextBox1.Text & "'" 'oledb people use Dim sql As String = "SELECT FirstName,LastName FROM Employees WHERE HireDate =#" & TextBox1.Text & "#" and now try querying the value 17/10/1993 and see the results, also try 10/17/1993 and compare. I would like to tell you the results but there are no guarantees here. On my pc either value worked on the oledb version, while 17/10/1993 throws an exception and 10/17/1993 works against sql server. This is a result of us passing strings to the database that the database then needs to interpret correctly. Differences in client / server locale settings and user input formats can all cause problems here. Problem 4 Firstly if you are using Access then inherent limitations of it's SQL engine prevent this problem occurring, for most other databases however this is a valid and very dangerous problem. Let's revert back to the original sql string Dim sql As String = "SELECT ProductID, ProductName FROM Products WHERE ProductName Like '" & TextBox1.Text & "%'" and we will try something a little more fun. We already know that putting a single ' into the text box causes an error because the code then adds an additional ' to the end. Therefore if we search for a very simple - but invalid string like x' we will see the same error as before with the resultant sql being SELECT ProductID, ProductName FROM Products WHERE ProductName Like 'x'%' Notice if we change the textbox contents to x' -- then the resultant sql looks like SELECT ProductID, ProductName FROM Products WHERE ProductName Like 'x' --%' although this doesn't return any data neither is it crashing! By commenting out the extra ' character we now have well formed sql code again. Now enter the following into the text box and see what happens x' INSERT Employees (FirstName,LastName) VALUES('get here?','How did this') -- this gives us a resulting sql string of SELECT ProductID, ProductName FROM Products WHERE ProductName Like 'x' INSERT Employees (FirstName,LastName) VALUES('get here?','How did this') --%' What would you expect to happen if you ran this against your server? If you have been following along you have just ran this against your server - go have a look in the Employees table and check the last entry ;) If the above points haven't convinced you that string concatenation is bad then I'm probably fighting a losing battle and you might as well ignore the rest of this post. If you have encountered any of the above you may have also come across means of preventing them (detecting invalid characters, regular expressions, encoding and decoding characters etc.) these may work but can often involve more effort than simply doing things correctly in the first place.
-
Visual Studio can certainly be a bit of a resource hog and the performance can really suffer depending on the hardware you are running on. I must admit that I haven't noticed too many issues on the more recent versions though, plus 2010 and later get a lot of nice features as well.
-
One way would be to pass the form into the other class when you create it, the other class could have a constructor that takes a parameter of your form.
-
Rather than close the form couldn't you keep it open but hidden? That way you would be able to maintain a reference to it at all times and use the .Invoke() method to handle cross thread calls.
-
As far as I am aware the way Gmail and Outlook handle the attachment is specific to each application. The Accept and Reject buttons are provided by Outlook and there isn't a similar feature built into Gmail.
-
Doesn't look like it uses flash, all the prices are in the html itself. Parsing that is another matter entirely - if you search around these forums or at the sister site (http://www.xtremevbtalk.com/) you should find plenty of topics on parsing html.
-
Is the flash app inside an aspx page? What kind of data are you trying to download? Is this going to be continuous or a one time download? What are you planning on doing with the information from flash?
-
As far as I remember is should run fine under windows 7 a long as you have applied any service packs to visual studio I think there was only ever a Sp1 anyway and a specific update for vista. Easiest place to get them is Sp1 - http://www.microsoft.com/en-us/download/details.aspx?DisplayLang=en&id=5553 Vista Update - http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=7524
-
DateTime is less 8 hours after serializing & deserializing
PlausiblyDamp replied to lamy's topic in ASP.NET
It looks like it is failing to handle timezone offsets correctly, in all honesty I don't use JavaScriptSerializer myself as I have found several issues with it. http://james.newtonking.com/json is a far better library for handling this kind of thing (even Micorsoft use it in preference to their own code in the MVC framework). In fact you can install it directly with Nuget (just search for json.net) if you prefer an easy life. -
You could always use the .CompareTo method of a version object - if you use it to compare two versions and it returns 0 then they are the same. Out of interest is there a reason why you only want it to run on Windows 7 and not later versions?
-
You could always use the .CompareTo method of a version object - if you use it to compare two versions and it returns 0 then they are the same. Out of interest is there a reason why you only want it to run on Windows 7 and not later versions?
-
Forcing windows font system size to 100%
PlausiblyDamp replied to EFileTahi-A's topic in Windows Forms
It would be far, far better to try and adapt to the user's settings as opposed to overriding them. If a user has selected a particular font size they have probably done this for a reason, ignoring this setting will often leave the application unusable for these users. As a rule saying will often result in users not using your application. If you are using WinForms for your app then built in controls such as the TableLayoutPanel can be a big help in laying out your app and coping with different screen resolutions and sizes. Same can be said for using the Dock and Anchor properties of a control. http://support.microsoft.com/kb/182070 gives a technique or two for handling resizing of controls (example is in VB but shouldn't be too hard to follow regardless). -
Expression blend will allow you to edit a copy of a control's template - right click on it and there should be an option to "Edit Template" - if you select copy you will get the XAML for the control template. That would allow you to see how the UI part of the control is built.
-
As far as I am aware it only natively supports it's own XAML resource format for 3d models, there are plenty of converters / plugins for all the major formats and tools though.
-
If you are in the Form_Closing event then the form is already closing, calling Me.Close() will start closing the form again.
-
Trying to Understand the Finer Details of Custom Events
PlausiblyDamp replied to Recondaddy's topic in General
In the Class2 constructor you are doing parentClass = new Form1(); this is creating a new instance of the Form1 class and then attaching your event handlers to that instance. This is a bit like setting your alarm clock, going to the shops and buying a new alarm clock and expecting it to wake you up at the correct time. If you want to handle events from the original Form1 instance you would need to pass this instance to Class2 rather than create a new instance. -
A Class Instantiating an Instance of Itself??
PlausiblyDamp replied to Recondaddy's topic in General
In that example the class is being instantiated from the Main method, this method is declared as static and cannot access any instance members only static ones such as Subroutine1 , by creating an instance of the Program class the Main method can access instance members such as Subroutine2 through the program instance. -
root.AppendChild(elemTicketIndex) shouldn't that be elem.AppendChild(elemTicketIndex) instead? What version of .Net are you using btw? If you are on .Net 3 or later then there are much nicer ways of working with XML.
-
If you are using Asp.Net 2.0 then it already has built in providers for managing users and roles, unless you have an overriding reason to do all the work yourself using the built in support will be far easier. If you are going to do this yourself then you have some issues you need to address: Firstly the line of code string strSQL = "Select * FROM UserList where ULoginId ='" + uname + "' AND UPassword ='" + password + "'"; leaves you wide open to sql injection attacks, which in this situation can leave your entire security system worthless. http://www.xtremedotnettalk.com/showthread.php?p=463520#post463520 gives more details on what this means. As a quick one though run your application and enter any username and any password at all, however make sure the password field has ' OR 1 = 1 -- at the end and notice the login is being bypassed. Secondly storing the password in plain text is a big security risk, anyone who can get access to the database (in fact the first point above means just about anyone can do this) could get a list of usernames and passwords making the entire system a risk. This could be worse as often people will use the same password for multiple systems and all of them are now compromised - you really should be storing a hash of the password not the password itself.
-
Which line is throwing the error? What is the error that is being thrown?
-
There isn't a one to one mapping between namespaces and dlls, it looks as though the System.ComponentModel.Design namespace is split between those two dlls.
-
What would cause Problem Signature 09: System.ObjectDisposedException?
PlausiblyDamp replied to TexasAggie's topic in General
Is this your code or a third party application? If it is your code then does this occur when running under a debugger? If so what line throws this error? The error message itself does explain the underlying problem though, somewhere in the code there has been an attempt to use an object that has been disposed of and the object in question is raising this error. -
Serial Ports Communication (Ports dont show up)
PlausiblyDamp replied to andicom's topic in Windows Forms
If you did it while running under a debugger I would expect it to show the contents of the myPort variable. -
Serial Ports Communication (Ports dont show up)
PlausiblyDamp replied to andicom's topic in Windows Forms
If you put a breakpoint on the line in question and run the app directly from visual studio (F5) then it will enter the debugger when that line is hit. If you then step over that line of code and hover the mouse over the variable myPort you should be able to see it's contents. -
Serial Ports Communication (Ports dont show up)
PlausiblyDamp replied to andicom's topic in Windows Forms
If you put a break point on the line Dim myPort As String() = SerialPort.GetPortNames() 'an array to store list of available ports is the array being populated with the available ports? When you run the application is anything appearing in the dropdown portion of the combobox?