User Input - SQL Paramaters
Dec 18, 2007
Hi,
Just wondering if I could make sure that "hackers" don't tamper with my querystring - which is a parameter for a SQL query.
i.e...
Dim ListOfValues as string = request.querystring("listOfValues")
'Output would be this: 324234,5445,554654,45632,
SQL command :
Delete From table where product_id IN (@ListOfValues)
cmd.paramaters.addwithvalue("@ListOfValues", ListOfValues )
How can I validate it so that hackers can't add any characters other than 'numbers' and ' , ' to the sql parameter?
I have tried to tryparse the 'ListOfValues ' as an integer - by replacing "," with "" but an integer overflow occured. Any questions or ideas? Thanks
View 6 Replies
ADVERTISEMENT
Aug 14, 2002
Hi all,
Can anyone tell me about how to prompt a user to type when running a sql statement through query analyzer.
thanks
Jay
View 1 Replies
View Related
Apr 23, 2008
I have created a query that has a "When" and an "And" function.
I know need to make the query run on user input, i want it to ask for the date, then name to run the query
View 2 Replies
View Related
Nov 1, 2006
Afternoon...
I have a database for a pretend dvd hire company and need to create a query that uses user input as part of the query.
Ie, select * from dvd where actor = 'Tom Cruise';
The 'Tom Cruise' part of the query needs to be user input every time the query is ran... Can you help?
Many thanks in advance!?
View 14 Replies
View Related
May 14, 2007
Is it possible to allow user input via a Reporting Services Report? What I mean is could a report be created that would allow someone using the report to enter a number that would be written to the SQL database?
View 1 Replies
View Related
Nov 24, 2004
Hi,
I am new to ASP.NET so pordon me if my questions seems to be stupid.
I was given an assign to develop a ASP that would return results from a SQL server.
The problem is that part of my query to the SQL server comes from the webform
select a.invnum, a.invdate, a.duedate, a.invamt,a.payamt from vpshead a inner join vendors
b on (a.vendnum = b.vendnum) where (a.vendnum = " & user.text & " ) and (b.vendpass = "
& Pass.text & " ) and (a.payflag <> 'V') and ( (a.invamt <> 0) or (a.payamt <> 0) )and (a.chkno = '') order by a.invdate"
As your can tell I am using the user.text and Pass.text in my query which will come from the web form.
I know this is wrong but how else can I do it?
Thanks
View 3 Replies
View Related
Feb 19, 2005
To: All,
well here's a problem that I encountered, i got a textbox that is used to store the Date of Birth of a user. So when user keys in something, it is store as a string. However i wish to convert it into a datetime so that i can store it into my database. Anybody know of a way to help? i've tried countless methods but doesn't seem to work. Please give me a hand guys.... Thanks
From: iaciz
View 2 Replies
View Related
Aug 20, 2005
Hi there
I want to give dynamic input to the t-sql code in sql analyzer.how do i do that....
Like adding 2 numbers
declare @a integer,@b integer,@c integer
--I dont want to give like this
--set @a = 5
--set @b = 10
set @c = @a + @b
can anyone help me with this
regards
Vic
Vicky
View 3 Replies
View Related
May 24, 2007
Hi,
I am trying to make a simple stored procedure which I want to take input on every run from end user:
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
declare @sku varchar(20)
insert into skua (sku,SumOfQtyNum)
(select sku,sumofqtynum from sku where @sku = sku.sku)
it is working but not asking parameter values
(I want to use passthrough query after that in Access)
thanks
AA
View 2 Replies
View Related
Jul 23, 2005
Hello. I'm using SQL query analyzer to run some queries against anSQL2000 DB. Unfortunately, my previous SQL experience is some OralceSQL I took in school.To put it simply, I'm trying to write a query to pull records thatmatch a variable input. In Oracle, I'd use a substitution variablelike this...SELECT * FROM jobs WHERE jobid = &job_id_to_query;Is this possible under SQL2000? Is this only a feature of SQL*Plus?TIARich
View 8 Replies
View Related
Nov 30, 2006
I m new to SQL Server. Before this I was using access. In access one can have user inputs easily .. for example
where receivedate=[enter date]
how I can get userinputs in SQL server Query....
Forgive me if it is a dumb question
View 6 Replies
View Related
Feb 14, 2007
I want to pull dates from my database that are between to set dates i have written a query that does this which looks like this:
"SELECT OCH_ID, empno, Selected_OCD, Start_Time, End_Time, Selected_OCDay, Selected_DOM, Selected_Month, Selected_Year FROM dbo.ICT_On_Call_Hours WHERE (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) >= CONVERT (datetime, LEFT ('12/02/2007', 2) + '/' + SUBSTRING('12/02/2007', 4, 2) + '/' + RIGHT ('12/02/2007', 4))) AND (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) < CONVERT (datetime, LEFT ('14/02/2007', 2) + '/' + SUBSTRING('14/02/2007', 4, 2) + '/' + RIGHT ('14/02/2007', 4)))"
This works when the dates are included in the statement but when i try and use parameters to pull them in like this:
"SELECT OCH_ID, empno, Selected_OCD, Start_Time, End_Time, Selected_OCDay, Selected_DOM, Selected_Month, Selected_Year FROM dbo.ICT_On_Call_Hours WHERE (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) >= CONVERT (datetime, LEFT ('@Choice1', 2) + '/' + SUBSTRING('@Choice1', 4, 2) + '/' + RIGHT ('@Choice1', 4))) AND (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) < CONVERT (datetime, LEFT ('@Choice2', 2) + '/' + SUBSTRING('@Choice2', 4, 2) + '/' + RIGHT ('@Choice2', 4)))"
I then recieve the following error message why is this?
ERROR -------------------> Syntax error converting datetime from character string.
Any Help would be greatly appreciated thanks
View 2 Replies
View Related
Jul 25, 2007
I have a search page that allows users to type/select values contined within the entry they're looking for. My SELECT statement returns columns in a table that get compared to the user input. So if someone selected Status (Open) then all of the 'Open' Request entries should populate the search page. How do I phrase the SELECT statement to compare values if the user gives them, but ignore the fields where no data was input when it's searching? So a search where no values were entered would return every Request Entry instead of an error; no entry.
Thanks!
View 2 Replies
View Related
Jul 15, 2004
Hi folks, i am lookin for an option in the QA to take user input while executing a query. just like we do in SQLPLUS:
SELECT * FROM dept WHERE deptno=$abc
here it would ask me for the deptno. I guess it's a very handy feature and we could test our variables and calculations withing the procedures etc.
Is there a way, or any substitute?
Howdy!
View 14 Replies
View Related
May 3, 2008
I need to convert user's input to SQL statement.
How to code to chage user's input:123, 234 to '123','234'
View 4 Replies
View Related
Jun 2, 2008
Hi I have a table(tblA) as follows
Col1--------------col2---------col3-----col4
London------------1131---------299------Barking
Didicot-----------3451---------429------Dansdon
Barking/ASton-----1131---------345------Singleton
Vander/ADon/cam---3907---------299------derby
Null or Blank ---1131---------423------Addington
Expecting the Data should display look like below
London------------1131---------299------Barking
Didicot-----------3451---------429------Dansdon
Barking/ASton-----1131---------345------Singleton
Vander/ADon/cam---3907---------299------derby
But when user change the col2 value (1131) to 113999, this should be changed to all values where col2 is 1131. Please Help
View 2 Replies
View Related
Nov 20, 2014
I dont know how to get the newest input for each user from one single table.
Should be a very simple task but i cant work it out.
The table looks like this:
ID (A_I), userID, ip, date(timestamp)
Here is a SQL Fiddle Link with some data also: [URL] ....
I have tried a lot querys like this one:
SELECT userID, ip FROM userips GROUP BY userID ORDER BY ID DESC
But this one does not give me the latest ip which was entered by a user.
View 2 Replies
View Related
Jan 11, 2006
I would like to setup a query where the user is firstly prompted to input the information e.g. if they are trying to locate a particular person from a telephone database they would be prompted to enter the surname for that person.
View 4 Replies
View Related
Nov 30, 2007
Hello,
I'm trying to do something simple that has turned out to be a frustrating problem. I have a field in my report that needs to be populated by user input. Based on this user input, I will use the field in a calculation. The simple solution to me, was to create a custom assembly that has a function that uses Console.Write("Input Data") and Console.readline() to assign the input to a string, and then return that string to the report. This works fine in a test console application, but when I copy and paste the code to my custom assembly, it returns #Error to the report. I've debugged, and found that when I hit F10 on Console.Write("test"); it skips right over it, and nothing happens. It also skips over Console.readline(); with nothing happening. This makes me unable to take the user input and set the textbox equal to that value.
Am I doing this completely wrong? Is there something I'm missing, or just not understanding correcly? It seems like reporting services has to have this option. I'd really appreciate some advice. Thanks!
-Paul
View 3 Replies
View Related
May 20, 2008
Hello Everybody,
I am sure this has been asked a thousand times before in a thousand different ways, but here goes...
I am in need of the ability to prompt users for a From Date and To Date to insert into a WHERE clause in SQL queries. What is the easiest least painful way of accomplishing this? A great many of our customers utilized SQL Server Express or MSDE, so they do not have the full gambit of SQL tools handy. Believe me when I say that I have searched high and low across the internet for this solution. I was hoping I might be able to accomplish this through VB Script or J Script. Or, anything reasonable.
Thanks in advance for your time and patience,
Rocky Mountain Tech
View 1 Replies
View Related
Aug 14, 2006
I'm having trouble using paramaters in a full-text search with FormsOf(INFLECTIONAL:DECLARE @SearchWord nvarchar(4000)
SET @SearchWord = 'tax'
SELECT listing_id, RANK, name, address, city, zip, heading, phone
FROM listings a,
FREETEXTTABLE(listings, *, 'FormsOf(INFLECTIONAL, @SearchWord')
WHERE [KEY] = a.listing_id
ORDER BY RANK DESC, name
This returns no results. It treats the paramater as a NULL value. But this...
SELECT listing_id, RANK, name, address, city, zip, heading, phone
FROM listings a,
FREETEXTTABLE(listings, *, 'FormsOf(INFLECTIONAL, tax')
WHERE [KEY] = a.listing_id
ORDER BY RANK DESC, name
returns over 500 results. I've been banging my head against this for 2+hours. Google has been no help as every example shows the result hard-coded in like the second example.PLEASE HELP!!!!!!
????????
View 4 Replies
View Related
May 10, 2007
I need to setup some asp security databases and I have seen several sets of instructions. Some say "Navigate to C:WINDOWSMicrosoft.NETFrameworkv2.0.50727" and some say at the "asp command box". I do know that the directory & file exists on my machine. I have run aspnet_regsql.exe to configure my local server. I now need to run it to configure my web host SQL Server 2005 and that requires some paramaters like "aspnet_regsql.exe -S [DB Server Name] -U [DB login] -P [Password] -A all -d [Database name]". I am old and started before windows. I know DOS. But obviously not well enough.
How do you "Navigate to C:WINDOWSMicrosoft.NETFrameworkv2.0.50727"?
If I say "CDWINDOWS", it works.
When I am at the "C:WINDOWS>" prompt and say "CD Microsoft.NET" it says "invalid directory"
When I am at the "C:>" prompt and say "CDWINDOWSMicrosoft.NET" it says "invalid directory"
When I am at the "C:>" prompt and say "CDWINDOWSMicros~1" it says "invalid directory"
Thanks for your help. John Brown
View 1 Replies
View Related
Jan 17, 2007
I'm writing a search query in TSQL for MS SQL. Here is my code:
SELECT a.*, b.username, c.categoryname FROM
video a
inner join
user b
on
a.userid = b.userid
inner join
video_category c
on
a.categoryId = c.categoryid
where
a.videotitle like '%@SearchText%'
OR
a.description like '%@SearchText%'
This returns no results, but wheN I replace the '%@SearchText%' with my search text inplace of the @SearchText it returns retuls. I have a feelign I am passing the params to the LIKE clause incorrectly. Any suggestions?
Thanks,
-- shawn
View 5 Replies
View Related
May 24, 2006
Hi,
Does anyone know how i go about writing a search query using paramaters, ive been using this as my template:
Select Distinct Recipedata.Name, Ingredients.Ingredient, Directions.Directions
from Recipedata,Ingredients,Directions
Where Ingredients.Ingredient Like '%Chicken%' and
RecipeData.RecipeID = Ingredients.RecipeID and Ingredients.RecipeID = Directions.RecipeID;
Problem is now that i want to use paramters instead of hard coded values as this is for a user. How do i go about this? This database has a VB2k5 front end for the desktop and PDA(and no the target PDA is not web enabled so web servcies arent available to me).
Thanks Much
View 6 Replies
View Related
Oct 17, 2007
Let's say I have a table with 3 fields: an ID field (primary key, set as an id field, etc.), a Name field (nvarchar50), and an Age field (int). I have a form that has three elements:
DropDownList1: This drop down list contains 3 choices- "=", ">", and "<".
Age: This text box is where someone would enter a number.
Button1: This is the form's submit button.
I want someone to be able to search the database for entries where the Age is either equal to ("="), greater than (">"), or less than ("<") whatever number they enter into TextBox1.
The code-behind is shown below. The part I'm confused about is that if I load this page, the query works the -first- time. Then, if I try to change the parameters in the form and submit it, I get the following error:
"The variable name '@Age' has already been declared. Variable names must be unique within a query batch or stored procedure."
Any help would be appreciated.
Here is what I'm using in my code behind:
protected void Button1_Click(object sender, EventArgs e) { System.Text.StringBuilder sb = new System.Text.StringBuilder(); sb.Append("SELECT * FROM People WHERE Age "); switch (DropDownList1.SelectedValue) { case "=": sb.Append("= "); break; case ">": sb.Append("> "); break; case "<": sb.Append("< "); break; } sb.Append("@Age"); SqlDataSource1.SelectCommand = sb.ToString(); SqlDataSource1.SelectParameters.Add("Age", TypeCode.Int32, Age.Text); }
View 7 Replies
View Related
Jun 16, 2004
I know this is an easy one and I know I've read it somewhere, but I can't seem to write the correct format to run correctly. I am trying to build a SELECT statement base on the selected values of a dropdown list on a webform. The selected values will be part of the Table name.. ("client_info" & location_option.selecteditem.value) Can someone show me the correct syntax for adding a form variable into a SELECT statement? Thanks
View 1 Replies
View Related
Oct 25, 2004
I'm running asp.net on an XP machine with MSDE 2000 as the database. I want to create a user table with a userid and password. I have a second table that contains details about the user such as home address and phone number etc. When the user first signs up, I want their userid to go into the user table and the user detail table. In my SQL insert command, I can't get @userId to go into both tables. So my question is how do I get the userID to go into both tables or is there a better way of doing this altogether?
Thanks,
Tom
View 1 Replies
View Related
Jan 25, 2006
I have a problem selecting fields from a table where fields are equal to user input from a listbox. example
listbox of zip codes:
33023[red]22300[/red]39844[red]29339[/red]23883[red]38228[/red]
user wants to retreive highlight zip codes from database.connection working perfect.Thank you for your help.
View 2 Replies
View Related
Jul 15, 2014
I have a table has following fields(Process, datestart,dateend,datedue,,,,)
Process datestart dateend ...
A 14.07.2017 20.07.2014
B 15.07.2014 21.07.2014
C 24.07.2014 30.07.2014
What i want when user enters from date and end date. i want to filter records which are fallen between those two input dates.
if user enters 17.07.2014 and 20.07.2014 as input range. query should show only A and B process as
A 14.07.2017 20.07.2014
B 15.07.2014 21.07.2014
View 3 Replies
View Related
May 28, 2007
hi ,
i am new to this.
how should i update the user input values into sql server database?
i am using asp.net and c#
FIELDS are-
userId,
name,
description,
startTime,
endTime,
audiencePassword,
presenterPassword
i know it must be simple...but i haven't worked on this before.
Jaimin
View 3 Replies
View Related
Mar 4, 2008
how can i make a customized error message for a wrong input of parameters?
let's say i have a parameter which requires user input of companyID and it should compose of all numbers only. if not followed an error message will be prompted to the user... "please enter numbers only..." or something like that...
please... just wondering if its possible...
View 2 Replies
View Related
Mar 18, 2008
Is it possible to display multivalue user input parameters within the report, so the user can see what he just entered in the parameters? I only can get the first or the second value within a textbox: (parameters!year.value(0) / parameters!year.value(1))
The desired output i want to achive is that the multiple selections are displayed within one text box:
Example:
Parameter Year: 2006,2007,2008
Any suggestions?
View 7 Replies
View Related
Dec 21, 2007
I want to do some error checking on the parameters found in a SQLDataSource before I run the insert. The problem is these are ControlParameters and I want to do this dynamically so I can't just call the Control.Text property and grab its value. So how can I get access to what the ControlParameter evaluates to?
Secondly, is there a way to access what the update parameters evaluate to in order to check them before they're inserted - if so how do I get access to these?
Here's an example of one of the data sources i'm using:<asp:SqlDataSource ID="sqlContact" runat="server" ConnectionString="<%$ ConnectionStrings:strConn %>"
SelectCommand="SELECT [ContactID], [FirstName], [LastName], , [Address], [Phone], [Grade], [Contacted], [ListServe] FROM [Contact]"
UpdateCommand="UPDATE Contact SET FirstName = @FirstName, LastName = @LastName, Email = @Email, Address = @Address, Phone = @Phone, Grade = @Grade WHERE ContactID = @ContactID"
DeleteCommand="DELETE FROM [Contact] WHERE ContactID = @ContactID"
InsertCommand="INSERT INTO [Contact] ([FirstName],[LastName],,[Address],[Phone],[Grade],[Contacted],[ListServe]) VALUES (@FirstName,@LastName,@Email,@Address,@Phone,@Grade,0,0)">
<UpdateParameters>
<asp:Parameter Name="FirstName" Type="String" />
<asp:Parameter Name="LastName" Type="String" />
<asp:Parameter Name="Email" Type="String" />
<asp:Parameter Name="Address" Type="String" />
<asp:Parameter Name="Phone" Type="String" />
<asp:Parameter Name="Grade" Type="String" />
</UpdateParameters>
<InsertParameters>
<asp:ControlParameter Name="FirstName" Type="String" ControlID="txtContactFirst" PropertyName="Text" />
<asp:ControlParameter Name="LastName" Type="String" ControlID="txtContactLast" PropertyName="Text" />
<asp:ControlParameter Name="Email" Type="String" ControlID="txtContactEmail" PropertyName="Text" />
<asp:ControlParameter Name="Address" Type="String" ControlID="txtContactAddress" PropertyName="Text" />
<asp:ControlParameter Name="Phone" Type="String" ControlID="txtContactPhone" PropertyName="Text" />
<asp:ControlParameter Name="Grade" Type="String" ControlID="ddlContactGrade" PropertyName="SelectedValue" />
</InsertParameters>
</asp:SqlDataSource>
An Event is fired when I click add on a button which looks similar to this:
//Add btnAddContact_Clickprotected void btnAddContact_Click(object sender, EventArgs e)
{
InsertRow(sqlContact);
}The InsertRow() function is then what i'm using to evaluate the values... So how can get the values those controlparameters actually are in order to evaluate them before I actually insert. Or is there a better way to do it?
View 4 Replies
View Related