Question Soap.ExecuteQuery Concatenate variable values

AussieBoy

Member
Joined
Sep 7, 2020
Messages
16
Programming Experience
Beginner
Hi, how do I concatenate the values into the second part of the statement?
I have tried a number of format attempts, but have had no luck.
Thanks,

Code:
retobj = MySoap.ExecuteQuery("INSERT INTO Data (Value1, Value2, Value3, Value4, Value5) VALUES (Value1, Value2, Value3, Value4, Value5)", obj, out limit);
 

jmcilhinney

C# Forum Moderator
Staff member
Joined
Apr 23, 2011
Messages
3,140
Location
Sydney, Australia
Programming Experience
10+
You've already asked the same question and been provided with an answer. A string is a string, no matter where it comes from or goes to. You already know how to combine values into a string.


That said, building SQL statements that way is not ideal and should generally be avoided in favour of using parameters. It's not clear whether that option is available here though. What type is MySoap, what is the signature of ExecuteQuery and are there any other overloads available? I did a quick search for the method name and it doesn't appear to be a standard .NET method.
 

AussieBoy

I wonder if I can concatenate the sql statement outside of the execute and then use it?
Thanks,
 

jmcilhinney

> I wonder if I can concatenate the sql statement outside of the execute and then use it?

Of course you can. It's a string. Like I said, a string is a string, regardless of where it comes from or where it goes to. All strings can be treated the same way no matter what else is going on around them. I showed you two ways to insert values in your other thread and either of them could be used in place here, or you could use them first and assign the result to a variable and then use that variable in your current code. It will be a string regardless, so you can use it where a string is expected.

That said, one of the reasons that string concatenation is discouraged when it comes to SQL code is because things like formatting and special characters matter. If you're going to use it, you'll need to make sure that all your values are delimited appropriately, formatted correctly and escaped if required.
 

Skydiver

Staff member
Joined
Apr 6, 2019
Messages
1,788
Location
Chesapeake, VA
Programming Experience
10+
I would also warn against exposing a web method (be it via SOAP or REST) that gives a user unfettered access to a database. Why do you even need this SOAP method to execute a database query? Why can't you connect to the database directly and execute commands against it? If the thought is that you don't want to expose a database naked to the internet, then why are you exposing a naked web method to the internet that can do anything on the database?
 

jmcilhinney

As @Skydiver suggests, if that is your own method then allowing the user to provide an arbitrary SQL statement and executing it is ludicrous. They could just truncate every table or anything else that your app has permission to do. If you want to be able to insert values into a specific table then you should have a method specifically for that. The parameters are the values and then the SQL is created inside the method, which means that you can then use ADO.NET parameters for greater security. You would have one method per operation per table. That may seem like a lot of work but if you're afraid of writing a few methods then software development is probably not your thing.
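
The "one method per operation per table" approach with ADO.NET parameters, as an added example that is not part of the original thread or any poster's code. It assumes the Microsoft.Data.Sqlite NuGet package with an in-memory database so it runs offline, and assumes TEXT columns for the `Data` table; `DataRepository` and `InsertData` are hypothetical names.

```csharp
// Added example: assumes the Microsoft.Data.Sqlite package; column types are assumed.
using System;
using System.Data.Common;
using Microsoft.Data.Sqlite;

static class DataRepository // hypothetical name
{
    // One method per operation per table: callers pass values, never SQL text.
    public static int InsertData(DbConnection conn, params string[] values)
    {
        if (values.Length != 5)
            throw new ArgumentException("Exactly five values are required.", nameof(values));

        using DbCommand cmd = conn.CreateCommand();
        // The statement is a constant; the values travel separately as parameters,
        // so quotes and other special characters are never parsed as SQL.
        cmd.CommandText =
            "INSERT INTO Data (Value1, Value2, Value3, Value4, Value5) " +
            "VALUES (@v1, @v2, @v3, @v4, @v5)";
        for (int i = 0; i < values.Length; i++)
        {
            DbParameter p = cmd.CreateParameter();
            p.ParameterName = "@v" + (i + 1);
            p.Value = (object)values[i] ?? DBNull.Value;
            cmd.Parameters.Add(p);
        }
        return cmd.ExecuteNonQuery(); // number of rows affected
    }
}

static class Program
{
    static void Main()
    {
        using var conn = new SqliteConnection("Data Source=:memory:");
        conn.Open();
        using (var ddl = conn.CreateCommand())
        {
            ddl.CommandText = "CREATE TABLE Data (Value1 TEXT, Value2 TEXT, Value3 TEXT, Value4 TEXT, Value5 TEXT)";
            ddl.ExecuteNonQuery();
        }
        // Constructed sample value: the apostrophe would end a concatenated string literal early.
        string name = "O'Brien";
        Console.WriteLine("Concatenated: ... VALUES ('" + name + "', ...)");
        Console.WriteLine("Rows inserted: " + DataRepository.InsertData(conn, name, "b", "c", "d", "e"));
        using var check = conn.CreateCommand();
        check.CommandText = "SELECT Value1 FROM Data";
        Console.WriteLine("Stored: " + check.ExecuteScalar());
    }
}
```

Because `InsertData` takes a `DbConnection`, the same method works with any ADO.NET provider; only the connection created in `Main` is SQLite-specific.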
 

AussieBoy

Hi, working on a network that is not and never will be connected to the internet.
Looks like it's not possible anyhow.
 

Sheepings

Senior Programmer
Staff member
Joined
Sep 5, 2018
Messages
1,518
Location
UK
Programming Experience
10+
Regardless if it will be connected to the net or not. That really isn't a good attitude to develop as a programmer.

That's a bit like saying: it's a nice day so I will go mow half of the lawn...

There are three ways to do things. The right way, the wrong way, and the way that has been the developer standard.

Your lesson will be learned when someone on your network decides to try executing their own commands just to see if it works. :LOL:
 

Skydiver

> Your lesson will be learned when someone on your network decides to try executing their own commands just to see if it works. :LOL:

Too true. Imagine my surprise when I successfully managed to do a simple HTML injection attack on my company's Information Security's web page that was promoting how to write secure software. I was not expecting it to succeed considering that the page was supposedly authored by people who do the security reviews of the software produced by the company.
 