I'm writing a record from an asp.net page to SQL Server. After the insert
I'm selecting @@identity to return the ID of the record that I just wrote.
It worked fine until I typed a semicolon into one of the string fields to be
inserted. The string fields are inside single quotes in the INSERT command.
With the semicolon in the string, the record is written correctly including
the semicolon, but the identity is not returned. Without a semicolon in the
string, the identity is returned correctly. The code is below, any
suggestions would be appreciated. The field with the semicolon is
ContractNumber. Thanks.
lsSQL = "INSERT INTO tblVPContracts (NonContracted, ContractNumber, " _
    + "POReqNumber, ForInfoOnly, ImmediateActionReq, ModifiedBy) VALUES (" _
    + NonContracted.ToString + ", '" + tbContractNum.Text + "', '" _
    + TextBox1.Text + "', " + ForInfoOnly.ToString + ", " _
    + ImmediateAction.ToString + ", " + UserID.ToString + " )"
Dim MyCommand As SqlCommand = New SqlCommand(lsSQL, conn)
MyCommand.ExecuteNonQuery()
Dim sSelect As String = "SELECT @@IDENTITY as NewID"
Dim DataSet As New DataSet
Dim adapter As New SqlDataAdapter
adapter.SelectCommand = New SqlCommand(sSelect, conn)
adapter.Fill(DataSet, "Identity")
cookie.Values.Add("VPContractID", DataSet.Tables("Identity").Rows(0)(0))
If that Contract Number contained a single quote ('), then your sql
statement would fail. Look up "SQL Injection Attack".
So use Parameters to pass those values! See MSDN for details.
This might also solve your semicolon problem.
Second remark: instead of filling an entire dataset with that single
identity value, use ExecuteScalar (and cast the "object" result to an
integer). This will return just the first column in the first row of
the first resultset.
Hans Kesting
there are a lot of issues with your code:
@@IDENTITY returns the last identity assigned in the sql batch. your select
@@IDENTITY is in its own batch, so it returns null. you need to switch to
one batch.
@@identity does not return the correct value if a trigger is used which also
creates an identity. you should use scope_identity() instead.
your code allows sql injection, you should switch to parameters.
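string sql = @"set nocount on
INSERT INTO tblVPContracts (
    NonContracted, ContractNumber, POReqNumber,
    ForInfoOnly, ImmediateActionReq, ModifiedBy
)
VALUES (
    @NonContracted, @ContractNum, @textbox,
    @ForInfoOnly, @ImmediateAction, @userid
)
select scope_identity() as newid";
SqlCommand cmd = new SqlCommand(sql, conn);
// parameter names are passed as strings
cmd.Parameters.Add("@NonContracted", SqlDbType.Int, 0);
// .... (remaining parameters are added the same way)
// scope_identity() returns a numeric value, so convert it instead of casting to int
int newId = Convert.ToInt32(cmd.ExecuteScalar());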
-- bruce (sqlwork.com)
"Dan" <da**********@po.state.ct.us> wrote in message
news:ef****************@TK2MSFTNGP09.phx.gbl...
> I'm writing a record from an asp.net page to SQL Server. After the insert I'm selecting @@identity to return the ID of the record that I just wrote. It worked fine until I typed a semicolon into one of the string fields to be inserted. The string fields are inside single quotes in the INSERT command. With the semicolon in the string, the record is written correctly including the semicolon, but the identity is not returned. Without a semicolon in the string, the identity is returned correctly. The code is below, any suggestions would be appreciated. The field with the semicolon is ContractNumber. Thanks.
> lsSQL = "INSERT INTO tblVPContracts (NonContracted, ContractNumber, " _
>     + "POReqNumber, ForInfoOnly, ImmediateActionReq, ModifiedBy) VALUES (" _
>     + NonContracted.ToString + ", '" + tbContractNum.Text + "', '" _
>     + TextBox1.Text + "', " + ForInfoOnly.ToString + ", " _
>     + ImmediateAction.ToString + ", " + UserID.ToString + " )"
> Dim MyCommand As SqlCommand = New SqlCommand(lsSQL, conn)
> MyCommand.ExecuteNonQuery()
> Dim sSelect As String = "SELECT @@IDENTITY as NewID"
> Dim DataSet As New DataSet
> Dim adapter As New SqlDataAdapter
> adapter.SelectCommand = New SqlCommand(sSelect, conn)
> adapter.Fill(DataSet, "Identity")
> cookie.Values.Add("VPContractID", DataSet.Tables("Identity").Rows(0)(0))
Both of these suggestions were a big help.
Thanks
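
A VB.NET version of the fix the two replies describe, as an added example that is not code from any poster in this thread: all six values are passed as parameters, and the INSERT and SCOPE_IDENTITY() run in one batch that is read with ExecuteScalar. The module and function names, the Int and NVarChar(50) parameter types, and an already-open conn are assumptions.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module ContractInsertExample

    ' One batch: the INSERT and the SCOPE_IDENTITY() read share a scope, so an
    ' identity created by a trigger on another table is not what comes back.
    Private Const InsertSql As String = _
        "SET NOCOUNT ON; " & _
        "INSERT INTO tblVPContracts (NonContracted, ContractNumber, POReqNumber, " & _
        "ForInfoOnly, ImmediateActionReq, ModifiedBy) " & _
        "VALUES (@NonContracted, @ContractNumber, @POReqNumber, " & _
        "@ForInfoOnly, @ImmediateActionReq, @ModifiedBy); " & _
        "SELECT SCOPE_IDENTITY();"

    ' conn must already be open. Column types and sizes below are assumptions.
    Public Function InsertContract(ByVal conn As SqlConnection, _
                                   ByVal nonContracted As Integer, _
                                   ByVal contractNumber As String, _
                                   ByVal poReqNumber As String, _
                                   ByVal forInfoOnly As Integer, _
                                   ByVal immediateActionReq As Integer, _
                                   ByVal modifiedBy As Integer) As Integer
        Using cmd As New SqlCommand(InsertSql, conn)
            ' Values travel as typed parameters, never as SQL text, so quotes
            ' and semicolons typed into the text boxes are stored as plain data.
            cmd.Parameters.Add("@NonContracted", SqlDbType.Int).Value = nonContracted
            cmd.Parameters.Add("@ContractNumber", SqlDbType.NVarChar, 50).Value = contractNumber
            cmd.Parameters.Add("@POReqNumber", SqlDbType.NVarChar, 50).Value = poReqNumber
            cmd.Parameters.Add("@ForInfoOnly", SqlDbType.Int).Value = forInfoOnly
            cmd.Parameters.Add("@ImmediateActionReq", SqlDbType.Int).Value = immediateActionReq
            cmd.Parameters.Add("@ModifiedBy", SqlDbType.Int).Value = modifiedBy
            Dim result As Object = cmd.ExecuteScalar()
            If result Is Nothing OrElse result Is DBNull.Value Then
                Throw New InvalidOperationException("INSERT did not generate an identity value.")
            End If
            ' SCOPE_IDENTITY() is numeric(38,0), which ADO.NET returns as Decimal.
            Return Convert.ToInt32(result)
        End Using
    End Function

End Module
```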