Thread: C#
  C#        Member 14619826    22-Oct-19 1:45
  Re: C#    OriginalGriff      22-Oct-19 1:57
  Re: C#    ZurdoDev           22-Oct-19 3:59
  Re: C#    OriginalGriff      22-Oct-19 4:32
  Re: C#    ZurdoDev           22-Oct-19 5:04
  Re: C#    Dave Kreskowiak    22-Oct-19 7:07
  Re: C#    Luc Pattyn         22-Oct-19 11:23
  Re: C#    Richard Deeming    23-Oct-19 2:25

Re: C#
Richard Deeming, 23-Oct-19 2:25
Luc Pattyn wrote:
// to avoid someone starting a lecture about SQL injection:
question=question.Split(';')[0];
string query="SELECT answer FROM AnswersToAllQuestions "+
    " WHERE question LIKE '%"+question+"%'";
No no no no no no no! D'Oh!

There are plenty of ways to exploit that code without having to insert a semi-colon into the string.

Given how simple it is to do the right thing in .NET, it amazes me what lengths people will go to to do it wrong.
using System.Collections.Generic;
using MySql.Data.MySqlClient;

static List<string> GetAnswers(string connectionString, string question) {
    var answers = new List<string>();

    using (MySqlConnection dbCon = new MySqlConnection(connectionString)) {
        dbCon.Open();

        // MySQL's '+' is numeric addition, not string concatenation, so the
        // pattern is built with CONCAT(); the user value is still only ever a
        // bound parameter and never part of the SQL text.
        const string query = "SELECT answer FROM AnswersToAllQuestions WHERE question LIKE CONCAT('%', @question, '%')";

        using (MySqlCommand dbCmd = new MySqlCommand(query, dbCon)) {
            // Do the right thing, Luc!
            dbCmd.Parameters.AddWithValue("@question", question);

            using (MySqlDataReader reader = dbCmd.ExecuteReader()) {
                while (reader.Read()) {
                    string answer = (string)reader["answer"];
                    answers.Add(answer);
                }
            }
        }
    }

    return answers;
}

"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
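The two claims in the reply above (that chopping at the first ';' stops nothing, and that binding the value does) are easy to check against a real database engine. The following is an added example, not code from the thread or from either poster; it transcribes Luc's concatenating lookup and Richard's parameterised one into Python against an in-memory SQLite database rather than C#/MySQL, because the injection mechanics are the same. The AnswersToAllQuestions table and its two columns come from the posted query; the Users table, its row, the sample answers and the escape_like helper are constructed for the demonstration. SQLite's string concatenation is `||` (MySQL would use CONCAT()) and its LIKE escape syntax is `ESCAPE`. The extra point the example makes beyond the reply is a caveat: binding the value stops injection, but `%` and `_` inside a bound value are still LIKE wildcards, so a caller can still widen the match unless they are escaped.

```python
import sqlite3

# Constructed sample data (not from the thread): the AnswersToAllQuestions
# table the posted query reads, plus a Users table whose contents the lookup
# must never expose.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE AnswersToAllQuestions (question TEXT, answer TEXT)")
    con.executemany(
        "INSERT INTO AnswersToAllQuestions VALUES (?, ?)",
        [("meaning of life", "42"), ("capital of France", "Paris")],
    )
    con.execute("CREATE TABLE Users (name TEXT, pwhash TEXT)")
    con.execute("INSERT INTO Users VALUES ('admin', 'hash-of-admin-password')")
    con.commit()
    return con


def lookup_unsafe(con, question):
    """Luc's version transcribed: drop everything after the first ';',
    then concatenate the remainder straight into the SQL text."""
    question = question.split(";")[0]
    query = ("SELECT answer FROM AnswersToAllQuestions "
             "WHERE question LIKE '%" + question + "%'")
    return [row[0] for row in con.execute(query)]


def lookup_param(con, question):
    """Richard's version: the value is bound, so it is only ever a string
    that LIKE compares against; a quote inside it cannot alter the statement."""
    query = ("SELECT answer FROM AnswersToAllQuestions "
             "WHERE question LIKE '%' || ? || '%'")
    return [row[0] for row in con.execute(query, (question,))]


def escape_like(s, esc="\\"):
    """Hypothetical helper: make '%', '_' and the escape character itself
    literal inside a LIKE pattern (order matters: escape the escape first)."""
    return (s.replace(esc, esc + esc)
             .replace("%", esc + "%")
             .replace("_", esc + "_"))


def lookup_safe(con, question):
    """Bound AND wildcard-escaped: the caller can neither change the
    statement nor widen the match with '%' or '_'."""
    query = ("SELECT answer FROM AnswersToAllQuestions "
             "WHERE question LIKE '%' || ? || '%' ESCAPE '\\'")
    return [row[0] for row in con.execute(query, (escape_like(question),))]


# Attack strings; neither contains a ';', so Split(';') passes them through.
PAYLOAD_ALL = "' OR '1'='1"                            # dumps every answer
PAYLOAD_UNION = "' UNION SELECT pwhash FROM Users -- "  # reads another table


if __name__ == "__main__":
    db = make_db()
    print("unsafe, OR payload:   ", lookup_unsafe(db, PAYLOAD_ALL))
    print("unsafe, UNION payload:", lookup_unsafe(db, PAYLOAD_UNION))
    print("param,  OR payload:   ", lookup_param(db, PAYLOAD_ALL))
    print("param,  '%' wildcard: ", lookup_param(db, "%"))
    print("safe,   '%' wildcard: ", lookup_safe(db, "%"))
    print("safe,   honest query: ", lookup_safe(db, "meaning"))
```

Run it and the first two lines show the concatenated query returning every answer and then the Users table's password hash, with no semicolon anywhere in the input. The bound version returns nothing for the OR payload, but a bare `%` still matches every row; only the escaped variant confines the caller to the substring they actually typed.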
