Comments on Sql server, .net and c# video tutorial: Sql injection prevention - Part 6

Wizard (2013-08-29):
When you fill the parameter with AddWithValue you end it with "%", but the stored procedure also adds a % at the end of the where clause.
Is it not enough to have the one in the stored procedure?

Anonymous (2013-09-23):
When converting the first query into a stored procedure and a parameterised query, where does the apostrophe (') that surrounded the textbox value go?
like '" + TextBox1.Text + "%'";

Secondly, is it necessary to duplicate the %? There is one in the stored procedure, but why do we still have to add another one in the AddWithValue() method?

Could anyone explain please?

Anonymous (2013-09-26):
How to create an advanced search using multiple textboxes and a dropdownlist?
Please help me out.

Anonymous (2014-12-15):
No need to add % twice.

Anonymous (2014-12-17):
Hello Venkat!

I tried to use a parameterized query but the parameters are not getting substituted with values. Should I include any special namespace for that?
I am providing the code below:

    using System.Data.SqlClient;   // namespace for SqlCommand / SqlDataReader

    string pqCommandString =
        "Select * from UsersTable where Username=@paramUsername and Password=@paramPassword";
    SqlCommand command = new SqlCommand(pqCommandString, connection);

    // Parameters are sent separately from the SQL text; the server never sees
    // the user input as part of the query, so no quoting is needed here.
    // Note: SqlDbType.NChar with size 10 truncates any value longer than 10 characters.
    command.Parameters.Add("@paramUsername", System.Data.SqlDbType.NChar, 10);
    command.Parameters["@paramUsername"].Value = UsernameTxtBox.Text;
    command.Parameters.Add("@paramPassword", System.Data.SqlDbType.NChar, 10);
    command.Parameters["@paramPassword"].Value = PasswordTxtBox.Text;

    connection.Open();
    using (SqlDataReader sqlDataReader = command.ExecuteReader())
    {
        if (sqlDataReader.HasRows)
        {
            ResultLabel.Text = "success";
        }
    }

Anonymous (2014-12-30):
Why are we adding % in ( TextBox1.Text + "%" )? Please explain.

Anonymous (2016-01-15):
For any other character: we look for the names that start with textbox1.text and finish with any other character.

Anonymous (2018-06-27):
1) select * from tbl where product like 'i%';
2) It's not necessary to add it in both places.