Is it possible to allow user input via a Reporting Services Report? What I mean is could a report be created that would allow someone using the report to enter a number that would be written to the SQL database?
Hi, Just wondering if I could make sure that "hackers" don't tamper with my querystring - which is a parameter for a SQL query. i.e... Dim ListOfValues as string = request.querystring("listOfValues")
'Output would be this: 324234,5445,554654,45632,SQL command : Delete From table where product_id IN (@ListOfValues)
How can I validate it so that hackers can't add any characters other than 'numbers' and ' , ' to the sql parameter? I have tried to tryparse the 'ListOfValues ' as an integer - by replacing "," with "" but an integer overflow occured. Any questions or ideas? Thanks
I am new to ASP.NET so pordon me if my questions seems to be stupid.
I was given an assign to develop a ASP that would return results from a SQL server.
The problem is that part of my query to the SQL server comes from the webform
select a.invnum, a.invdate, a.duedate, a.invamt,a.payamt from vpshead a inner join vendors b on (a.vendnum = b.vendnum) where (a.vendnum = " & user.text & " ) and (b.vendpass = " & Pass.text & " ) and (a.payflag <> 'V') and ( (a.invamt <> 0) or (a.payamt <> 0) )and (a.chkno = '') order by a.invdate"
As your can tell I am using the user.text and Pass.text in my query which will come from the web form.
well here's a problem that I encountered, i got a textbox that is used to store the Date of Birth of a user. So when user keys in something, it is store as a string. However i wish to convert it into a datetime so that i can store it into my database. Anybody know of a way to help? i've tried countless methods but doesn't seem to work. Please give me a hand guys.... Thanks
Hello. I'm using SQL query analyzer to run some queries against anSQL2000 DB. Unfortunately, my previous SQL experience is some OralceSQL I took in school.To put it simply, I'm trying to write a query to pull records thatmatch a variable input. In Oracle, I'd use a substitution variablelike this...SELECT * FROM jobs WHERE jobid = &job_id_to_query;Is this possible under SQL2000? Is this only a feature of SQL*Plus?TIARich
I want to pull dates from my database that are between to set dates i have written a query that does this which looks like this: "SELECT OCH_ID, empno, Selected_OCD, Start_Time, End_Time, Selected_OCDay, Selected_DOM, Selected_Month, Selected_Year FROM dbo.ICT_On_Call_Hours WHERE (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) >= CONVERT (datetime, LEFT ('12/02/2007', 2) + '/' + SUBSTRING('12/02/2007', 4, 2) + '/' + RIGHT ('12/02/2007', 4))) AND (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) < CONVERT (datetime, LEFT ('14/02/2007', 2) + '/' + SUBSTRING('14/02/2007', 4, 2) + '/' + RIGHT ('14/02/2007', 4)))" This works when the dates are included in the statement but when i try and use parameters to pull them in like this: "SELECT OCH_ID, empno, Selected_OCD, Start_Time, End_Time, Selected_OCDay, Selected_DOM, Selected_Month, Selected_Year FROM dbo.ICT_On_Call_Hours WHERE (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) >= CONVERT (datetime, LEFT ('@Choice1', 2) + '/' + SUBSTRING('@Choice1', 4, 2) + '/' + RIGHT ('@Choice1', 4))) AND (CONVERT (datetime, LEFT (Selected_OCD, 2) + '/' + SUBSTRING(Selected_OCD, 4, 2) + '/' + RIGHT (Selected_OCD, 4)) < CONVERT (datetime, LEFT ('@Choice2', 2) + '/' + SUBSTRING('@Choice2', 4, 2) + '/' + RIGHT ('@Choice2', 4)))" I then recieve the following error message why is this? ERROR -------------------> Syntax error converting datetime from character string. Any Help would be greatly appreciated thanks
I have a search page that allows users to type/select values contined within the entry they're looking for. My SELECT statement returns columns in a table that get compared to the user input. So if someone selected Status (Open) then all of the 'Open' Request entries should populate the search page. How do I phrase the SELECT statement to compare values if the user gives them, but ignore the fields where no data was input when it's searching? So a search where no values were entered would return every Request Entry instead of an error; no entry. Thanks!
Hi folks, i am lookin for an option in the QA to take user input while executing a query. just like we do in SQLPLUS: SELECT * FROM dept WHERE deptno=$abc here it would ask me for the deptno. I guess it's a very handy feature and we could test our variables and calculations withing the procedures etc.
I would like to setup a query where the user is firstly prompted to input the information e.g. if they are trying to locate a particular person from a telephone database they would be prompted to enter the surname for that person.
I'm trying to do something simple that has turned out to be a frustrating problem. I have a field in my report that needs to be populated by user input. Based on this user input, I will use the field in a calculation. The simple solution to me, was to create a custom assembly that has a function that uses Console.Write("Input Data") and Console.readline() to assign the input to a string, and then return that string to the report. This works fine in a test console application, but when I copy and paste the code to my custom assembly, it returns #Error to the report. I've debugged, and found that when I hit F10 on Console.Write("test"); it skips right over it, and nothing happens. It also skips over Console.readline(); with nothing happening. This makes me unable to take the user input and set the textbox equal to that value.
Am I doing this completely wrong? Is there something I'm missing, or just not understanding correcly? It seems like reporting services has to have this option. I'd really appreciate some advice. Thanks!
I am sure this has been asked a thousand times before in a thousand different ways, but here goes...
I am in need of the ability to prompt users for a From Date and To Date to insert into a WHERE clause in SQL queries. What is the easiest least painful way of accomplishing this? A great many of our customers utilized SQL Server Express or MSDE, so they do not have the full gambit of SQL tools handy. Believe me when I say that I have searched high and low across the internet for this solution. I was hoping I might be able to accomplish this through VB Script or J Script. Or, anything reasonable.
Let's say I have a table with 3 fields: an ID field (primary key, set as an id field, etc.), a Name field (nvarchar50), and an Age field (int). I have a form that has three elements: DropDownList1: This drop down list contains 3 choices- "=", ">", and "<". Age: This text box is where someone would enter a number. Button1: This is the form's submit button. I want someone to be able to search the database for entries where the Age is either equal to ("="), greater than (">"), or less than ("<") whatever number they enter into TextBox1. The code-behind is shown below. The part I'm confused about is that if I load this page, the query works the -first- time. Then, if I try to change the parameters in the form and submit it, I get the following error: "The variable name '@Age' has already been declared. Variable names must be unique within a query batch or stored procedure." Any help would be appreciated. Here is what I'm using in my code behind: protected void Button1_Click(object sender, EventArgs e) { System.Text.StringBuilder sb = new System.Text.StringBuilder(); sb.Append("SELECT * FROM People WHERE Age "); switch (DropDownList1.SelectedValue) { case "=": sb.Append("= "); break; case ">": sb.Append("> "); break; case "<": sb.Append("< "); break; } sb.Append("@Age"); SqlDataSource1.SelectCommand = sb.ToString(); SqlDataSource1.SelectParameters.Add("Age", TypeCode.Int32, Age.Text); }
I know this is an easy one and I know I've read it somewhere, but I can't seem to write the correct format to run correctly. I am trying to build a SELECT statement base on the selected values of a dropdown list on a webform. The selected values will be part of the Table name.. ("client_info" & location_option.selecteditem.value) Can someone show me the correct syntax for adding a form variable into a SELECT statement? Thanks
I'm running asp.net on an XP machine with MSDE 2000 as the database. I want to create a user table with a userid and password. I have a second table that contains details about the user such as home address and phone number etc. When the user first signs up, I want their userid to go into the user table and the user detail table. In my SQL insert command, I can't get @userId to go into both tables. So my question is how do I get the userID to go into both tables or is there a better way of doing this altogether?
I have a problem selecting fields from a table where fields are equal to user input from a listbox. example listbox of zip codes: 33023[red]22300[/red]39844[red]29339[/red]23883[red]38228[/red] user wants to retreive highlight zip codes from database.connection working perfect.Thank you for your help.
hi , i am new to this. how should i update the user input values into sql server database? i am using asp.net and c# FIELDS are- userId, name, description, startTime, endTime, audiencePassword, presenterPassword
i know it must be simple...but i haven't worked on this before.
how can i make a customized error message for a wrong input of parameters?
let's say i have a parameter which requires user input of companyID and it should compose of all numbers only. if not followed an error message will be prompted to the user... "please enter numbers only..." or something like that...
Is it possible to display multivalue user input parameters within the report, so the user can see what he just entered in the parameters? I only can get the first or the second value within a textbox: (parameters!year.value(0) / parameters!year.value(1))
The desired output i want to achive is that the multiple selections are displayed within one text box:
In Access, I use [Enter Date] in the Criteria field of the Query. I tried the same thing in SQL Server in the Criteria field of the View and it does not recognize this. Is there a comparable command in SQL to get user input into the Criteria field of a view?
HiThe scenario:The price of products are determined by size.I have a Prices table that contains 3 columnsWidth Length and Price.User inputs their own width and length values as inWidth and inLength.It is unlikely that these values will exactly match existing lengths and widths in the price table.I need to take these User Input values and round them up to the nearest values found in the Prices table to pull the correct price.What is the most efficient way of achieving this?Thanks for your time.C# novice!
To allow users enter chinese character into table, I did try to change the field type to nchar and this is workable. But I have few hundred tables.. Is there anyway to change the setting in easier way? by instead change the field type one by one for each table?
I tried change the collation to Chinese_PRC_90_BIN for the database, but it is not support chinese input..
I'm using Cube.My DimDate tables Datekey is integer .But client wants a calendar to set date as you see in picture .how can I change calendar value which will be input by user.