Fetch The Value From DataBase Through Text Box

Question

1.00/5 (1 vote)

See more:

HI

What i am Expecting is that In My text Box if i write Any Sql Query As select or anything and I will perform one button event it should Give me the Output on another label or text box .
So on total
1.text box:Where i write My query
2:Will have same functionality as like execute
3:Text Box Where My executed query Output will be displayed

Posted 18-Jun-12 9:46am

RAKESH CHAUBEY

Add a Solution

2 solutions

Solution 1

My text Box if i write Any Sql Query As select or anything and I will perform one button event it should Give me the Output
I would strongly not suggest this implementation. This is like willingly asking for SQL Injection.
Refer:
MSDN: SQL Injection[^]
SQL Injection Mitigation: Using Parameterized Queries[^]

For database operations, you should use parametrized queries or SP's via ADO.NET.
Refer:
Look here for parameterized query and it's usage:
MSDN: Configuring Parameters and Parameter Data Types (ADO.NET)[^]
MSDN: DataAdapter Parameters (ADO.NET)[^]
MSDN: SqlCommand.Parameters Property [^]

Posted 18-Jun-12 9:52am

Sandeep Mewara

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Tim Corey · Accepted Answer · 2012-06-18T09:56:00

OK, you can do this but I'm going to want you to read to the end before you do. First, how to do it: I wrote an article a while ago that dealt with how to write T-SQL. I wrote a simple application that took the SQL text you put into the box and it ran it against the database. You can get the source for the application, as well as see a working example here:

SQL for Developers: Basic Data Retrieval[^]

Note that this isn't what the article is about, but there is a working example of what you want to do. The code will be basically the same for ASP.NET (right now it is just a WinForms app). That will get you through the "how" of doing this. Now for a short speech:

I would HIGHLY recommend against doing this. This is a bad idea. If your users can run SQL statements, then they can do things like dropping the table or reading other information that you weren't expecting them to do or executing scripts against the database. Please, please, please don't do this. Figure out a better way to accomplish what you want to do. If you do this, I can almost guarantee you will regret it down the road. Even if you lock down the user account it is running under and only give access to certain employees to run this, at some point someone will make a mistake and someone else will exploit it (intentionally or unintentionally).