Hi!
I've created my own table in the DB and use it to store form data. I've discovered some issues: sometimes the application crashes because of data entered in the form.
My SQL looks like this:
// xmlOutput (user-supplied form data) is concatenated straight into the SQL text
string sqlstr = "INSERT INTO EVENTREGISTEREDCUSTOMERS (Projektwebb, XML, Date) VALUES ('" + "FFF" + "', '" + xmlOutput + "', '" + DateTime.Now + "')";
umbraco.BusinessLogic.Application.SqlHelper.ExecuteNonQuery(sqlstr);
xmlOutput is a string with xml that holds the form values.
I noticed that if a user has entered a ' the query crashes. I solved this by removing all of them before the query.
Is there a better way to write the query to avoid this happening? Are there more "letters" to avoid?
froad,
you should be using parametrized queries instead of plain old SQL statements, which are not hack-safe...
// the SQL text is fixed; the values are passed as parameters (names aligned with your table's columns)
Application.SqlHelper.ExecuteNonQuery(
    "insert into eventregisteredcustomers (Projektwebb, XML, Date) values (@projektwebb, @xml, @date)",
    Application.SqlHelper.CreateParameter("@projektwebb", "FFF"),
    Application.SqlHelper.CreateParameter("@xml", xmlOutput),
    Application.SqlHelper.CreateParameter("@date", DateTime.Now));
(please do a syntax check, it's written off the top of my head)
Hope this helps.
Regards,
/Dirk
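The difference Dirk is pointing at, as an added example that is not from this thread or from Umbraco: a Python/SQLite stand-in for the two C# statements above. The table and column names follow the post; the inputs, the fixed timestamp and the helper names are constructed for the example. The concatenated version fails on a legitimate apostrophe and lets a crafted value rewrite the statement (here the attacker picks the Date column); the parameterized version stores both inputs verbatim, because the driver sends the values separately from the SQL text instead of escaping them. It also shows why stripping ' is a poor fix: it would silently turn O'Brien into OBrien.

```python
import sqlite3

# Constructed stand-in for the forum's EVENTREGISTEREDCUSTOMERS table (SQLite, in memory).
SCHEMA = "CREATE TABLE EVENTREGISTEREDCUSTOMERS (Projektwebb TEXT, XML TEXT, Date TEXT)"


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_concatenated(conn, xml_output, when):
    # Same shape as the original post: the user-controlled string is pasted into
    # the SQL text, so any ' in it changes the grammar of the statement.
    sqlstr = (
        "INSERT INTO EVENTREGISTEREDCUSTOMERS (Projektwebb, XML, Date) VALUES ('"
        + "FFF" + "', '" + xml_output + "', '" + when + "')"
    )
    conn.execute(sqlstr)


def insert_parameterized(conn, xml_output, when):
    # Same shape as Dirk's reply: the SQL text is a constant and the values are
    # bound by position; they are never parsed as SQL, so no escaping is needed.
    conn.execute(
        "INSERT INTO EVENTREGISTEREDCUSTOMERS (Projektwebb, XML, Date) VALUES (?, ?, ?)",
        ("FFF", xml_output, when),
    )


def run(insert_fn, xml_output, when="2009-01-01 12:00:00"):
    """Insert one row with the given strategy.

    Returns ("ok", [(XML, Date), ...]) or ("error", message) if the database
    rejected the statement, which is the "crash" from the original post.
    """
    conn = fresh_db()
    try:
        insert_fn(conn, xml_output, when)
    except sqlite3.Error as exc:
        return "error", str(exc)
    rows = conn.execute("SELECT XML, Date FROM EVENTREGISTEREDCUSTOMERS").fetchall()
    return "ok", rows


# Constructed inputs: what a form user might legitimately type, and what an attacker would.
APOSTROPHE = "<name>O'Brien</name>"
PAYLOAD = "x', 'attacker-chosen-date') --"


if __name__ == "__main__":
    for label, value in [("apostrophe", APOSTROPHE), ("payload", PAYLOAD)]:
        print(label, "concatenated: ", run(insert_concatenated, value))
        print(label, "parameterized:", run(insert_parameterized, value))
```

The concatenated insert errors on the apostrophe and stores ('x', 'attacker-chosen-date') for the payload, since the `--` comments out the rest of the statement; the parameterized insert stores both strings exactly as typed with the real timestamp. Which characters break a concatenated query also depends on the database (MySQL, unlike MSSQL, treats backslash as an escape character by default), which is one more reason to let the parameter API handle it rather than maintaining a list of "letters" to strip.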
Thx!
But does this automatically solve the problem with letters like ' in the form?
Yup, it should; that's what CreateParameter is for: it will unescape any special character such as the ' (quote) char.
Cheers,
Is that MySQL compatible?
I think that is specific to MSSQL..?
It should be, if you've configured it to use MySql, as the Application.SqlHelper property will then be the MySql implementation of the ISqlHelper interface.
(not an expert on MySql...)
Got it working :)
Creating a "safe" query