Friday, February 24, 2012

checking the SELECT statement for an SqlDataAdapter

I'm trying to pass a querystring to an SqlDataAdapter object. To check if the query is a valid SELECT statement, I simply use a try-catch. But dispite the try-catch it still accepts valid INSERT statements. However, in the parameterlist of the SqlDataAdapter the required parameter is a Transact SQL SELECT statement or a stored procedure... Am I doing something wrong?
 Here is my code:
try{ my_conn = conn_open(); da =new SqlDataAdapter(query, my_conn); da.Fill(result.resultDataset); my_conn.Dispose();}catch (Exception e){ result.errMsg ="Database Error: " + e.Message; result.success =false;}
Kehil

Kehil:

However, in the parameterlist of the SqlDataAdapter the required parameter is a Transact SQL SELECT statement or a stored procedure... Am I doing something wrong?

How do you know the parameterlist makes the SqlDataAdapter accpets only SELECT statement or SP? Actually when you create a SqlDataAdapter with a SqlCommand, the SqlCommand is used as SqlDataAdapter.SelectCommand, but this does not mean the SqlCommand must be a SELECT statement. If you want to validate SqlDataAdapter.SelectCommand, you need to validate the SqlCommand.CommandText to make sure it doesn't cotain any words like INSERT (but if there is a column named "INSERT" returned by a SELECT query, the statement will also considered invalid). So, such validation seems to make no sense.

Posted by Russel at 2:13 AM
Labels: , , , , , , , , , , , , , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)