Hi,

Here are three examples I found googling "ASP.NET parameterized queries Access":

http://aspnet101.com/aspnet101/tutorials.aspx?id=1
http://www.mikesdotnetting.com/Article.aspx?ArticleID=26
http://www.4guysfromrolla.com/webtech/092601-1.2.shtml

There appear to be a few more good ones in the first 10 results.

To be honest, I would strongly recommend you go and buy Stephen Walther's "ASP.NET Unleashed" book (there are versions for v1.1, and v2.0/3.0) if you are just starting out with ASP.NET. It covers an enormous amount of information across just about everything you will touch when starting off with ASP.NET. If you have a bookstore within 5-10 minutes' drive, then the 20 minute investment that you'll make in getting that book will repay itself in a week.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Coulson
Sent: Friday, 3 August 2007 12:47 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

Okay, okay. I'm pretty sure the only people inside the building who even know what SQL is are honest enough not to try exploiting a weakness in my code, but your concerns are valid. I'm just being lazy. I suppose I'd rather make it secure now and not have to do anything but move it from one server to the next when we start putting the intranet on the web server.

Would you please take a moment to show me how that is done? If it's not clear, I don't know a whole lot about .NET; however, it's my only programming option at work!

Thanks!
Jeremy

-----Original Message-----
From: Ken Schaefer <Ken at adOpenStatic.com>
To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
Date: Fri, 3 Aug 2007 12:10:53 +1000
Subject: Re: [thelist] simple asp.net question

You think that only random people out on the internet are ever interested in getting access to more than they should? You are going around this completely the wrong way.

Retrofitting your code later on is going to be a far more expensive undertaking than just doing it the safe way now. You'd need to change about 4-5 lines of code, and use named parameters instead of sticking literal strings into your SQL statement, and you'd make your entire page immune to SQL injection attacks.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeremy Coulson
Sent: Thursday, 2 August 2007 9:39 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

Extension changed.

I'm not so worried about that security right now since our intranet is not available to the outside world. If I get this version working, I'll beef up the security later when we move our intranet to our web server. That, however, is many months off and they desire the phone list searching ability ASAP.

Jeremy Coulson
PC Technician/Webmaster, Frederick County
(540) 722-8211
jcoulson at co.frederick.va.us

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer
Sent: Thursday, August 02, 2007 7:02 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

The code could not be downloaded - it's trying to be executed by the server. You'd need to change the extension to something like .txt (that's handled by the static file handler in IIS).

Secondly, that SQL statement is vulnerable to SQL injection. Use parameters.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeremy Coulson
Sent: Thursday, 2 August 2007 1:55 PM
To: thelist at lists.evolt.org
Subject: [thelist] simple asp.net question

I'm 100% certain I'm missing something really simple on this search I've been trying to build for our phone directory on our intranet. Everything is working correctly except one thing.

When a user enters a search that returns no result, a label tells the user there were no results. Unfortunately, the program never makes it to the second half of the conditional statement and all searches - even successful ones - return the same message.

You can see the whole code (there's not much!) at http://www.co.frederick.va.us/coulson/phoneExtensions.aspx (but you have to download it because that server is running an older framework that doesn't know GridView).

This is the specific function that is not working:

---------------------->
Sub nameHandler(ByVal sender As Object, ByVal e As EventArgs)
    If strSearch.Text = "" Then
        lbl1.Text = "<br /><font color='red'>Please enter a search term in the box above!</font>"
    Else
        AccessDataSource1.SelectCommand = "SELECT [lastName], [firstName], [dept], [ext], [email] FROM [tblPhones] WHERE [lastName] = '" + strSearch.Text + "' OR [firstName] = '" + strSearch.Text + "' ORDER BY [dept], [lastName]"
        If GridView1.Rows.Count = 0 Then
            lbl1.Text = "<br />Your search for " & strSearch.Text & " found no results."
        Else
            lbl1.Text = "<br />Search string: " & strSearch.Text & "."
        End If
    End If
End Sub
---------------------->

Why does it never get to the Else half of that If? I'm thinking this is either a failure of my ability to nest conditional statements, a failure of my logic, or a failure of my understanding of GridView.Rows.Count.

I've been beating this dead horse for three hours now and I'm going to bed. Hopefully I will find a solution tomorrow. If you know it, feel free to share!

Thanks!
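The parameterized rewrite of nameHandler that Ken asks for, as an added example that is not code from anyone in this thread; it replaces the concatenated quotes with ? placeholders bound to SelectParameters, so the search text is passed as data rather than as part of the SQL. It assumes the control names from Jeremy's page (strSearch, lbl1, GridView1, AccessDataSource1) and the same tblPhones table, and it also calls GridView1.DataBind() before reading Rows.Count, because the Click handler runs before the grid binds to its data source on its own.

```vbnet
' Added example, not from the thread. Assumes Jeremy's control names:
' strSearch (TextBox), lbl1 (Label), GridView1, AccessDataSource1.
Sub nameHandler(ByVal sender As Object, ByVal e As EventArgs)
    If strSearch.Text = "" Then
        lbl1.Text = "<br /><font color='red'>Please enter a search term in the box above!</font>"
        Exit Sub
    End If

    ' The OLE DB (Jet) provider behind AccessDataSource fills each ? placeholder
    ' from SelectParameters in order, so the same search text is added twice.
    ' Because the text is never spliced into the SQL string, a quote, semicolon
    ' or comment marker typed into the box is just a value to compare against.
    AccessDataSource1.SelectCommand = _
        "SELECT [lastName], [firstName], [dept], [ext], [email] " & _
        "FROM [tblPhones] WHERE [lastName] = ? OR [firstName] = ? " & _
        "ORDER BY [dept], [lastName]"
    AccessDataSource1.SelectParameters.Clear()
    AccessDataSource1.SelectParameters.Add("lastName", TypeCode.String, strSearch.Text)
    AccessDataSource1.SelectParameters.Add("firstName", TypeCode.String, strSearch.Text)

    ' The button's Click handler runs before the GridView would bind itself,
    ' so Rows.Count does not reflect this query until we bind explicitly.
    GridView1.DataBind()

    ' The label renders as HTML, so encode the echoed search text as well.
    Dim safeTerm As String = Server.HtmlEncode(strSearch.Text)
    If GridView1.Rows.Count = 0 Then
        lbl1.Text = "<br />Your search for " & safeTerm & " found no results."
    Else
        lbl1.Text = "<br />Search string: " & safeTerm & "."
    End If
End Sub
```

The same two parameters can instead be declared in the page markup as asp:ControlParameter entries (ControlID="strSearch", PropertyName="Text") inside the AccessDataSource's SelectParameters, in which case the Clear/Add lines are not needed.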