Local server: From a table I retrieve data from a column 'highlights-varchar(400)'.
For editing I assign it to a variable named as 'v_highlights'. Then I want to update again in the same column 'highlights'. It works. So I publish it and upload to my remote server.

Now, with a remote server: It doesn't work. My code:

C#
string updateSqll = "UPDATE txfile SET highlights='" + v_highlights + "' WHERE  mem_id = " + v_mem_id1 + "  and reg_id = " + v_regid + " and noofitems='" + v_itemno + "'";


Can anyone clarify why this is so?

Regards.
Posted
Updated 5-Jul-13 7:38am
v2
Comments
[no name] 5-Jul-13 11:55am    
"why is it so", probably not just from seeing your SQL-Injection-attack-waiting-to-happen code. We would have no idea what "It doesn't work" means exactly.
Prasad Khandekar 5-Jul-13 11:59am    
Hello Rajendra,

And what's the error you get when you say it's not working? I also suggest you use SQLCommand with Parameters to avoid a possible SQL Injection attack.

Regards,
S.Rajendran from Coimbatore 5-Jul-13 12:05pm    
"It doesn't work" means it is not getting replaced. Further, I don't know what an injection attack is; I'm new to this term.
ZurdoDev 5-Jul-13 12:12pm    
If there is no error and it is not getting replaced that means that your where clause is returning no results.
S.Rajendran from Coimbatore 5-Jul-13 12:14pm    
No problem with where clause because it gets replaced well with local server.

1 solution

"It doesn't work" is not that helpful, but the lack of "it throws an exception with this message" implies that the update has succeeded as far as SQL is concerned. The most likely culprit is indeed that the remote database does not have any rows which exactly match your WHERE condition - even if your local one does.
The other possibility is that you are causing the problem yourself by concatenating strings to produce your SQL command, and causing an SQL Injection from the data you are trying to insert.
You may not know what SQL Injection is, but you damn well should - given that it can damage or destroy your database without any difficulty. Think about it: what happens if the data you retrieve from the local server contains a quote character? That terminates the highlights string as far as SQL is concerned, and the remainder of the data in the string is interpreted and executed as a command. Use parametrized queries at all times - never, ever concatenate strings to form SQL commands!
C#
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // @C1 and @C2 are placeholders; the values are sent to SQL Server separately
    // from the command text, so a quote inside them is never parsed as SQL.
    using (SqlCommand com = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con))
    {
        com.Parameters.AddWithValue("@C1", myValueForColumn1);
        com.Parameters.AddWithValue("@C2", myValueForColumn2);
        com.ExecuteNonQuery();
    }
}
 
Share this answer
 
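The question's UPDATE rewritten the way the answer recommends, as an added example that is not part of the original post or the answer's own code. It assumes the column types implied by the original concatenation (mem_id and reg_id numeric, noofitems a string, highlights varchar(400)) and uses ExecuteNonQuery's row count to tell "the WHERE clause matched nothing on this server" apart from a quoting problem.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example: parameterized version of the question's UPDATE txfile statement.
// Table and column names come from the question; the data types are assumptions
// drawn from how the original string was built (mem_id and reg_id were unquoted,
// noofitems was quoted, highlights is declared varchar(400)).
public static class HighlightsRepository
{
    public static int UpdateHighlights(string connectionString, string highlights,
                                       int memId, int regId, string itemNo)
    {
        const string sql =
            "UPDATE txfile SET highlights = @highlights " +
            "WHERE mem_id = @memId AND reg_id = @regId AND noofitems = @itemNo";

        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            // Typed parameters: each value travels separately from the SQL text,
            // so an apostrophe inside 'highlights' is stored as data, not parsed
            // as the end of a string literal. The 400 matches varchar(400).
            cmd.Parameters.Add("@highlights", SqlDbType.VarChar, 400).Value = highlights;
            cmd.Parameters.Add("@memId", SqlDbType.Int).Value = memId;
            cmd.Parameters.Add("@regId", SqlDbType.Int).Value = regId;
            cmd.Parameters.Add("@itemNo", SqlDbType.VarChar).Value = itemNo;

            con.Open();
            // ExecuteNonQuery returns how many rows the WHERE clause matched.
            // Zero means nothing was there to replace on this server.
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample value containing the quote character that would
        // have broken the concatenated command text.
        string highlights = "Member's highlights: 'Best seller' 2013";
        // "<connection string>" is a placeholder; supply the remote server's own.
        int rows = UpdateHighlights("<connection string>", highlights, 1, 1, "3");
        Console.WriteLine(rows == 0
            ? "No row matched mem_id/reg_id/noofitems here; compare the WHERE values against the remote data."
            : rows + " row(s) updated.");
    }
}
```

If the remote run reports zero rows, the cause is the WHERE values, exactly the diagnosis the answer gives; if it reports one or more rows, the earlier symptom was the quoting in the concatenated string.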

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900