Geeks With Blogs
Phil Sando January 2010 Entries
Stopping SQL Injection Attacks
Make sure all queries are parameterised like this:

sql = ("select * from contacts where contactid = @id")
Dim cmd As SqlCommand = New SqlCommand(sql, conn)
cmd.Parameters.Add("@id", SqlDbType.VarChar)
cmd.Parameters("@id").Value = id

I also include a usercontrol which checks the querystring for bad terms. The list is long but this snippet should give you the gist of it:

Dim querystringvar As String = Request.QueryString.ToString
If InStr(querystringvar, "drop") Then Response.Redirect("/errors/... ......

Posted On Friday, January 29, 2010 12:39 PM

Working with SqlCommand Parameters

Here is the code you need to start adding parameters to your SQL commands:

Add parameter then add value:

Dim cmd As SqlCommand = New SqlCommand(s,c)
cmd.Parameters.Add("@id", SqlDbType.Int)
cmd.Parameters("@id").Value = foo


Add parameter with value:

command.Parameters.AddWithValue("@id", foo)
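
The two posts above rest on the same point: a value taken from the request has to reach the database as a bound parameter, never as SQL text, and a querystring blocklist is no substitute for that. The following is an added example, not code from Phil's posts. It uses Python's sqlite3 module (its `?` placeholders stand in for SqlCommand's `@id`) so that it runs stand-alone; the contacts table, the blocklist, the function names and the injection payload are all constructed for the demonstration.

```python
import sqlite3

# Constructed sample data (not from the original posts): a tiny contacts table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (contactid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO contacts VALUES (?, ?)",
        [(1, "alice"), (2, "bob"), (3, "carol")],
    )
    conn.commit()
    return conn


# Constructed blocklist in the spirit of the post's usercontrol (InStr for "drop").
# This version is case-insensitive, so it is more generous than a plain InStr.
BAD_TERMS = ("drop", "delete", "insert", "update")


def querystring_looks_bad(value):
    """Return True if the querystring value contains a blocklisted term."""
    lower = value.lower()
    return any(term in lower for term in BAD_TERMS)


def lookup_concatenated(conn, contact_id):
    """Vulnerable: the value is spliced into the SQL text, which is what the posts warn against."""
    sql = "select * from contacts where contactid = '" + contact_id + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, contact_id):
    """Safe: the value travels as a bound parameter (the post's cmd.Parameters pattern)."""
    sql = "select * from contacts where contactid = ?"
    return conn.execute(sql, (contact_id,)).fetchall()


def lookup_typed(conn, contact_id):
    """Safe and typed: binding the value as an integer mirrors SqlDbType.Int.

    Non-numeric input raises ValueError before any SQL is run.
    """
    return lookup_parameterised(conn, int(contact_id))


def demo():
    """Run the three lookups against a constructed injection payload and a legitimate id."""
    conn = make_db()
    # Constructed payload: contains no blocklisted term, so the InStr-style check passes it.
    payload = "1' OR '1'='1"
    try:
        lookup_typed(conn, payload)
        typed_rejected = False
    except ValueError:
        typed_rejected = True
    return {
        "blocklist_flags_payload": querystring_looks_bad(payload),
        "concatenated_rows": len(lookup_concatenated(conn, payload)),
        "parameterised_rows": len(lookup_parameterised(conn, payload)),
        "typed_rejected": typed_rejected,
        "parameterised_legit_rows": len(lookup_parameterised(conn, "2")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running demo() shows the payload slipping past the blocklist (it contains no "drop"), the concatenated query returning every row in the table, and the parameterised query returning none, because the whole string is compared as a value rather than interpreted as SQL; the typed lookup rejects it before a query is even built. One further note on the post's AddWithValue shortcut: it infers the parameter's SQL type from the .NET value, so declaring the type explicitly with Parameters.Add, as in the first snippet, is the safer habit when the column type matters.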

Posted On Wednesday, January 27, 2010 8:21 AM

Visual Studio 2008 SP1 / SQL Server 2008 Frustrations (The Solution)
The solution to the problem I was having in my post earlier this morning: A lurking instance of "Visual C# 2008" was installed on my machine and not updated to SP1 level. After replacing this with the current version (from and re-running the test, SQL server 2008 is now installing ok. A useful blog post from msdn on this subject can be found here: ......

Posted On Friday, January 22, 2010 1:49 AM

Visual Studio 2008 SP1 / SQL Server 2008 Frustrations
Well this morning I've been trying to mirror the office's development environment onto an offline laptop. Correct me if I am wrong, but version ".0.30729.1 SP" includes the service pack 1 update (don't get me started on the mission of creating a full version of the installer/downloader to run offline). So when I try to set up a new SQL Server 2008 instance why do I fail the test "Previous releases of Microsoft Visual Studio 2008" ... Most support web sites suggest re-installing SP1, which I have done ......

Posted On Friday, January 22, 2010 1:14 AM

Welcome ... I guess
My name is Phil, I'm from the UK. Currently I'm going through a career change, working in South Africa as a junior developer. For the most part I will be coding in VB rather than C#, as that is what the organisation I'm working for uses. My own background is in web publishing, content management and taxonomies, where I have around 10 years' experience working in London, Liverpool, New York and South Africa for many high-profile clients such as: Save the Children, Her Majesty's Court Service, The ......

Posted On Thursday, January 21, 2010 4:43 AM

Copyright © PhilSando