<p>First off, concatenating a SQL statement based on input that the user can change, especially when stored as a string, is how SQL injection vulnerabilities are created. Don't be that guy.</p>
<p>As for tokenizing your query string, use named parameters. Assume this is your query string:</p>
<pre><code>?orderid=777&amp;phone=777-777-7777
Request.QueryString["orderid"]
</code></pre>
<p>would return '777' and</p>
<pre><code>Request.QueryString["phone"]
</code></pre>
<p>would return '777-777-7777'.</p>
<p>As for your SQL injection issue, you have a couple of options. One is a parameterized SQL statement, see the C# example here: <a href="http://rosettacode.org/wiki/Parametrized_SQL_statement" rel="nofollow">http://rosettacode.org/wiki/Parametrized_SQL_statement</a> or use a stored procedure with parameters. The least desirable but minimally acceptable option is to regex validate your input parameters strictly, especially killing characters like '=;% -- and a few others.</p>
<p>EDIT: now that I've had some time to work up a sample, check this out. This sample needs to be customized to your database, but it's working on my MySQL DB with a test table. You will need to install the <a href="http://dev.mysql.com/downloads/connector/net/" rel="nofollow">MySQLConnector</a> pack and add a project reference to 'MySql.Data' before the code will compile correctly.</p>
<pre><code>using System;
using System.Text.RegularExpressions;
using System.Web;
using MySql.Data.MySqlClient;

namespace WebApplication2
{
    public partial class _Default : System.Web.UI.Page
    {
        // Regex patterns for validating our data. Both are anchored with ^ and $
        // because Regex.IsMatch succeeds on any substring: an unanchored \d* would
        // match the empty string inside any input and so accept everything.
        private const string PHONEREGEX = @"^((\(\d{3}\))|(\d{3}-))\d{3}-\d{4}$";
        private const string ORDERNUMREGEX = @"^\d+$";

        protected void Page_Load(object sender, EventArgs e)
        {
            bool isValid = true;

            // Read phone from the querystring and validate that it was provided and
            // matches our pattern: digits with hyphens, or an area code in parentheses.
            string phone = Request.QueryString["phone"];
            if (!string.IsNullOrWhiteSpace(phone) &amp;&amp; Regex.IsMatch(phone, PHONEREGEX))
            {
                // HTML encode the value before output, to prevent any toxic markup.
                Response.Write(HttpUtility.HtmlEncode(string.Format("The phone number is {0}", phone)));
            }
            else
            {
                Response.Write("Phone number not provided.");
                isValid = false;
            }

            // Read the order number, check that it is digits only, then parse it into 'long order'.
            string orderStr = Request.QueryString["order"];
            long order = long.MinValue;
            if (!string.IsNullOrWhiteSpace(orderStr)
                &amp;&amp; Regex.IsMatch(orderStr, ORDERNUMREGEX)
                &amp;&amp; long.TryParse(orderStr, out order))
            {
                // Use 'long order' instead of orderStr from here on.
                Response.Write(HttpUtility.HtmlEncode(string.Format("The order number is {0}", order)));
            }
            else
            {
                Response.Write("Order number not provided.");
                isValid = false;
            }

            // If all arguments are valid, query the DB. The status comes from the
            // database, so it is encoded on output like the other values.
            if (isValid)
            {
                Response.Write(HttpUtility.HtmlEncode(GetOrderStatus(phone, order)));
            }
        }

        private static string GetOrderStatus(string phone, long order)
        {
            string status = "";

            // Connection string for MySQL; customize it to your needs.
            string connstring = "SERVER=&lt;YOUR MYSQL SERVER&gt;;DATABASE=&lt;YOUR DATABASE&gt;;UID=&lt;YOUR USER&gt;;PASSWORD=&lt;YOUR PASSWORD&gt;";

            // 'using' blocks make sure the connection, command and reader are always released when done.
            using (MySqlConnection conn = new MySqlConnection(connstring))
            using (MySqlCommand cmd = new MySqlCommand())
            {
                cmd.Connection = conn;
                cmd.CommandText = "SELECT `Order_Status` FROM `&lt;YOUR TABLE&gt;` WHERE `Order` = @order AND `Phone` = @phone";

                // Add parameters for your command. They fill in @order and @phone in the SQL
                // statement above; customize the types to match the columns in your database.
                cmd.Parameters.Add("order", MySqlDbType.Int64, 11).Value = order; // the @ sign is not needed in the parameter name
                cmd.Parameters.Add("phone", MySqlDbType.VarChar, 50).Value = phone;

                // Execute the command and read the results from the query.
                conn.Open();
                using (MySqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        status = reader.GetString("Order_Status");
                    }
                }
            }
            return status;
        }
    }
}
</code></pre>
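<p>The same validate-then-bind flow as an added example in Python (not code from the answer), so it runs without a MySQL server: it reuses the answer's phone and order-number patterns with <code>re.fullmatch</code>, which supplies the whole-string anchoring that <code>Regex.IsMatch</code> does not, and runs the parameterized lookup against a constructed in-memory SQLite table standing in for the answer's placeholder table.</p>

```python
import re
import sqlite3

# The answer's patterns, used with re.fullmatch so the whole value must match.
# Regex.IsMatch (like re.search) succeeds on any substring, so an unanchored
# digits-only pattern with * would accept every input: it matches the empty string.
PHONE_RE = re.compile(r"((\(\d{3}\))|(\d{3}-))\d{3}-\d{4}")
ORDER_RE = re.compile(r"\d+")  # \d+ not \d*: an empty order number is not valid


def validate(phone, order_str):
    """Mirror the Page_Load checks; return (ok, phone, order)."""
    if not phone or not PHONE_RE.fullmatch(phone):
        return False, None, None
    if not order_str or not ORDER_RE.fullmatch(order_str):
        return False, None, None
    return True, phone, int(order_str)


def make_db():
    """Constructed in-memory table standing in for the answer's placeholder table."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE orders ("Order" INTEGER, Phone TEXT, Order_Status TEXT)')
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?)", [
        (777, "777-777-7777", "shipped"),   # constructed sample rows
        (778, "(555)123-4567", "pending"),
    ])
    return conn


def get_order_status(conn, phone, order):
    """Parameterized lookup: values are bound by the driver, never spliced into the SQL."""
    sql = 'SELECT Order_Status FROM orders WHERE "Order" = ? AND Phone = ?'
    row = conn.execute(sql, (order, phone)).fetchone()
    return row[0] if row else ""  # empty string when no row, as in GetOrderStatus


def lookup(conn, query):
    """Handle a parsed query string (a dict) the way Page_Load does: validate, then bind."""
    ok, phone, order = validate(query.get("phone"), query.get("order"))
    if not ok:
        return "invalid input"
    return get_order_status(conn, phone, order)


def unanchored_accepts(order_str):
    """The original digits-only check as written: a substring search that never fails."""
    return re.search(r"\d*", order_str) is not None
```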