I should change all queries to use parameters to protect app from SQL injection.
Current insert sample which works is:
If Len(ExecuteQuery("INSERT INTO ICE_Order_Details(Order_ID, Product_ID, License_Type_ID, Maintenance_ID, Qty, Shareit_Running_No, Price, Total) VALUES(" & OrderID & ", " & ProductID & ", " & LicenseTypeID & ", " & MaintenanceID & ", " & Val(Request("QUANTITY")) & ", " & Val(Request("RUNNING_NO")) & ", " & Price & ", " & Price * Val(Request("QUANTITY")) & ")")) > 0 Then
'SendBadRequest "Could not run insert Order detail query"
Can you help me to write parametric query instead of this? I tried a lot of ways to do this but here is below last one.
Dim ConnString As New SqlConnection("Provider=SQLOLEDB.0;Data Source=something;Initial Catalog=something;Persist Security Info=True;User ID=something;Password=something")
Dim SqlString As String ="INSERT INTO ICE_Order_Details(Order_ID, Product_ID, License_Type_ID, Maintenance_ID, Qty, Shareit_Running_No, Price, Total) VALUES(@OrderID, @ProductID, @LicenseTypeID, @MaintenanceID, @Qty, @RunningNo, @Price, @Total)"
Using conn As New OleDbConnection(ConnString)
Using cmd As New OleDbCommand(SqlString, conn)
cmd.CommandType = CommandType.Text
cmd.Parameters.AddWithValue("@OrderID", OrderID)
cmd.Parameters.AddWithValue("@ProductID", ProductID)
cmd.Parameters.AddWithValue("@LicenseTypeID", LicenseTypeID)
cmd.Parameters.AddWithValue("@MaintenanceID", MaintenanceID)
cmd.Parameters.AddWithValue("@Qty", Val(Request("QUANTITY")))
cmd.Parameters.AddWithValue("@RunningNo", Val(Request("RUNNING_NO")))
cmd.Parameters.AddWithValue("@Price", Price)
cmd.Parameters.AddWithValue("@Total", Price * Val(Request("QUANTITY")))
conn.Open()
cmd.ExecuteNonQuery()
End Using
End Using
Edit: It still doesn't work. Here is my current code for adding parameters:
cmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = OrderId
cmd.Parameters.Add("@ProductID", SqlDbType.Int).Value = ProductID
cmd.Parameters.Add("@LicenseTypeID", SqlDbType.Int).Value = LicenseTypeID
cmd.Parameters.Add("@MaintenanceID", SqlDbType.Int).Value = MaintenanceID
cmd.Parameters.Add("@Qty", SqlDbType.Int).Value = Int32.Parse(Request("QUANTITY"))
cmd.Parameters.Add("@RunningNo", SqlDbType.Int).Value = Int32.Parse(Request("RUNNING_NO"))
cmd.Parameters.Add("@Price", SqlDbType.Money).Value = Money.Parse(Price)
cmd.Parameters.Add("@Total", SqlDbType.Money).Value = Money.Parse(Price * Int32.Parse(Request("QUANTITY")))
Edit: I changed my insert query to test only insert with parameters. But it don't work
Dim ConnString As String = ConfigurationManager.ConnectionStrings("DB_Connection_String0").ConnectionString
Dim SqlString As String ="INSERT INTO Unsubscribed(E-Mail) VALUES(@E-Mail)"
Using conn As New OleDbConnection(ConnString)
Using cmd As New OleDbCommand(SqlString, conn)
cmd.CommandType = CommandType.Text
cmd.Parameters.Add("@E-Mail", SqlDbType.nvarchar).Value = "[email protected]"
conn.Open()
cmd.ExecuteNonQuery()
End Using
End Using
here is error which i got (it marked 'As') if I change connection string it show error on next 'As' in code with same error message
Microsoft VBScript compilation error '800a0401'
Expected end of statement
/Test.asp, line 8
Dim ConnString As String = ConfigurationManager.ConnectionStrings("DB_Connection_String0").ConnectionString ---------------^
AddWithValuemethod. this method infers the data type of the parameter and can sometimes get it wrong. better use Add. i.ecmd.Parameters.Add("@OrderID", SqlDbType.Int).Value = OrderId- Zohar PeledValfunction. Use the static Parse (or TryParse) methods likeInt32.ParseandDecimal.Parse. - Bjørn-Roger Kringsjå