Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Passing text to an access database

  • 31-01-2006 2:02pm
    #1
    Closed Accounts Posts: 181 ✭✭


    Hi,

    I am creating a web app in c# that contains a text box. I have created a button event that calls a sql command to insert whatever is in the text box into the access database. The datatype in the access database is of type "Text". I persumed this would be of type string? The code below compiles fine but causes a runtime error when I hit the button that calls the sql command.
    AccessDataSource1.SelectCommand = "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES (TextBox1.Text)";
    

    Funny enough the sql command works (kind of) when I use the following code
    AccessDataSource1.SelectCommand = "INSERT INTO Monthly_Backup_Table (General_Desc) VALUES ('TextBox1.Text')";
    

    It will insert TextBox1.Text into the access database but not the TextBox1.Text variable value.

    Can anybody give any suggestions on how I may get this working??


Comments

  • Registered Users, Registered Users 2 Posts: 2,082 ✭✭✭Tobias Greeshman


    C# won't interpolate the variables into a string like perl/php do so you'll have to split the string up.

    Eg.
    "INSERT .... (\'" + textbox1.text + "\')....


  • Registered Users, Registered Users 2 Posts: 4,003 ✭✭✭rsynnott


    Need I even say it, really?

    SQL INJECTION.


  • Closed Accounts Posts: 181 ✭✭deadfingers


    Thanks silas, that worked out for me.

    Ok rsynnott what way should I do it to avoid sql injection.


  • Registered Users, Registered Users 2 Posts: 4,003 ✭✭✭rsynnott


    Not being a .NET devotee, that I cannot answer without research. Go and read any basic database access tutorial for your platform.


  • Moderators, Society & Culture Moderators Posts: 9,689 Mod ✭✭✭✭stevenmu


    You need to validate the text in your text box to make sure it doesn't contain any sql commands which would be executed when you execute your own command. There's plenty of stuff around the net to show what things to check for.


    Ideally you'd use stored procedures instead of full sql commands, but access doesn't support them.


  • Advertisement
Advertisement