
I work on an ASP.NET project (using serenity.is) and now have a problem with a database query:

// requires: using System.Data.SqlClient;  (SqlConnection / SqlCommand)
[HttpGet]
[Route("SimonTest/{id=0}/{obj=0}")]
public ActionResult SimonTest(int id, int obj)
{
    SqlConnection myConn = new SqlConnection(@"Server=(LocalDb)\MSSqlLocalDB;Integrated security=SSPI;database=Serene5_Default_v1");

    // skipped code building the following command:
    string command = "INSERT INTO [Serene5_Default_v1].[tcpdump].[Errors] (TimeStp,IdSource,IdDestination,PortSource,PortDestination,ToTheRight,ToTheLeft) VALUES ('11:2','11','1','1','1',1,1);";

    System.Diagnostics.Debug.WriteLine(command);
    SqlCommand myCommand2 = new SqlCommand(listDb, myConn);

    myCommand2.ExecuteNonQuery();

    System.Diagnostics.Debug.WriteLine("Commande exécutée");
    myCommand2.Dispose();

    myConn.Close();
    return View("~/Modules/Default/TcpDump/TcpDumpIndex.cshtml");
}

When I execute the query INSERT INTO ... with Microsoft SQL Server Management Studio, nothing goes wrong, but here the command seems to be skipped (no exception is raised and nothing is written to the database).

  • And where exactly do you assign the SQL to execute to your command object? What is listDb? Did you mean to use command when constructing the SqlCommand object? Commented Aug 16, 2017 at 8:33
  • command != listDb. No idea what the contents of the latter is, but that's what you're executing. Commented Aug 16, 2017 at 8:34
  • Ok damn.. Was right at the beginning, and I wrote a new command and forgot to make every change x) Commented Aug 16, 2017 at 8:36
  • I would like to point out that the "skipped code" that builds the SQL seems to insert values into it as well; you should use parameters, not concatenated SQL statements. Depending on where you get these values from, you might open yourself to SQL injection attacks. Commented Aug 16, 2017 at 8:38
  • If you pick the values from textboxes on the screen then I can write this: '; drop database x; select 1, ' and this will then be concatenated into your SQL and bye bye database. Most likely this particular query won't execute, but with some experimentation I should be able to either retrieve data you don't want me to or modify it. This bug is called SQL Injection - w3schools.com/sql/sql_injection.asp. Commented Aug 16, 2017 at 8:43

2 Answers


You forgot to assign the SQL text to the command (myCommand2.CommandText = command) before executing the query.


2 Comments

He does in fact assign SQL to the command, in the constructor; listDb is that SQL, but it is the wrong SQL (most likely).
@LasseV.Karlsen maybe the assignment of the command text to listDb is missing. And also it throws an exception when the SQL is wrong.

Maybe it's because the connection is not open; that's why it's not updating.

myConn.Open(); // Open() returns void, so it cannot be passed to the SqlCommand constructor
SqlCommand myCommand2 = new SqlCommand(listDb, myConn);

1 Comment

Good point, I deleted it in the post, but actually opened it in my code ^^
