Thanks for the response. Let's continue the discussion in the Python forum and not bore the loungers with this
We are using Linux daily to UP our productivity - so UP yours!
Monty? Reinhardt? 
Yup... They decided to get together and pull a prank on me!
I'm just wondering, would that really work?? lol
My license and I have refused to experiment!
(But I doubt it - the NPR software should miss the ";" and throw out the excess)
You should never use standby on an elephant. It always crashes when you lift the ears. - Mark Wallace
C/C++ (I don't see a huge difference between them, and the 'benefits' of C++ are questionable, who needs inheritance when you have copy and paste) - fat_boy
Nice! Tough to say if it would work without seeing any code, but from the code on the license plate, my instinct says no.
No, it won't work, he spelt 'POLICE' wrong...
I mean, do the traffic cameras really work this way? They read/recognise the licence number and automatically insert it into a database??
An SQL injection attack does not require a database insert - a SELECT ... FROM query will do. Since the ";" is SQL for end-of-statement, the code after it is considered to be a new instruction and executed separately. So "SELECT * FROM tab WHERE number = 123;DROP TABLE tab" would perform two separate operations: query the table, then delete it.
This is why parameterised queries are so important!
OriginalGriff wrote: This is why parameterised queries are so important!
By parameterized, you mean stored procedures or what?
pLucian wrote: By parameterized, you mean stored procedures or what ?
No!
Instead of the SQL
SqlCommand cmd = new SqlCommand("SELECT * FROM tab WHERE name = " + tbName.Text);
use
SqlCommand cmd = new SqlCommand("SELECT * FROM tab WHERE name = @NAME");
cmd.Parameters.AddWithValue("@NAME", tbName.Text);
This way the content of tbName can be any characters without it being accepted as a new SQL command.
(Yes, yes, I know - "don't use SELECT * FROM" because it... yada yada yada! Don't be so picky!)
Very nice, I didn't know about this. Good to know.
OriginalGriff wrote: This is why parameterised queries are so important!
Or just escape out the string. A big limitation with parameterised queries is they are rather tricky to use with "IN" clauses.
private SqlDataReader GetSomeStuff(SqlConnection conn, List<string> vals)
{
    // "IN ()" is a syntax error, so reject an empty list before building any SQL.
    if (vals.Count == 0) throw new ArgumentException("vals must not be empty", "vals");

    // Build the placeholder list "@param0, @param1, ..." - only parameter
    // names go into the SQL text, never the values themselves.
    StringBuilder sb = new StringBuilder();
    for (int i = 0; i < vals.Count; i++)
    {
        if (i != 0) sb.Append(", ");
        sb.Append("@param" + i.ToString());
    }
    string query = string.Format("SELECT * FROM TheTable WHERE TheColumn IN ({0})", sb.ToString());
    SqlCommand cmd = new SqlCommand(query, conn);

    // Bind each value to its placeholder; the driver sends the values separately from the SQL.
    for (int i = 0; i < vals.Count; i++)
    {
        cmd.Parameters.Add(new SqlParameter("param" + i.ToString(), vals[i]));
    }
    return cmd.ExecuteReader();
}
Now, was that so hard? Though, with SQL Server 2008 (and I think 2005), entire tables can be passed as parameters, which removes the need to dynamically construct the query. The above technique won't work very well with stored procedures though. In cases like that, one can create an intermediate table to bulk insert data into, generate a unique batch ID from that, then pass that ID to the stored procedure so it knows which records in the batch table to use (after which, it can delete those records).
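The placeholder-per-value technique for IN clauses from the post above, as an added example that is not from the thread, written in Python against sqlite3 (positional "?" placeholders where SqlClient uses "@param0, @param1, ..."). It also covers two edge cases the C# snippet leaves open: an empty list, since "IN ()" is a syntax error, and lists longer than the engine's per-statement parameter limit (SQL Server allows 2100 parameters per request; SQLite has its own SQLITE_MAX_VARIABLE_NUMBER), which it handles by chunking. CHUNK, make_db and the sample plates are assumptions made for the demonstration; CHUNK is set absurdly low so the chunking is exercised.

```python
import sqlite3

# Constructed sample data, not from the thread.
SAMPLE_PLATES = [("AB12 CDE",), ("XY98 ZZZ",), ("MN34 OPQ",)]

# Assumed batch size. Real engines cap bound parameters per statement
# (SQL Server: 2100 per request), so long lists must be split. Set to 2
# here purely so the chunking path runs on three plates.
CHUNK = 2


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plates (plate TEXT PRIMARY KEY)")
    conn.executemany("INSERT INTO plates VALUES (?)", SAMPLE_PLATES)
    conn.commit()
    return conn


def in_clause(n):
    """Return '?, ?, ?' for n values. Only placeholders enter the SQL text."""
    if n <= 0:
        raise ValueError("IN () is a syntax error; handle the empty list before building SQL")
    return ", ".join(["?"] * n)


def find_plates(conn, wanted):
    """Rows whose plate is in `wanted`, with every value bound as a parameter.
    An empty input returns [] without touching the database; a long input is
    split into chunks of CHUNK placeholders and the results concatenated."""
    wanted = list(wanted)
    found = []
    for start in range(0, len(wanted), CHUNK):
        chunk = wanted[start:start + CHUNK]
        sql = "SELECT plate FROM plates WHERE plate IN (" + in_clause(len(chunk)) + ")"
        found.extend(row[0] for row in conn.execute(sql, chunk))
    return found


def row_count(conn):
    return conn.execute("SELECT count(*) FROM plates").fetchone()[0]


if __name__ == "__main__":
    db = make_db()
    print(find_plates(db, []))
    print(find_plates(db, ["AB12 CDE", "XY98 ZZZ", "MN34 OPQ"]))
    # Hostile "plates" are compared as literal strings and match nothing.
    print(find_plates(db, ["AB12 CDE", "') OR 1=1 --"]))
    print(find_plates(db, ["'; DROP TABLE plates; --"]), row_count(db))
```

Because the values never reach the SQL parser, a list entry such as "') OR 1=1 --" is simply a string that matches no plate, and the table is untouched afterwards.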
aspdotnetdev wrote: Now, was that so hard?
Err, yes. You quote a simple example (consider the extra logic to handle the case where there are additional parameters to be added), when all you needed to do was double up any single quotes in each parameter, and put single quotes at either side of it - a very simple string manipulation operation.
aspdotnetdev wrote: one can create an intermediate table to bulk insert data into, generate a unique batch ID from that, then pass that ID to the stored procedure
Sounds very efficient, easy to debug and highly portable...
Electron Shepherd wrote: all you needed to do was double up any single quotes in each parameter
How about for NULL (no quotes, though that wouldn't be much use in the specific case of an IN operator)? And for date times ("3/6/2010" is March 6th or June 3rd, and that doesn't even take into account millisecond precision)? And for numbers (no quoting necessary)? And when C# uses scientific notation to represent numbers but SQL Server does not ("100000000.0" vs "1.0E8")? Or when a different culture processes certain data types (e.g., date times) differently? Not so simple after all, now is it? And I think it wasn't very hard to create a list of strings in the format "@param0, @param1, ..., @paramN". As far as bulk inserts... that is quite efficient. But different strokes for different folks.
Perhaps not the camera itself, but the image is at some point processed with some kind of OCR and then probably the result is inserted into a database.
A while ago he asked me what he should have printed on my business cards. I said 'Wizard'.
I read books which nobody else understand. Then I do something which nobody understands. After that the computer does something which nobody understands. When asked, I say things about the results which nobody understand. But everybody expects miracles from me on a regular basis. Looks to me like the classical definition of a wizard.
I don't think this would harm the database. Do they store the entire image or extract just the number and then store it?
Even if they store the number, there has to be some sort of encryption happening before insert.
It wouldn't work in the UK, since they pay someone to look through every image and verify that it's correct. But it would be nice if it did...
Regards,
Gareth.
(FKA gareth111)
After hearing an ad for a computer on TV, I realized that PC names for some reason are ambiguous in their pronunciation.
For Example:
Acer - is it: (1) "EH" "SIR" or (2) "ACK" "ER"
Asus - is it (1) "EH" "SUS" or (2) "AS" "US"
ASRock - is it (1) "EH" "S" "ROCK" or (2) "AS" "ROCK"
I think they are all (1). Does this apply only to computers starting with "A"? Inquiring minds want to know.
I think it is from a cultural perspective often very difficult to get pronunciation right.
You have to be especially careful in far eastern tonal languages.
Even in two close countries like US and UK there is much zealotry in the way we think the other speaks.
Although to my dying day I will NEVER use Aluminum!
------------------------------------
I will never again mention that I was the poster of the One Millionth Lounge Post, nor that it was complete drivel. Dalek Dave
Dalek Dave wrote: Although to my dying day I will NEVER use Aluminum!
If you lived over there you would have to or no one would know what you were talking about!
The hardest one is water. If you ask for water with an English accent they don't have a clue: you have to draw it out, slowly with the emphasis on the 'a'.
And they still don't know what a wanker is!
me, me, me
"The dinosaurs became extinct because they didn't have a space program. And if we become extinct because we don't have a space program, it'll serve us right!"
Larry Niven
digital man wrote: And they still don't know what a wanker is!
*Holds a mirror up in front of digital man.*
3x12=36
2x12=24
1x12=12
0x12=18