This content has been marked as final. Show 3 replies
971465 wrote:In addition to what Dennis has posted, it might also be worthwhile to do some research on SQL Injection.
I am having trouble updating a signal row in an Oracle Database 11g Express Edition Release 220.127.116.11.0 - 64bit
I am using VB.net. I can add a row easily so I know the connection is set properly
Imports Oracle.DataAccess.Client ' ODP.NET Oracle managed provider
Dim da As OracleDataAdapter = New OracleDataAdapter
Dim ds As New DataSet
Dim conn As New OracleConnection("Data Source=<machine name>")
Dim inc, maxrows As Integer
da.SelectCommand = New OracleCommand("Select * from projects Where Projects.ProjectName = " & "'" & ListBox1.Text & "'", conn)
If conn.State = ConnectionState.Closed Then conn.Open()
maxrows = ds.Tables("UpdateProject").Rows.Count
inc = 0
Catch ex As Exception
maxrows returns 1 row - which is the row I want to update.
I am assuming the "pointer is now sitting at the proper row"
I allow the user to update the description via a text box and the want to simply run a SQL update statement
SQLCmd = "Update projects SET ProjectDescription = " & "'" & TextBox5.Text & "'"
a.SelectCommand = New OracleCommand(SQLCmd, conn)
This code updates EVERY row in the DB.
Any help would be greatly appreciated
As it stands now the code you posted is open to SQL Injection attacks since you are just gluing text from the textbox into the SQL.
For example, given your sample code, what if a user types the following into the textbox:
What do you think will happen with the code as it currently is and is that what you really want to happen?
I'm also not quite sure why you are using a Select to perform an Update operation.