ansaurus

Question

Integer variable is acquiring a string value of "ad" somewhere along the line, can anyone see where?

Answer 1

+3 A:

When you construct the query to the table departmentsgroupings, you're changing the value of sql, but you aren't creating a new SqlCommand. This means that cmd still contains the old SQL statement (the query to the Modules table) which, when executed, returns "ad".

To fix this, change your code as follows:

sql = ("select departmentsid from departmentsgroupings where groupingid =" & pageid & "")
Set cmd = New SqlCommand(sql, conn)    
did = (cmd.ExecuteScalar)

You may have expected the change you made to sql to get passed on automatically to the SqlCommand -- but it doesn't work that way.

Edit: Your code, as written, is vulnerable to SQL injection attacks. If you don't know what these are, you need to read the first answer to this:

http://stackoverflow.com/questions/332365/xkcd-sql-injection-please-explain

To protect yourself against these kinds of attacks, use parameterized queries.

Martin B 2010-01-29 08:43:20

Thanks a lot Martin, I'll edit and put your advise into practice now.

Phil 2010-01-29 08:59:03

BTW, i have a sqlinjection stopper, which comes from a usercontrol. It basically grabs the querystring on page init, and if it contains any bad words like select, drop, etc the user is redirected to 504.aspx before hitting this code. Would that work as prevention?

Phil 2010-01-29 09:00:59

That sounds like it would Phil, be its still good practice to use parameterized queries anyway. So if you have the time i would recommend the rewrite.

kevchadders 2010-01-29 09:09:39

Thanks Kev, ill look into this as a priority!

Phil 2010-01-29 09:10:55

Answer 2

A:

The mistake is in these lines:

sql = ("select departmentsid from departmentsgroupings where groupingid =" & pageid & "")
did = (cmd.ExecuteScalar)     <---- Wrong command executed here.

You presumably meant to execute the code in sql, not cmd again.

Tom Smith 2010-01-29 08:43:40

`sql` is a `String`. A string doesn't have an `ExecuteScalar` method. The problem is that the OP needed to create a new `SqlCommand`.

Martin B 2010-01-29 08:45:48

OK, corrected so it makes sense. Your answer is more useful though.

Tom Smith 2010-01-29 08:47:12

Hi There, Thanks for the comment - My compiler is now stopping at result = (cmd.ExecuteScalar)In your comment you say strings do not have executescalar method. Can you recommend an alternative way of writing this line?Cheers,Phil.

Phil 2010-01-29 09:18:58

Answer 3

A:

Looking at your SQL run (below)

Dim sql As String = ("select modules.templatefilename from modules, grouping where grouping.moduleid = modules.id and grouping.id = " & pageid & "")

You are selecting the templatefilename.

Furthur down you are then doing a scalar on the results of that SQL, which looking at it will return the templatefilename, which will be a string.

Also you delcared result is a string, which is also wrong.

result = (cmd.ExecuteScalar)

This is incorrect, as you will be doing a Scalar on a string. You need to pass the new piece of SQL to the cmd, and re-create a new SqlCommand object off that sql.

kevchadders 2010-01-29 08:47:17

ansaurus

tags:

views:

answers:

Integer variable is acquiring a string value of "ad" somewhere along the line, can anyone see where?

related questions