ID: 3694762 • Letter: 1
Question
1- What does ADO.NET stand for?
----------------------------------------
2- ASP.NET uses the executeReader and the executeNonQuery method calls to execute SQL statements. What is the difference between the two method calls? As always, you must provide a clear and complete answer.
----------------------------------------
3-5. In the following 3 questions, use the Employees table presented in the lecture slides and use the following C# code.
SqlCommand cmd = new SqlCommand(
"SELECT * FROM Employees WHERE LastName='" + lastName.Text + "'",
connection);
----------------------------------------
3- As an end-user evil-doer, what SQL injection code can you enter into the lastName text box so that all the table’s rows get deleted, but the table itself does not get deleted? In your answer, you must not use a WHERE clause.
----------------------------------------
4- As an end-user evil-doer, what SQL injection code can you enter into the lastName text box so that all the table’s rows get deleted, but the table itself does not get deleted? In your answer, you must use a WHERE clause where you compare EmpId to *.
----------------------------------------
5- How can you use parameterization to prevent SQL injection attacks on the SELECT statement shown above? Specifically, provide two statements that replace the assignment code shown above, and that use parameterization.
----------------------------------------
6- Normally, you should include a Columns container within a GridView control, but the ASP.NET compiler does not require it. What happens if your GridView control has no Columns container?
Explanation / Answer
1- What does ADO.NET stand for?
ADO stands for ActiveX data for objects. ADO.NET is a set of computer software components that programmers can use to access data and data services from the database. It is a part of the base class library that is included with the Microsoft .NET Framework. It is commonly used by programmers to access and modify data stored in relational database systems, though it can also access data in non-relational sources. ADO.NET is sometimes considered an evolution of ActiveX Data Objects (ADO) technology, but was changed so extensively that it can be considered an entirely new product.
2- ASP.NET uses the executeReader and the executeNonQuery method calls to execute SQL statements. What is the difference between the two method calls?
ExecuteNonQuery
The ExecuteNonQuery method will return the number of rows affected by INSERT, DELETE or UPDATE operations. This ExecuteNonQuery method will be used only for INSERT, UPDATE, DELETE, CREATE, and SET statements.
ExecuteNonQuery is typically used for SQL statements without results (e.g., UPDATE, INSERT, etc.).
ExecuteReader
ExecuteReader will be used to return a set of rows on execution of a SQL query or stored procedure using the command object. This is a forward-only retrieval of records, and it is used to read the table values from first to last.
ExecuteReader is used for any result set with multiple rows/columns (e.g., SELECT col1, col2 FROM sometable).
3-5. In the following 3 questions, use the Employees table presented in the lecture slides and use the following C# code.
SqlCommand cmd = new SqlCommand(
"SELECT * FROM Employees WHERE LastName='" + lastName.Text + "'",
connection);
I am not aware of your lecture slides; however, I can give you a description of the above C# code.
It creates a cmd object for SqlCommand with the query stated above, which retrieves all records with the specified last name in the code.
3- As an end-user evil-doer, what SQL injection code can you enter into the lastName text box so that all the table’s rows get deleted, but the table itself does not get deleted?
What is SQL Injection?
The word Injection means to inject something into your system, and SQL Injection means injecting some SQL into your database system to hack it: to steal your information such as usernames and passwords for login authentication, or to cause harm to your system by deleting data or dropping tables.
If I type ';DELETE FROM Persons;-- in the TextBox, the SQL Query will be manipulated as follows
Thus this query will first fire the SELECT query on the Customers table and then delete all records from the Persons table.
4- As an end-user evil-doer, what SQL injection code can you enter into the lastName text box so that all the table’s rows get deleted, but the table itself does not get deleted?
If we type ';DELETE FROM Persons;-- in the TextBox, the SQL Query will be manipulated as follows
SELECT * FROM Customers WHERE EmpId = '';DELETE FROM Persons;--'
Thus this query will first fire the SELECT query on the Customers table and then delete all records from the Persons table.
5- How can you use parameterization to prevent SQL injection attacks on the SELECT statement shown above?
Parameterized Queries
Parameterized Queries are those in which values are passed using SQL Parameters.
Benefits
The prime benefit of parameterized Queries is to protect the database from SQL Injection.
The very basic way is to use parameterized queries, i.e. instead of string concatenation you add parameters to the query and pass the parameter value using the SqlCommand object. Below is an example of a parameterized query.
SELECT * FROM Customers WHERE EmpId = @EmpId
The above query cannot be manipulated and will completely stop SQL Injection.
6- Normally, you should include a Columns container within a GridView control, but the ASP.NET compiler does not require it. What happens if your GridView control has no Columns container?
The GridView control is the successor to the DataGrid and extends it in a number of ways. With this GridView control, you could display an entire collection of data, easily add sorting and paging, and perform inline editing. In addition to just displaying data, the GridView can be used to edit and delete the displayed data as well.
The GridView comes with a pair of complementary view controls: DetailsView and FormView. By combining these controls, you can easily set up master-detail views using very little code and sometimes no code at all. From the following chapters you can see some important operations in ASP.NET GridView control.
Each column in the GridView control is represented by a DataControlField object. By default, the AutoGenerateColumns property is set to true. You can also manually control which column fields appear in the GridView control by setting the AutoGenerateColumns property to false.
AutoGenerateColumns="false"
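The following is an added C# example, not code from the question or from the answer above. It puts the concatenated SqlCommand from the question next to its parameterized replacement (the "two statements" asked for in question 5, written against the LastName column the question's code uses rather than the EmpId column in the answer's example), and it shows ExecuteReader on the SELECT versus ExecuteNonQuery on an UPDATE (question 2). It assumes a .NET Framework project using System.Data.SqlClient, an Employees table with EmpId and LastName columns, and a connection string in ConnStr; all three are assumptions, as is the RenameEmployee method used to exercise ExecuteNonQuery. The hostile input in Main is the string the answer already quotes; under parameterization it is only ever a string value compared against LastName, so the SELECT simply matches no rows.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; not the question's or the answer's code.
// Assumes an Employees table with columns EmpId (int) and LastName (nvarchar(50)).
public static class EmployeeQueries
{
    // Assumed connection string; replace with your own.
    private const string ConnStr = "Server=.;Database=HR;Integrated Security=true;";

    // The vulnerable form from the question: the text box value becomes part of the
    // SQL text, so a single quote in the input changes the statement's structure.
    public static SqlCommand BuildVulnerable(SqlConnection connection, string lastName)
    {
        return new SqlCommand(
            "SELECT * FROM Employees WHERE LastName='" + lastName + "'",
            connection);
    }

    // The parameterized replacement (two statements): the SQL text is fixed and the
    // value travels separately as a typed parameter, so it is always data, never SQL.
    public static SqlCommand BuildParameterized(SqlConnection connection, string lastName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT EmpId, LastName FROM Employees WHERE LastName = @LastName",
            connection);
        cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    // ExecuteReader: SELECT returns rows, read forward-only through a SqlDataReader.
    public static int CountMatches(string lastName)
    {
        int count = 0;
        using (SqlConnection connection = new SqlConnection(ConnStr))
        {
            connection.Open();
            using (SqlCommand cmd = BuildParameterized(connection, lastName))
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    count++;
                }
            }
        }
        return count;
    }

    // ExecuteNonQuery: UPDATE returns no result set, only the number of rows affected.
    // Assumed helper, added to show the contrast with ExecuteReader.
    public static int RenameEmployee(int empId, string newLastName)
    {
        using (SqlConnection connection = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE Employees SET LastName = @LastName WHERE EmpId = @EmpId",
            connection))
        {
            cmd.Parameters.Add("@LastName", SqlDbType.NVarChar, 50).Value = newLastName;
            cmd.Parameters.Add("@EmpId", SqlDbType.Int).Value = empId;
            connection.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // The injection string quoted in the answer. With the parameterized SELECT it is
        // compared literally against LastName and matches nothing; the concatenated
        // version would instead hand the server a second statement to run.
        string hostile = "';DELETE FROM Persons;--";
        Console.WriteLine("Rows matching the hostile input: " + CountMatches(hostile));
        Console.WriteLine("Rows matching 'Smith': " + CountMatches("Smith"));
        Console.WriteLine("Rows renamed: " + RenameEmployee(1, "Smith"));
    }
}
```

A practical check when reviewing ADO.NET code: every SqlCommand whose CommandText is built with `+` or string interpolation from user input is a finding, regardless of whether it is executed with ExecuteReader or ExecuteNonQuery; the fix is always the same parameter-based rewrite shown in BuildParameterized, and the declared SqlDbType and length also stop oversized input before it reaches the server.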