Wednesday, March 21, 2012

Passing a string[] into a class

Hi, I am trying to pass a string array (all of the values at the same time) into a class.

I am using this code to try to pass it into the class:

    string[] itemTitle;
    string[] itemNames;
    OdbcConnection userCheckCon = sqlconnect.Connect();
    OdbcCommand userCheck = new OdbcCommand("select Username from tbl_usr where Username = '" + uName + "'", userCheckCon);
    OdbcDataReader userRead = userCheck.ExecuteReader();
    int count = 0;
    while (userRead.Read())
    {
        if (userRead.HasRows && variablePass)
        {
            itemTitle[count] = "userName";
            itemNames[count] = uName;
        }
        else
        {
            itemTitle[count] = "userName";
            itemNames[count] = ("<span class='greenHigh'>" + uName + " is available </span>");
        }
        count++;
    }
    userRead.Close();
    userCheckCon.Close();
    //END XML
    xmlGen userC = new xmlGen();
    userC.xmlStart(writer);
    userC.addNode(writer, itemTitle[], itemNames[]);
    userC.xmlEnd(writer);

The problem is on the userC.addNode line, and this is the class I am trying to pass into it:
    using System.Xml;

    class xmlGen
    {
        // Writes one element per title/value pair; both arrays must be the same length.
        public XmlTextWriter addNode(XmlTextWriter writer, string[] itemTitle, string[] itemName)
        {
            for (int items = 0; items < itemTitle.Length; items++)
            {
                writer.WriteElementString(itemTitle[items], itemName[items]);
            }
            return writer;
        }
    }
 
Thanks
Dan 

Two problems.


1. Your string[] itemTitle needs a = new string[MaxRows], where MaxRows is an int. If you don't know the size until later in the code, you can always use a List<string> instead.

2. (and more importantly) Take out the []'s from userC.addNode(writer,itemTitle[],itemNames[]); It should be userC.addNode(writer,itemTitle,itemNames);


Hi,

Using an array of strings here is not recommended,

because we don't know the number of elements.

You must use the StringCollection class;

this is a dynamic array,

you can add and remove from it as you want,

so change your variable types as follows:

StringCollection itemTitle=new StringCollection ();

StringCollection itemNames=new StringCollection ();

Now, to add items to these collections use this:

    itemTitle.Add("your string");

and to iterate inside these collections use this:

    for (int i = 0; i < collection.Count; i++)
    {
        // your code here
    }

regards,


This code is also vulnerable to SQL injection.


Hi, thanks, I will give this all a go tonight.

And how is it vulnerable to SQL injection?


    OdbcCommand userCheck = new OdbcCommand("select Username from tbl_usr where Username = '" + uName + "'", userCheckCon);

If uName is like the query string or textbox text value, all I need to enter to return all the rows is anything' OR 'x'='x
 
Or If I want to get more malicious I can do a ' delete from Users --
 
Look into stored procedures if you want to solve this problem. 
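The answer above points to stored procedures; a parameterised OdbcCommand closes the same hole with less change to the code in the question. The following is an added example, not code from the thread, that rewrites the lookup with a ? placeholder and List<string>; it assumes the tbl_usr table, an already-open OdbcConnection (as returned by the question's sqlconnect.Connect()), and the xmlGen class with addNode(XmlTextWriter, string[], string[]) shown in the question.

```csharp
using System.Collections.Generic;
using System.Data.Odbc;
using System.Xml;

// Added example, not the poster's code. Assumes the tbl_usr/Username table from the
// thread, an open OdbcConnection, and the xmlGen class shown in the question.
static class UserCheck
{
    // Parameterised replacement for the concatenated query in the question. ODBC uses
    // positional '?' placeholders; the value is bound separately from the statement
    // text, so a quote inside uName cannot end the literal and is compared as data.
    static OdbcCommand SafeCommand(OdbcConnection con, string uName)
    {
        var cmd = new OdbcCommand("select Username from tbl_usr where Username = ?", con);
        // The parameter name is ignored by the ODBC provider; binding is by position.
        cmd.Parameters.AddWithValue("@uName", uName);
        return cmd;
    }

    // List<string> grows as rows arrive, so no array size has to be known up front
    // (the first answer's point about new string[MaxRows] versus List<string>).
    public static void CheckUser(XmlTextWriter writer, OdbcConnection con,
                                 string uName, bool variablePass)
    {
        var itemTitle = new List<string>();
        var itemNames = new List<string>();
        using (OdbcCommand cmd = SafeCommand(con, uName))
        using (OdbcDataReader reader = cmd.ExecuteReader())
        {
            // Same branch as the question: a matching row means the name is taken.
            bool taken = reader.HasRows;
            itemTitle.Add("userName");
            itemNames.Add(taken && variablePass ? uName : uName + " is available");
        }

        xmlGen userC = new xmlGen();
        userC.xmlStart(writer);
        // Pass the arrays themselves; itemTitle[] in an argument list is a syntax error.
        userC.addNode(writer, itemTitle.ToArray(), itemNames.ToArray());
        userC.xmlEnd(writer);
    }
}
```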
