Bytes | Software Development & Data Engineering Community

How to show a message after successful insert

using System.Data;
using System.Data.SqlClient;

// Connection string with the server name, database, sa login and password hard-coded (see the reply below).
SqlConnection conn = new SqlConnection();
conn.ConnectionString = "Data Source=YADAV-12076F0A0;Initial Catalog=ganesh;User Id=sa;Password=server;";
conn.Open();
SqlCommand cmd = new SqlCommand();
cmd.Connection = conn;
cmd.CommandType = CommandType.Text;
// User input is concatenated straight into the SQL text, so it can change the statement (see the reply below).
cmd.CommandText = "insert into mlogin values ('" + txtuser.Text + "','" + txtpass.Text + "')";
// ExecuteReader on an INSERT: the statement runs, but there is no result set to read and nothing here tells the caller whether it succeeded.
SqlDataReader reader = cmd.ExecuteReader();
Oct 7 '10 #1
balabaster
I don't know where to start with all the things that are wrong with this code. I realize you're probably learning so don't take anything I say harshly. There's a lot to learn and it's an exciting path, you will get there, stick at it. Take everything I've got to say objectively, nothing I say is a personal attack on you.

Firstly and most importantly, *NEVER* post credential information on any website. It might seem like this information is irrelevant outside of the 4 walls of your university campus, but the information in your connection string could potentially be used against you. Never post the name of your server, database, username and password.

Next - any object you create an instance of that is disposable (i.e. it implements the interface IDisposable) should be disposed of after use. That means one of two things, either wrap your code using 'using' statements:

using (SqlConnection conn = new SqlConnection()) {
    /* Code here */
}
or you need to make sure your object is closed and disposed [Google for C# try catch finally]:

SqlConnection conn = null;
try
{
    conn = new SqlConnection();
    /* more code */
}
finally
{
    // conn stays null if the constructor threw, so guard before touching it
    if (conn != null)
    {
        if (conn.State != ConnectionState.Closed)
        {
            conn.Close();
        }
        conn.Dispose();
    }
}
At first you will not know every object that implements IDisposable, so to start with, you'll probably use trial and error, that's okay. Eventually you'll get up to speed with MSDN or some other document repository and you'll have this information at your finger tips.

Just a hint: SqlConnection, SqlCommand and SqlDataReader all implement IDisposable so they should all be treated this way.

Your code here demonstrates an ability to use what is known as SQL injection where I could end your query by putting some cleverly notated text into one of your fields and use it maliciously - for instance:

If in the password field I enter:

'); Drop table mlogin; --

Your query would be:

insert into mlogin values('',''); Drop table mlogin; --');

You will notice very quickly after this query is run that your mlogin table has disappeared, along with the ability of every one of your application's users to log in.

You will notice that I've replaced the end of your query with my own '); and added an extra piece to the query to drop your table. The close of your query has been commented out so that SQL will ignore it.

To mitigate this problem, whenever you create a command to insert into a database it should be parameterized:

cmd.CommandText = "insert into mlogin values(@username, @password)";
cmd.Parameters.AddWithValue("@username", txtuser.Text);
cmd.Parameters.AddWithValue("@password", txtpass.Text);
Further to this, if you are going to display information that is held in your database, you should always encode it before display to mitigate the possibility of malicious scripts being inserted into fields.

For instance, if I added a script into the text field and you rendered it, I could send a visitor to your website off to a malicious location, for instance, if I enter:

<script type="text/javascript">document.location.href="http://www.mymalicioussite.com";</script>
Into a field on your site that will be displayed to other users, then whenever that field is displayed, the visitor it was displayed to will be whisked away to mymalicioussite.com. [Google Cross Site Scripting, or XSS]. While you're investigating site security, look up XSRF; it's probably not important yet and you may not understand it quite yet, but that's important too. Cross Site Request Forgery. SQL Injection, Cross Site Scripting and Cross Site Request Forgery are the most often exploited attack vectors on websites. You should be aware of them and always make sure you take precautions to sanitize user inputs and handle them securely.

Last up, when you execute your command, which won't be executing a reader in the case of an insert, but a non-query, cmd.ExecuteNonQuery(), the return value is the number of rows that were affected. In the case of an insert, it will either be numeric or you'll get an exception. If you don't get an exception, the return value should always be 1. Consequently, if the value is 1, then you can display a message that the record was updated successfully.

You can display a message using the MessageBox.Show() method, you can find documentation for the MessageBox class on the MSDN website.

I won't put all these pieces together for you in a single code extract because I'm sure this is homework and as such I want to be sure you've read and understood everything I've written and can put it together yourself. I don't want your tutor thinking you've mastered something you don't understand.
Oct 7 '10 #2
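The pieces discussed in the reply above (disposing with using, a parameterized insert, ExecuteNonQuery's row count, and HTML-encoding stored text before display) assembled into one C# console program. This is an added example, not code from the original thread or from either poster. It assumes the connection string is read from an environment variable named MLOGIN_CONN so that no credentials sit in the source, that mlogin has two string columns of at most 50 and 100 characters, and it uses Console.WriteLine where a Windows Forms application would call MessageBox.Show. BuildUnsafeSql reproduces the question's string concatenation only to print what the injected text turns into; it is never sent to a server. Like the thread, it stores the password as typed; a real application would store a salted hash, which this thread does not cover.

```csharp
// Added example, not from the original thread. Requires System.Data.SqlClient
// (in-box on .NET Framework, or the NuGet package of the same name).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

static class LoginInsert
{
    // The vulnerable pattern from the question, kept only to show what the
    // concatenated text becomes. Never execute the returned string.
    public static string BuildUnsafeSql(string user, string pass)
    {
        return "insert into mlogin values ('" + user + "','" + pass + "')";
    }

    // Parameterized insert: the user's text is sent as parameter values, never
    // as part of the SQL text, so "'); Drop table mlogin; --" is stored as a
    // literal password and cannot alter the statement.
    // Returns the number of rows affected (1 on success).
    // Assumption: mlogin has two string columns of at most 50 and 100 chars.
    public static int InsertLogin(string connectionString, string user, string pass)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            cmd.CommandType = CommandType.Text;
            cmd.CommandText = "insert into mlogin values (@username, @password)";
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = user;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = pass;

            conn.Open();
            // An INSERT produces no result set, so ExecuteNonQuery, not
            // ExecuteReader; its return value is the affected row count.
            return cmd.ExecuteNonQuery();
        }
        // Both using blocks dispose (and so close) the objects even when an
        // exception is thrown, which replaces the manual try/finally.
    }

    // Encode stored text before rendering it so a <script> saved in a field
    // is displayed as text instead of being executed by the visitor's browser.
    public static string SafeForHtml(string stored)
    {
        return WebUtility.HtmlEncode(stored);
    }

    static void Main()
    {
        // The payload from the reply above, used as the "password" input.
        string payload = "'); Drop table mlogin; --";

        Console.WriteLine("Query the original concatenation would run:");
        Console.WriteLine(BuildUnsafeSql("", payload));

        // Assumption: connection string supplied via MLOGIN_CONN, not in source.
        string connectionString = Environment.GetEnvironmentVariable("MLOGIN_CONN");
        if (string.IsNullOrEmpty(connectionString))
        {
            Console.WriteLine("Set MLOGIN_CONN to run the parameterized insert.");
        }
        else
        {
            try
            {
                int rows = InsertLogin(connectionString, "alice", payload);
                // Stands in for MessageBox.Show in a Windows Forms application.
                Console.WriteLine(rows == 1
                    ? "Record inserted successfully."
                    : "Unexpected row count: " + rows);
            }
            catch (SqlException ex)
            {
                // Report the failure without echoing the SQL text or the input.
                Console.WriteLine("Insert failed: " + ex.Message);
            }
        }

        // The XSS payload from the reply, made safe for display.
        Console.WriteLine(SafeForHtml(
            "<script type=\"text/javascript\">document.location.href=\"http://www.mymalicioussite.com\";</script>"));
    }
}
```

Run it with MLOGIN_CONN unset to see only the injected query text and the encoded script; point MLOGIN_CONN at a throwaway test database to exercise the parameterized insert and confirm that the payload ends up stored as an ordinary string while the table survives.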
