How to update SQL field? 

How can I get txtbox.text into the "LastName" field of the
Employee record?  Do I then execute the SQL UPDATE command
with ExecuteNonQuery?


Mon, 28 Nov 2005 23:23:36 GMT  

Define your SQL statement first; something like:
  "UPDATE <table> SET LastName = '" & <text> & "'"

Then execute it using the connection execute method (I
think).  It's somewhere in the connection object.

Have fun.
Richard



Tue, 29 Nov 2005 04:24:53 GMT  
Hi,

This way of updating a value is very dangerous, since it is a way to *inject*
some vulnerable SQL statement inside your UPDATE statement. I would suggest
using a Command object with a parameter to do the update (see code below).
Otherwise I could type the following text into the TextBox control:

'; DELETE FROM AnyTable --

and I will get this kind of SQL statement:

UPDATE <table> SET LastName = ''; DELETE FROM AnyTable --

It will allow me to delete all information from any table. I could also specify
a more dangerous SQL statement here, like SELECT * FROM CreditCardTable, and I
will get all information about users and their credit card accounts. This is
how hackers crack your application to steal information.
The next code is longer, but it is more reliable and actually works faster:

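' Parameterized UPDATE: the text box value is sent as data, not as SQL text
lcSQL = "UPDATE <table> SET LastName = ?"
Set loCommand.ActiveConnection = loConnection
loCommand.CommandText = lcSQL
loCommand.CommandType = adCmdText
' The first line of this call is missing from the post; the parameter name "LastName" is assumed
loCommand.Parameters.Append(loCommand.CreateParameter("LastName", _
    adVarChar, adParamInput, 10, TextBox1.Text))
loCommand.Execute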

--
Val Mazur
Microsoft MVP





Tue, 29 Nov 2005 19:52:35 GMT  
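
The difference between the concatenated UPDATE and the parameterized one, as an added example that is not part of the original thread. It uses Python's sqlite3 with an in-memory database instead of ADO; the Employee/AnyTable schema, the sample rows, the WHERE Id clause and the function names are assumptions, and executescript() stands in for a driver that accepts several statements in one command string.

```python
import sqlite3

PAYLOAD = "'; DELETE FROM AnyTable --"  # the text box input quoted in the post

def make_db():
    """In-memory database with constructed sample rows (schema is assumed)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Employee (Id INTEGER PRIMARY KEY, LastName TEXT);
        CREATE TABLE AnyTable (Id INTEGER PRIMARY KEY, Data TEXT);
        INSERT INTO Employee (LastName) VALUES ('Smith'), ('Jones');
        INSERT INTO AnyTable (Data) VALUES ('a'), ('b'), ('c');
    """)
    return db

def update_concatenated(db, emp_id, text):
    """Vulnerable: the input is pasted into the SQL text, as in the first reply."""
    sql = ("UPDATE Employee SET LastName = '" + text +
           "' WHERE Id = " + str(int(emp_id)))
    db.executescript(sql)  # runs every statement found in the string
    return sql

def update_parameterized(db, emp_id, text):
    """Hardened: the SQL text is fixed and the input travels as a bound value."""
    db.execute("UPDATE Employee SET LastName = ? WHERE Id = ?", (text, emp_id))
    db.commit()

def snapshot(db):
    """Return (all last names ordered by Id, number of rows left in AnyTable)."""
    names = [r[0] for r in db.execute("SELECT LastName FROM Employee ORDER BY Id")]
    return names, db.execute("SELECT COUNT(*) FROM AnyTable").fetchone()[0]

if __name__ == "__main__":
    db = make_db()
    print(update_concatenated(db, 1, PAYLOAD))
    print("concatenated :", snapshot(db))   # WHERE commented out, AnyTable emptied
    db = make_db()
    update_parameterized(db, 1, PAYLOAD)
    print("parameterized:", snapshot(db))   # payload stored as an ordinary string
    try:
        update_concatenated(db, 2, "O'Brien")  # a legitimate name also breaks it
    except sqlite3.OperationalError as exc:
        print("concatenated with O'Brien:", exc)
    update_parameterized(db, 2, "O'Brien")
    print("parameterized:", snapshot(db))
```

With the concatenated form the trailing `--` also comments out the WHERE clause, so every Employee row is overwritten in addition to AnyTable being emptied.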
 