I'm coding in Visual Fundamental. I'm utilizing a checkbox control. Now based on its checked property I have to set/unset a little column inside a SQL Server database. Here's the code:
Try conSQL.Open() Dim cmd As New SqlCommand("update Student set send_mail = " + _ sendemailCheckBox.Checked.ToString + " where student_id = '" _ + sidnolabel.Text + "'", conSQL) cmd.ExecuteNonQuery() Finally conSQL.Close() End Try
send_mail attribute is of bit datatype. This code isn't working.
How do you do it?
my boy is signed up for your school. His title is:
Robert') DROP TABLE STUDENT --
We call him up little Bobby Tables.
Generally, I personally use
SqlParameters with this, and you will specify a
Here is a good example of using sqlparameter what's best since it eliminates SQL injection.
EDIT: I simply observed you had been using
tinyint. unsure if this works.
To reply to your question, just assign a Boolean value (i.e.
sendemailCheckBox.Checked) towards the bit column within the database.
To assist you together with your SQL injection issues - don't directly write user input right into a SQL string. You have to use parameters to make sure that customers cannot wreck havoc on your database. Your code ought to be written such as this:
Using conSQL As New SqlConnection("SomeConnectionString") conSQL.Open() Using cm as SqlCommand = conSQL.CreateCommand() cm.CommandType = CommandType.Text cm.CommandText = 'UDPATE Student SET send_mail = @send_mail WHERE student_id = @student_id' cm.Parameters.AddWithValue("@send_mail", sendemailCheckBox.Checked) cm.Parameters.AddWithValue("@student_id", sidnolabel.Text) cm.ExecuteNonQuery() End Using End Using
First, within the title of all things sacred, a minimum of PARAMETERIZE your SQL code. Otherwise, you are asking for any SQL injection attack.
Second, the "bit" datatype uses 1 for True and for False. That is what SQL really wants to see when you are setting values.
Well bit data type is the same as boolean in C# or Visual Fundamental, so that you can simply assign true or false values to those types and may then update the record inside your database.