To prevent SQL-injection attacks:
- never use string concatenation to build a SQL command;
- always use the SqlCommand class (or OleDbCommand class, etc.) with parameterized commands;
- if possible, consider using stored procedures.
These are some of the common answers in the ASP.NET forums.
All relational databases are vulnerable to SQL-injection attacks. The primary cause is Web applications that combine user input with dynamic SQL to form the commands the application sends to the database.
Bertrand LeRoy's article Please, please, please, learn about injection attacks! explains injection attacks in a lucid manner.
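As an added illustration (not code from the original post or from the linked article), here is the Northwind Employees query in VB.NET, restricted to a title typed by the user, first built by string concatenation and then with a SqlCommand parameter. The class name and the connection string are placeholders.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Class EmployeeLookup
    ' Placeholder connection string for this example: use a least-privilege login, not sa.
    Private Const ConString As String = "server=localhost;database=Northwind;Integrated Security=SSPI;"

    ' UNSAFE: the caller's text becomes part of the SQL itself. A quote character in
    ' the input ends the string literal early and the rest of the input is run as SQL.
    Public Shared Function GetEmployeesUnsafe(ByVal title As String) As DataSet
        Dim sqlStmt As String = _
            "SELECT LastName FROM Employees WHERE Title = '" & title & "' ORDER BY LastName"
        Dim da As New SqlDataAdapter(sqlStmt, ConString)
        Dim ds As New DataSet()
        da.Fill(ds, "Employees")
        Return ds
    End Function

    ' SAFE: the same query with @Title bound as a parameter. The command text is fixed
    ' at compile time and the value is sent separately, typed as nvarchar(30) like the
    ' Employees.Title column, so the server never interprets it as SQL.
    Public Shared Function GetEmployees(ByVal title As String) As DataSet
        Dim con As New SqlConnection(ConString)
        Dim cmd As New SqlCommand( _
            "SELECT LastName FROM Employees WHERE Title = @Title ORDER BY LastName", con)
        cmd.Parameters.Add("@Title", SqlDbType.NVarChar, 30).Value = title
        Dim da As New SqlDataAdapter(cmd)
        Dim ds As New DataSet()
        da.Fill(ds, "Employees") ' Fill opens and closes the connection itself
        Return ds
    End Function
End Class
```

Both functions return the same rows for ordinary input; only the parameterized one keeps returning rows that match the title literally when the input contains quote characters.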
One of the most common questions: if a DataList displays the data as

| Title | LastName |
| --- | --- |
| Inside Sales Coordinator | Callahan |
| Sales Manager | Buchanan |
| Sales Representative | Suyama |
| Sales Representative | King |
| Sales Representative | Davolio |
| Sales Representative | Leverling |
| Sales Representative | Peacock |
| Sales Representative | Dodsworth |
| Vice President, Sales | Fuller |

how do you display the result so that Sales Manager, Sales Representative, etc. appear only once?

| Title | LastName |
| --- | --- |
| Inside Sales Coordinator | Callahan |
| Sales Manager | Buchanan |
| Sales Representative | Suyama |
| | King |
| | Davolio |
| | Leverling |
| | Peacock |
| | Dodsworth |
| Vice President, Sales | Fuller |
Here goes the code
HTML Source
<asp:DataList id="DataList1" runat="server">
<HeaderTemplate>
<table width="100%">
</HeaderTemplate>
<ItemTemplate>
<tr>
<td>
<asp:Label Runat="server" ID="lblTitle"
Text='<%# DataBinder.Eval(Container.DataItem, "Title") %>'>
</asp:Label>
</td>
<td>
<asp:Label Runat="server" ID="lblLastName"
Text='<%# DataBinder.Eval(Container.DataItem, "LastName") %>'>
</asp:Label>
</td>
</tr>
</ItemTemplate>
<FooterTemplate>
</table>
</FooterTemplate>
</asp:DataList>
Code Behind
Imports System.Data
Imports System.Data.SqlClient

Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles MyBase.Load
    If Not Page.IsPostBack Then
        BindTitle()
    End If
End Sub

Sub BindTitle()
    Dim ds As New DataSet()
    ' Sorting by Title is what lets ItemDataBound detect repeats by comparing neighbouring rows
    Dim sqlStmt As String = "SELECT * FROM Employees ORDER BY Title"
    ' Sample connection string from the post; a real site should use a least-privilege login
    Dim conString As String = "server=localhost;database=Northwind;uid=sa;pwd=;"
    Dim myda As SqlDataAdapter = New SqlDataAdapter(sqlStmt, conString)
    myda.Fill(ds, "Table")
    DataList1.DataSource = ds
    DataList1.DataBind()
End Sub

Private Sub DataList1_ItemDataBound(ByVal sender As Object, _
    ByVal e As System.Web.UI.WebControls.DataListItemEventArgs) Handles DataList1.ItemDataBound
    If e.Item.ItemType = ListItemType.AlternatingItem Or e.Item.ItemType = ListItemType.Item Then
        Dim strval As String = CType(e.Item.FindControl("lblTitle"), Label).Text
        ' The title rendered for the previous item is carried over to this one
        Dim title As String = CStr(ViewState("title"))
        If title = strval Then
            ' Same title as the row above: blank the title but keep the row (and its LastName) visible
            CType(e.Item.FindControl("lblTitle"), Label).Text = ""
        Else
            title = strval
            ViewState("title") = title
            CType(e.Item.FindControl("lblTitle"), Label).Text = title
        End If
    End If
End Sub
Two other similar pieces of code can be found at:
Customizing the data
Display Alphabetically Sorted Data in a DataGrid
Imports System.Globalization
'Enter any date in MDY format (parsed with an explicit pattern so the server's culture does not matter)
Dim dtNow As DateTime = Date.ParseExact("04/25/2004", "MM/dd/yyyy", CultureInfo.InvariantCulture)
Dim nowdayofweek As Integer = CInt(dtNow.DayOfWeek)
Dim weekStartDate, weekEndDate As DateTime
'Sunday is day 0, so stepping back by the day-of-week gives the Sunday that starts the week
weekStartDate = DateAdd("d", 0 - nowdayofweek, dtNow)
weekEndDate = DateAdd("d", 6 - nowdayofweek, dtNow)
'Displays first day of the week
Response.Write(weekStartDate.ToString("MM/dd/yyyy"))
'Displays last day of the week
Response.Write("<BR>" & weekEndDate.ToString("MM/dd/yyyy"))