• [C#] Help with database
    18 replies, posted
Hey, sorry to bother you guys, but I have a quick question. I have created an application which, when you press a button, stores some information in a remote MySQL database. I've been using the MySql Connector/Net for it and really like it, but I don't like the fact that when other people want to run the programme, they must download the Connector/Net. Are there any other ways of doing this?
Can't you just package it with your app?
Couldn't you have done the same thing using only the .NET framework? You'll have to package it with your app otherwise. There's a no-installation version available.
Just set the dll file to Copy Local and you'll be fine. I use Connector/Net in a production webapp and all I do is upload it in the bin/ directory along with my app's dll
I'm very new to C#, can anyone point me in the direction of a good tutorial showing how to do this? Would be awesome.
[QUOTE=Saevus;26157417]I'm very new to C#, can anyone point me in the direction of a good tutorial showing how to do this? Would be awesome.[/QUOTE] [img]http://ahb.me/YF6[/img]
[QUOTE=pro ruby dev;26168909][img_thumb]http://ahb.me/YF6[/img_thumb][/QUOTE] Thanks man, helps a lot.

Edit: New problem, I just found out from my friend that people can hack it by doing something which I forgot. But this is the way I make connections to the database...

[code]
MySqlConnection connection = new MySqlConnection(MyConString);
MySqlCommand command = connection.CreateCommand();
MySqlDataReader Reader;
// loginName is concatenated straight into the SQL text
command.CommandText = "SELECT mycolumn FROM tablename WHERE loginname='" + loginName + "'";
connection.Open();
Reader = command.ExecuteReader();
while (Reader.Read())
{
    string thisrow = "";
    for (int i = 0; i < Reader.FieldCount; i++)
        thisrow += Reader.GetValue(i).ToString() + "";
    Ticks = int.Parse(thisrow);
}
connection.Close();
[/code]
Think about what'll happen if someone types ' OR '' = ' as their login name. Your "thisrow" string will end up being a concatenation of [i]everyone's[/i] records.
[QUOTE=Wyzard;26178403]Think about what'll happen if someone types ' OR '' = ' as their login name. Your "thisrow" string will end up being a concatenation of [i]everyone's[/i] records.[/QUOTE] Is there any way I can fix this?
Replicating [url=http://php.net/manual/en/function.mysql-real-escape-string.php]mysql_real_escape_string[/url] should do the trick.
[QUOTE=ZeekyHBomb;26179027]Replicating [url=http://php.net/manual/en/function.mysql-real-escape-string.php]mysql_real_escape_string[/url] should do the trick.[/QUOTE] OK, thanks a lot.

[editline]20th November 2010[/editline] I have no idea how to replicate that.
Search the string for the following chars: '\x00', '\n', '\r', '\\', '\'', '\"', '\x1a' and prepend a \ to each of them.
Er, OK, I'll give it a shot.
String escaping is error-prone and easy to overlook in places. It's better to use parameter binding to completely separate the SQL statement structure from the values of the parameters. I'm not familiar enough with .NET data access to be able to point to a good reference, but basically you'd write your query string like this: SELECT mycolumn FROM tablename WHERE loginname = ? and then provide the actual login name as a parameter when you [i]execute[/i] the command. Because the login name isn't actually part of the SQL string, it can't influence the meaning of the SQL string. This also has the benefit that you can create the command object once, and use it many times with different login names.
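The parameter-binding approach Wyzard describes, written out as an added C# example that is not from any post in this thread. It uses the MySql.Data (Connector/Net) classes already in use here, with the `@name` parameter prefix; the connection string is a placeholder, the table, column and `loginname` names are taken from the query posted above, and the `' OR '' = '` input is the test value Wyzard suggested. The first function only builds the concatenated SQL text so the effect of that input can be seen; the second is the bound-parameter replacement.

```csharp
using System;
using MySql.Data.MySqlClient;

// Added example: the same lookup built two ways. The concatenated form is
// shown only as a string so the injected clause is visible; the bound form
// is the one to use.
static class TicksLookup
{
    // Placeholder connection string (assumption; use your own).
    const string ConnString = "server=localhost;database=mydb;uid=app;pwd=secret;";

    // Vulnerable: the login name becomes part of the SQL text.
    // With the input  ' OR '' = '  the WHERE clause reads
    //   loginname='' OR '' = ''
    // which is true for every row.
    public static string BuildVulnerableSql(string loginName)
    {
        return "SELECT mycolumn FROM tablename WHERE loginname='" + loginName + "'";
    }

    // Safe: the SQL text is fixed at compile time; the value travels
    // separately as a parameter, so quotes in it are just characters.
    // Returns null when no row matches (or mycolumn is NULL).
    public static int? GetTicks(string loginName)
    {
        using (var connection = new MySqlConnection(ConnString))
        using (var command = connection.CreateCommand())
        {
            command.CommandText =
                "SELECT mycolumn FROM tablename WHERE loginname = @loginName";
            command.Parameters.AddWithValue("@loginName", loginName);

            connection.Open();
            object result = command.ExecuteScalar();   // first column of first row, or null
            if (result == null || result == DBNull.Value)
                return null;
            return Convert.ToInt32(result);
        }
    }

    static void Main()
    {
        const string probe = "' OR '' = '";

        // The concatenated query, with the probe spliced into it.
        Console.WriteLine(BuildVulnerableSql(probe));

        // The bound version looks for a user literally named  ' OR '' = '
        // and so returns null rather than every row's value.
        int? ticks = GetTicks(probe);
        Console.WriteLine(ticks.HasValue ? ticks.Value.ToString() : "no such login");
    }
}
```

`ExecuteScalar` replaces the reader loop in the posted code, which concatenated every returned row into one string before `int.Parse`; with a bound parameter only the matching row comes back, and a missing row is reported as null instead of a parse failure. Older Connector/Net releases used `?name` as the parameter prefix (as in the snippet posted later in this thread); current ones accept `@name`.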
No luck I'm afraid, can anyone show me an example of how they would do it, please?
[cpp]
String query = "Select * from Member where username=?uname";
MySqlCommand cmd = new MySqlCommand(query, conn);      // conn: an open MySqlConnection
cmd.Parameters.AddWithValue("?uname", TextBox1.Text);  // value is bound, never spliced into the SQL
MySqlDataReader print = cmd.ExecuteReader();
bool read = print.Read();
string password = print.GetString(2);
[/cpp]
This should look like that.
[QUOTE=pikzen;26180790][cpp]
String query = "Select * from Member where username=?uname";
MySqlCommand cmd = new MySqlCommand(query, conn);
cmd.Parameters.AddWithValue("?uname", TextBox1.Text);
MySqlDataReader print = cmd.ExecuteReader();
bool read = print.Read();
string password = print.GetString(2);
[/cpp] This should look like that.[/QUOTE] Thanks man, you're awesome.

[editline]20th November 2010[/editline] conn becomes underlined in red?
conn is a MySqlConnection object. Initialize it yourself. And read the debugger, it's always right.
I was about to have a fit over the not-using-parameters business. You really should be using parameters, don't bother with escaping.