This code can be injected, which leads to a security risk, since the user can add SQL code to the connection string directly. Instead, use the SqlParameter class to pass parameters to whatever query you want to do.

On Tue, Jul 14, 2009 at 10:17 PM, Neo <[email protected]> wrote:
>
> Instead of doing
>
> Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
> Source=mydatabase; Initial Catalog=home;User
> i...@username;passwo...@password"
>
> Do
>
> Dim UserName, Password As String
> ........
> fill in the UserName and Password from UI or whatever source
> ........
> Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
> Source=mydatabase; Initial Catalog=home;User Id=" & UserName &
> ";Password=" & Password
>
> Note: Connection strings must NOT be initialized in your code; they
> should be in a config file, and your code should load the connection
> string from the config file using the ConfigurationManager class. If you
> are using ASP.NET then your connection string should be in web.config, and
> if you are using a Windows app then it should be in the App.config file
> (this is the general rule, but you can load the connection string from any
> config file other than these).
>
> And thanks Cerebrus for inviting me in your group :) .
>
>
> On Jun 2, 6:53 am, jt_2009 <[email protected]> wrote:
> > Hello
> >
> > It's me again. Sorry Cerebrus.....I unknowingly typed Cerberus
> > instead. And Mike that was funny.
> >
> > Anyway just an update, I've managed to get a connection going - I
> > moved the project folder to a local drive (it was being worked on an
> > intranet drive previously - which was the main issue I think)
> >
> > Anyway I would like to place some parameters now in my connection
> > string. Would the following actually work?
> >
> > Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
> > Source=mydatabase; Initial Catalog=home;User
> > i...@username;passwo...@password"
> >
> > thank you.
> >
> > On May 30, 2:36 am, Cerebrus <[email protected]> wrote:
> >
> > > Very funny, Mike !! ROFL...MAO. ;-)
> >
> > > On May 29, 2:47 pm, Mike Fry <[email protected]> wrote:
> >
> > > > Cerebrus wrote:
> > > > > ... and by the way, it's "Cerebrus". :P
> >
> > > > I know, but I think Cerberus suits you better as a moniker. Guarding the
> > > > underworld that is .NET
> >
> > > > --
> > > > Regards,
> > > > Mike Fry
> > > > Johannesburg.

--
Akram Mellice
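
The risk and the two recommendations in this thread, shown side by side as an added example (not code posted by anyone in the thread). It assumes a switch from the thread's SQLOledb provider to System.Data.SqlClient, whose SqlConnectionStringBuilder and SqlParameter classes are used; the Users table, its columns, and the sample credentials are hypothetical.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Module ConnectionStringDemo
    ' baseCs holds only server and database. In an application it would be loaded
    ' from web.config/App.config with ConfigurationManager, as the thread advises.
    Function BuildConnectionString(baseCs As String, userName As String,
                                   password As String) As String
        Dim builder As New SqlConnectionStringBuilder(baseCs)
        ' The builder quotes each value, so a ";" or "=" typed by the user stays
        ' inside the User ID / Password value and cannot start a new keyword.
        builder.UserID = userName
        builder.Password = password
        Return builder.ConnectionString
    End Function

    ' Query values travel as SqlParameter objects and never become SQL text.
    ' Needs a reachable server, so Main below does not call it.
    Function FindUserId(cs As String, loginName As String) As Object
        Using conn As New SqlConnection(cs)
            Using cmd As New SqlCommand(
                "SELECT Id FROM Users WHERE LoginName = @login", conn)
                cmd.Parameters.Add("@login", SqlDbType.NVarChar, 64).Value = loginName
                conn.Open()
                Return cmd.ExecuteScalar()
            End Using
        End Using
    End Function

    Sub Main()
        Dim baseCs As String = "Data Source=mydatabase;Initial Catalog=home"
        ' Constructed sample input: a password value that contains a semicolon.
        Dim userName As String = "jt"
        Dim password As String = "secret;Initial Catalog=other"

        ' Concatenation as in the thread: the semicolon ends the Password value
        ' and the remainder is parsed as a separate keyword/value pair.
        Dim concatenated As String = baseCs & ";User Id=" & userName &
            ";Password=" & password
        Console.WriteLine("Concatenated: " & concatenated)

        ' Builder: the same input remains a single, quoted Password value.
        Console.WriteLine("Builder:      " &
            BuildConnectionString(baseCs, userName, password))
    End Sub
End Module
```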
