Click here to Skip to main content
15,889,992 members
Search within:


What is the good way to write this in C#?
Please Sign up or sign in to vote.
0.00/5 (No votes)
See more:
C#
C#
string query2 = "select * from [next] where id='" + txtCIVILIDD.Text + "'";
            SqlCommand command = new SqlCommand(query2, con);
            SqlDataAdapter adapter = new SqlDataAdapter(command);
            con.Open();
            command = new SqlCommand("INSERT INTO next (id,time,clock,username,Name_Arabic,gender) VALUES('" + txtCIVILIDD.Text + "','" + txttime.Text + "','" + txtclock.Text + "','" + txtusername.Text + "','" + txtName_Arabic.Text + "','" + CBgender.Text + "')", con);
            command.ExecuteNonQuery();
            con.Close();


im new in coding i want to find what is the good way to write this code in my c# program someone tell me that way is wrong but it work good for me so i want to know why ??

What I have tried:

i don't know the good way for it i know that i have sql injection
Posted
Updated 24-Jan-19 1:37am
Add a Solution

4 solutions

At a quick glance, there are a couple of issues in your code. The first thing is that your code is wide open to something known as a Sql Injection Attack. This[^] article explains what they are and how you can prevent them.

The second thing is that you have code in there that you cannot guarantee will call Dispose when you are finished with resources. This means that resources may not be released, which can lead to things like memory leaks or resource starvation (which means that a resource you rely on, such as a database connection, may be unavailable to you because you have used them all up). The common way to solve this problem is to use a using statement to wrap up objects that implement IDisposable. Something like this:
C#
using (SqlConnection con = new SqlConnection(myConnectionString))
{
  // Do my work
} // When the application reaches this point, it will automatically call con.Dispose()
 
Share this answer
 
Posted
Comments
CPallini 24-Jan-19 3:10am    
5.
Pete O'Hanlon 24-Jan-19 5:51am    
Thanks
C#
command = new SqlCommand("INSERT INTO next (id,time,clock,username,Name_Arabic,gender) VALUES('" + txtCIVILIDD.Text + "','" + txttime.Text + "','" + txtclock.Text + "','" + txtusername.Text + "','" + txtName_Arabic.Text + "','" + CBgender.Text + "')", con);

Your code is subject to SQL Injection.
Never build an SQL query by concatenating strings. Sooner or later, you will do it with user inputs, and this opens door to a vulnerability named "SQL injection", it is dangerous for your database and error prone.
A single quote in a name and your program crash. If a user input a name like "Brian O'Conner" can crash your app, it is an SQL injection vulnerability, and the crash is the least of the problems, a malicious user input and it is promoted to SQL commands with all credentials.
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
SQL Injection Prevention Cheat Sheet - OWASP[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]
 
Share this answer
 
Posted
Comments
MadMyche 24-Jan-19 7:14am    
5'd. And the poster has received this same information a few times now
Patrice T 24-Jan-19 7:16am    
Thank you.
As others have pointed out, your code is vulnerable to SQL Injection. But you already knew that! :)

I believe you just wanted an example of how to fix the vulnerability:
C#
using (SqlConnection con = new SqlConnection(myConnectionString))
{
    con.Open();
    
    // INSERT command:
    using (SqlCommand command = new SqlCommand("INSERT INTO [next] (id, time, clock, username, Name_Arabic, gender) VALUES (@id, @time, @clock, @username, @Name_Arabic, @gender)", con))
    {
        // TODO: Convert the text to an appropriate type, if necessary:
        command.Parameters.AddWithValue("@id", txtCIVILIDD.Text);
        command.Parameters.AddWithValue("@time", txttime.Text);
        command.Parameters.AddWithValue("@clock", txtclock.Text);
        command.Parameters.AddWithValue("@username", txtusername.Text);
        command.Parameters.AddWithValue("@Name_Arabic", txtName_Arabic.Text);
        command.Parameters.AddWithValue("@gender", CBgender.Text);
        
        command.ExecuteNonQuery();
    }
    
    // SELECT command:
    using (SqlCommand command = new SqlCommand("SELECT * FROM [next] WHERE id = @id", con))
    {
        // TODO: As above, convert the text to an appropriate type if necessary:
        command.Parameters.AddWithValue("@id", txtCIVILIDD.Text);
        
        SqlDataAdapter adapter = new SqlDataAdapter(command);
        DataSet data = new DataSet();
        adapter.Fill(data);
        
        // TODO: Do something with the loaded data here...
    }
}

NB: As pointed out in the comments, you may encounter problems if the text in your controls can't be converted to the appropriate types for the columns. If necessary, you will need to validate the text and/or convert it to an appropriate type before adding the parameters.

Some light reading for you:
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt[^]
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange[^]
Query Parameterization Cheat Sheet | OWASP[^]
 
Share this answer
 
Posted
Updated 24-Jan-19 2:12am
v2
Comments
CPallini 24-Jan-19 7:40am    
5.
MadMyche 24-Jan-19 7:47am    
+5There could be a problem if some of those fields are not text though
Richard Deeming 24-Jan-19 7:51am    
There could. But since we don't know the column types, there's not much we can do. :)
MadMyche 24-Jan-19 8:00am    
You are right of course, but when this gets copy/pasted in; the poster may read the comments and adjust accordingly. Or ask us to adjust it
The best way would be to use String.Format property or use a stored procedure to prevent SQL injection.
 
Share this answer
 
Posted
Comments
Richard MacCutchan 24-Jan-19 4:54am    
No, the proper way is to use parameterised queries, as explained by Pete above.
MadMyche 24-Jan-19 7:11am    
+1
Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

  Print Answers RSS
Top Experts
Last 24hrsThis month
Related Questions
How to write this query for good performance ?
Is it a good idea to write WCF sevice?
Need good reference for Writing Filter Drivers
Looking for a way to read/write pbm image
How do I solve below problem write a C++ code for
is university good or not ?
Good evening everyone.
How to write a repository to get private information related to any type of product
Find and write the output of the following Python code
How to write "to" in vb.net

Advertise
Privacy
Cookies
Terms of Use
Last Updated 24 Jan 2019
Layout: fixed | fluid
Copyright © CodeProject, 1999-2024
All Rights Reserved.

Web03 2.8:2024-04-02:1

CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900