
SQL Text form help

bigmichaelful

I am trying to code a front-end for a SQL database in Visual Basic. I am having trouble writing a query that will take what is entered in a text box, and use it to search the database and return a list of all relevant items.

Dim entry As String = txtbxMANU.Text
Newreport("SELECT [Manufacturer] FROM [Instruments table] WHERE [Manufacturer] LIKE XXXXXX ")

I wish to query the database for a manufacturer and produce a list of all items made by them.

 

Any ideas on how I can do this? Is it simply a lack of knowledge of syntax or is there more to it?

 

Cheers guys

Mike

 


Never mind guys, figured it out, after 6 hours I figured it out 15 minutes after asking for help hahaha

 

If anyone is interested

Dim entry As String = "'%" & txtbxMANU.Text & "%'"
Newreport("SELECT * FROM [Instruments table] WHERE [Manufacturer] LIKE " & entry)

 

Hey just wanted to say, remember if this is to be released to anyone to watch out for exploit code :p 

My sql is a bit rusty, but what if someone entered in the following:

(delete [instruments table])

 

I don't know about VB, but usually there is a sql function that lets you parse user input for exploits....


Hey just wanted to say, remember if this is to be released to anyone to watch out for exploit code :P

My sql is a bit rusty, but what if someone entered in the following:

(delete [instruments table])

I don't know about VB, but usually there is a sql function that lets you parse user input for exploits.

You're absolutely right, it's open to SQL injection attacks. Ideally, using parameters rather than concatenated text to build the SQL should sort the exploit; failing that, a simple way to mitigate most of the problems would be to change the first line to the following

Dim entry As String = "'%" & txtbxMANU.Text.Replace("'", "''") & "%'"
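For anyone wanting the parameterised version suggested above, here is an added example (not code from the thread) that sends the text box value as a parameter instead of pasting it into the SQL string. It assumes an OLE DB connection (e.g. an Access file) and that the database accepts bracketed character lists in LIKE, which SQL Server and Jet/Access both do; the connection string and the module/function names are placeholders.

```vbnet
' Added example, not from the original post: parameterised manufacturer search.
' Assumes an OLE DB data source; change the provider/connection string as needed.
Imports System.Data
Imports System.Data.OleDb

Module ManufacturerSearch

    ' Escape LIKE wildcards so a user typing "100%" searches for a literal
    ' percent sign instead of "anything starting with 100".
    ' (Assumes the database understands [%], [_] and [[] in LIKE patterns.)
    Function EscapeLikePattern(ByVal text As String) As String
        Return text.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]")
    End Function

    Function FindByManufacturer(ByVal connectionString As String,
                                ByVal search As String) As DataTable
        Dim results As New DataTable()
        Using conn As New OleDbConnection(connectionString)
            ' "?" is the positional placeholder OLE DB uses. The pattern,
            ' wildcards included, travels as data, so a value such as
            ' ' OR 1=1 -- is just a literal string the query searches for.
            Dim sql As String =
                "SELECT * FROM [Instruments table] WHERE [Manufacturer] LIKE ?"
            Using cmd As New OleDbCommand(sql, conn)
                cmd.Parameters.Add("@pattern", OleDbType.VarWChar).Value =
                    "%" & EscapeLikePattern(search) & "%"
                conn.Open()
                Using reader As OleDbDataReader = cmd.ExecuteReader()
                    results.Load(reader)
                End Using
            End Using
        End Using
        Return results
    End Function

End Module
```

Call it as FindByManufacturer(connectionString, txtbxMANU.Text) and bind the returned DataTable to your grid; no quoting or Replace("'", "''") is needed because the value never becomes part of the SQL text.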
