public static int getDiscipData(string slct, string from, string userID) { // I know this is vulnerable to SQL injection but the user cannot influence the input of this in any way, shape or form so it's not an issue string SQL = "SELECT " + slct + " FROM " + from + " WHERE " + userID + "=" + GVars.getUserID(); SqlConnection conn = new SqlConnection(GVars.connectionString()); SqlCommand cmd = new SqlCommand(SQL, conn); conn.Open(); int temp = Convert.ToInt32(cmd.ExecuteScalar()); conn.Close(); return(temp); }
private void StudentForm_Load(object sender, EventArgs e) { { SqlConnection conn = new SqlConnection(GVars.connectionString()); string spec = "SELECT Specialization FROM data WHERE userData_ID=@userID"; string year = "SELECT Year FROM data WHERE userData_ID=@userID"; string seme = "SELECT Semester FROM data WHERE userData_ID=@userID"; SqlCommand cmdSpec = new SqlCommand(spec, conn); SqlCommand cmdYear = new SqlCommand(year, conn); SqlCommand cmdSeme = new SqlCommand(seme, conn); cmdSpec.Parameters.AddWithValue("@userID", GVars.getUserID()); cmdYear.Parameters.AddWithValue("@userID", GVars.getUserID()); cmdSeme.Parameters.AddWithValue("@userID", GVars.getUserID()); conn.Open(); int tempSpec = Convert.ToInt16(cmdSpec.ExecuteScalar()); int tempYear = Convert.ToInt16(cmdYear.ExecuteScalar()); int tempSeme = Convert.ToInt16(cmdSeme.ExecuteScalar()); switch (tempSpec) { case 1: { switch (tempYear) { case 1: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 2: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 3: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 4: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } } break; } case 2: { switch (tempYear) { case 1: { switch (tempSeme) { case 1: { break; } case 2: { dis1Label.Text = "Desen Tehnic"; dis2Label.Text = "PCLP"; dis1Box.Text = Convert.ToString(DatabaseHelper.getDiscipData("Discipline1", "disciplines", "user_ID")); dis2Box.Text = Convert.ToString(DatabaseHelper.getDiscipData("Discipline2", "disciplines", "user_ID")); break; } } break; } case 2: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 3: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 4: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } } break; } case 3: { switch (tempYear) { case 1: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 2: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 3: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 4: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } } break; } case 4: { switch (tempYear) { case 1: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 2: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 3: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } case 4: { switch (tempSeme) { case 1: { break; } case 2: { break; } } break; } } break; } } } }