SQL Injection Protection (C#.NET)
Alright, so I have a basic search function to look through a field in my database which is decided by a query string.
<asp:SqlDataSource ID="SqlDataSource1" runat="server" ConnectionString="<%$ ConnectionStrings:DatabaseConnectionString %>"
SelectCommand="SELECT * FROM [Employee] WHERE ([Responsibilities] LIKE '%' + @Responsibilities + '%')">
<SelectParameters>
<asp:QueryStringParameter Name="Responsibilities" QueryStringField="q" Type="String" />
</SelectParameters>
</asp:SqlDataSource>
But, I'd really like to fix it using parameterized SQL queries, so that people aren't dropping my tables. >_>
I've been lookin' around for some code on how to do this in C#.NET, and most of them seem to look like this:
using System.Data.SqlClient;

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
// User is a reserved word in T-SQL, so the table name has to be bracketed
SqlCommand objCommand = new SqlCommand(
"SELECT * FROM [User] WHERE Name = @Name AND Password = @Password",
objConnection);
// Bind the inputs as parameters; AddWithValue replaces the obsolete Add(string, object) overload
objCommand.Parameters.AddWithValue("@Name", NameTextBox.Text);
objCommand.Parameters.AddWithValue("@Password", PasswordTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
My problem is that I don't really know how to go from my code to this code... I mean, would I throw the latter in my backend code and call what it returns as a string, or would I entirely replace my DataSource and do somethin' with the code? Any help, in the form of tutorials or just straight up tellin' me here, would be greatly appreciated.
Thanks. =D
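An added example, not code from the original post, showing the search rewritten as a parameterized query in the page's code-behind. One point worth stating first: the `<asp:QueryStringParameter>` markup above already sends the `q` value to SQL Server as the `@Responsibilities` parameter rather than splicing it into the statement text, so the markup is not injectable in the "drop my tables" sense. What it does not stop is a user supplying LIKE wildcards (`%`, `_`, `[`) that widen the search, which the code below handles. It assumes the `[Employee]` table, `[Responsibilities]` column and `DatabaseConnectionString` connection string from the markup, and a `GridView` named `GridView1` on the page (that control name and the page class name are assumptions).

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example; not from the original post. Assumes the [Employee] table,
// [Responsibilities] column and DatabaseConnectionString from the poster's markup.
public static class EmployeeSearch
{
    // Escape LIKE metacharacters so the search term is matched literally.
    // The parameter already prevents SQL injection; this only prevents wildcard
    // injection (e.g. a bare "%" matching every employee). SQL Server treats a
    // character inside [] as a literal, so no ESCAPE clause is needed.
    public static string EscapeLikePattern(string value)
    {
        if (string.IsNullOrEmpty(value)) return string.Empty;
        return value.Replace("[", "[[]")
                    .Replace("%", "[%]")
                    .Replace("_", "[_]");
    }

    // Same query as the SqlDataSource, run from code. The search term is
    // bound as a typed parameter and is never concatenated into the SQL text.
    public static DataTable Search(string searchTerm)
    {
        string connectionString = ConfigurationManager
            .ConnectionStrings["DatabaseConnectionString"].ConnectionString;

        const string sql =
            "SELECT * FROM [Employee] " +
            "WHERE [Responsibilities] LIKE '%' + @Responsibilities + '%'";

        var results = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Explicit type and length: avoids the implicit-conversion surprises
            // of AddWithValue and keeps the cached plan stable across calls.
            command.Parameters.Add("@Responsibilities", SqlDbType.NVarChar, 255)
                   .Value = EscapeLikePattern(searchTerm);

            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                results.Load(reader);
            }
        }
        return results;
    }
}

// Code-behind for the search page (assumed name), replacing the SqlDataSource
// and binding the result to a GridView named GridView1 (assumed control name).
public partial class EmployeeSearchPage : Page
{
    // Declared here so the example compiles on its own; in a real project the
    // designer file provides this field for the control in the .aspx markup.
    protected GridView GridView1;

    protected void Page_Load(object sender, EventArgs e)
    {
        string q = Request.QueryString["q"] ?? string.Empty;
        GridView1.DataSource = EmployeeSearch.Search(q);
        GridView1.DataBind();
    }
}
```

The `using` blocks dispose the connection and reader even when `ExecuteReader` throws, which a bare `Open()`/`Close()` pair does not. The wildcard escaping is deliberately separate from parameterization: the parameter is what stops the value from being parsed as SQL, and `EscapeLikePattern` only controls how LIKE interprets it.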
View Complete Forum Thread with Replies
Related Forum Messages:
Usability Vs. Injection Protection
I have a question that I am sure that others have had to deal with in the past. I am writing business requirements for a web application that stores names, addresses, etc. I have hit a bit of a problem in design with allowing users to enter data they need, like the name O'Brien, and developers saying that allowing the single quote in a field could allow for an injection attack. Developers want to strip out single quotes when they occur in the data, however the users are insistent that names and addresses that have single quotes in them are shown properly. Is there any middle ground so that the system can be built to avoid an injection, but still allow data to be entered as intended?
View Replies !
DTS Protection
I'm trying to protect a package... using an owner password. After I create an owner password and generate a dts command line from DTSRunUI... it puts the package password in the string. Basically if someone goes into the job and looks at this line they have the password to open the package... DTSRun /S "svr-eqanalysis" /N "OrgExtract Rename" /M "password" /G "{2E2B6F07-0E56-4212-A894-B85A4EAA6C8C}" /W "0" /E We cannot remove the builtin administrators group from the machine therefore system admins that want to poke around into our work can do so.... any suggestions...... thanks, jonathan
View Replies !
Protection Against Sql Injections
Hello all, I'm using the following code to query my database...
public static void InsertsComments(string Comments, string TagID, string UserName)
{
    // conn is a SqlConnection field declared elsewhere in the class
    SqlCommand cmd = new SqlCommand("insert into TG_UserComments (Comments, Tag_ID, UserName) values (@Comments, @TagID, @UserName)", conn);
    conn.Open();
    cmd.Parameters.Add(new SqlParameter("@Comments", Comments));
    cmd.Parameters.Add(new SqlParameter("@TagID", TagID));
    cmd.Parameters.Add(new SqlParameter("@UserName", UserName));
    cmd.ExecuteNonQuery();
    conn.Close();
}
My first question is, should I be making @Comments, @TagID, @UserName a little more cryptic? Like @CommDBQ23 or something? Does that make it safer? Also, I'm going to use stored procs to query the database, instead of how I'm doing it above. What would I need to change in the code to do this? Obviously I'd need to call a stored proc on the server, but can I still protect myself from sql injections with the above code? Is there anything else I should be doing to secure my application at this level? Thanks! Matty
View Replies !
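An added example, not Matty's code, showing the same insert issued as a stored procedure call. Two facts it rests on: parameter names such as `@Comments` are part of the command text you write, not attacker input, so renaming them to something cryptic adds nothing; and with `CommandType.StoredProcedure` the provider sends the procedure name plus typed parameter values as an RPC, so the values are never parsed as SQL. The procedure name `usp_InsertUserComment` and the `TagsDb` connection string name are assumptions, as is treating `Tag_ID` as an integer column.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example; not code from the original post. Assumes a stored procedure
// (hypothetical name) defined roughly as:
//
//   CREATE PROCEDURE dbo.usp_InsertUserComment
//       @Comments nvarchar(max), @TagID int, @UserName nvarchar(256)
//   AS
//   BEGIN
//       SET NOCOUNT ON;
//       INSERT INTO TG_UserComments (Comments, Tag_ID, UserName)
//       VALUES (@Comments, @TagID, @UserName);
//   END
//
// and a connection string named "TagsDb" in web.config (assumed name).
public static class CommentRepository
{
    // Returns the number of rows affected (1 on success).
    public static int InsertComment(string comments, int tagId, string userName)
    {
        string connectionString = ConfigurationManager
            .ConnectionStrings["TagsDb"].ConnectionString;

        // A connection per call, disposed on exit: the original's Open()/Close()
        // pair leaves the connection open if ExecuteNonQuery throws.
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_InsertUserComment", conn))
        {
            // With CommandType.StoredProcedure the command text is only the
            // procedure name; each parameter travels as a typed value.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Comments", SqlDbType.NVarChar, -1).Value = comments;
            cmd.Parameters.Add("@TagID", SqlDbType.Int).Value = tagId;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;

            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The caveat a reviewer would raise: a stored procedure only keeps this property if its body does not rebuild SQL from its arguments. A procedure that concatenates `@Comments` into a string and runs it with `EXEC(@sql)` reintroduces the injection; if dynamic SQL is unavoidable inside the procedure, pass the values through `sp_executesql` as parameters rather than splicing them into the text.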
Sql Server Protection Issue
Recently a client asked me about encryption and sql server...basically he was wondering if someone broke into his office and stole the server would his data be out there for the world to see... I am wondering what protection is available for such a situation Thanks in advance to all that reply
View Replies !
Stored Procedure Protection
Hi all, I've developed a database driven web app in ASP.NET and am ready to deploy to my customer. However, I'd like to know is there any way to encrypt / protect the source of my stored procedures and views in SQL Server? My web app makes heavy use of SPROCs and DB Views and I don't want my client to view / alter it; compared with the web app, which I can compile into a .DLL file and remove all business logic, is there any similar thing in the SQL world? Thanks,
View Replies !
Protection Level Not Working With SP2?
I'm having problems with ftp tasks in SSIS packages where protectionlevel=EncryptSensitiveWithPassword. I've used this many times with no problems, but now that I've upgraded to 2005 SP2, it's not working as before. I have a functioning SSIS package with an FTP download. It works fine on my workstation in the development environment. If I load it to the SQL server using Management Studio under my account, I cannot run the package from the server when logged on as Administrator, nor can I schedule it to run under the SQLAgent account as a job. The error messages are: Unable to connect to FTP server using "FTP Connection Manager" and "The password was not allowed". Obviously the password being sent to the ftp server is wrong, but it was right under development. Furthermore, if I log into the server under my account the package runs fine! If I load the package while logged in as administrator, I can only run the package as administrator. And of course, if I load the package as SQLagent, I can only run the package as SQLagent. This is not how SSIS packages were operating before I upgraded! In fact I've reloaded some existing packages and found that they now have inherited this behavior (after they have been re-imported). It looks to me like SSIS is using the EncryptSensitiveWithUserKey option, instead of the EncryptSensitiveWithPassword option. I'm not sure how to confirm this, short of using a packet sniffer to watch the ftp traffic. I could switch to PackageConfigurations, but I was happy with the EncryptSensitiveWithPassword option, which seemed appropriate for our operation. Does anyone have any ideas what could be going on, or any suggestions to troubleshoot this? How can I tell if the password is encrypted or not?
View Replies !
Intellectual Property Protection
Hi All, I would like to build a standard BI solution based on MS SQL2008 - integration services, analysis services and reporting services. This standard BI solution can be distributed to multiple customers - however I want to protect the source code so customers can't access the code. I would like to be able to encrypt or protect the solution - so the customer only gets the "executable" but can't access the source code. This is to protect my intellectual property. Kindly advise if there is any way to achieve this objective in SQL2008. I did some research in SQL 2005 a long time back - but I was unable to find a resolution to protect the intellectual property. I would be extremely pleased to get some good advice on how to protect IP in SQL 2008. Thanks heaps, Thomas
View Replies !
Recovery And Protection Plan
We are using sql server 2000 and it's on a remote system. One of the databases "Dbase1" went to Suspect mode. When we checked, both the .mdf and .ldf files were missing from the Server. They were not there at all. Is there any way to recover the database? To make it more secure, what are the possibilities which we can use so that in future we should be able to restore our database. Thanks in advance bab
View Replies !
Database Protection And Auditing Tool
Hi folks, I would just like to share with you SQL CodeSecure, a newly released database protection and auditing tool from SqlLabs: SQL CodeSecure provides ultimate protection from unauthorized creation, modification and deletion of database objects. It provides flexibility through various protection types and granularity at different protection levels. CodeSecure comes with a full-featured auditing tool that keeps track of all changes made to your database. It provides detailed information on any action taken against any object in your database, including the computer and IP address from which a change was made, the domain user and SQL Server login responsible for the change, the exact SQL statement executed, and a lot more other information. While prevention may be the best cure to damages, CodeSecure's capability and value are not limited to the protection it can provide. It can rollback actions or changes that could affect your database's integrity, functionality or performance, including modifications made to any code or object definition and deletion of objects in your database. In addition to these features, SQL CodeSecure provides utilities that allow you to encrypt code and object definitions for even greater protection, as well as script them to files for backup and safekeeping. You can learn more about it here: http://www.sql-labs.com/products/co...diting-tool.htm You can download the application from here: http://www.sql-labs.com/products/co...nload/Setup.zip www.sql-labs.com Thanks.
View Replies !
MMC Caused A General Protection Fault
I just installed SQL7.0 on a windows 98 machine. When I go to register a new database, I get the following message. MMC caused a general protection fault I have rebooted the machine, removed & reinstalled the application. Help - what else
View Replies !
Deployment Problem With Protection Level
Hi all, I have a problem while trying to deploy my packages that are configured with ProtectionLevel=EncryptSensitiveWithUserPassword. I use the Deployment Utility to deploy my packages. I set the password when deploying and the deployment works fine. But when I run the packages I have the following error: "Failed to decrypt an encrypted XML node because the password was not specified or not correct." Did I miss something?
View Replies !
Package Protection Level Problem
Hello, I have a package that contains a connection manager to a DB2 source. The password is configured within the connection manager. The configuration string was included in the package configurations (SQL Server). The package is saved in VSS, and locally on my hard drive. When a colleague attempts to open the package in Visual Studio (from VSS), he gets a message similar to the following. Error 1 Error loading 'Geac_RK502.dtsx' : Failed to remove package protection with error 0x8009000B "Key not valid for use in specified state.". This occurs in the CPackage::LoadFromXML method. . C:\Documents and Settings\cdunn\My Documents\Visual Studio 2005\Projects\Geac_RK502\Geac_RK502\Geac_RK502.dtsx 1 1 I'm very sure the package protection level was to encrypt sensitive data with user key. After he ran into this problem, I tried again to open the package from my computer (the machine that the package was created on) and now I get the same message. If I attempt to open the package anyway, I first get a message that there were errors in the package while it was being loaded, and that the package might be corrupt. After that message, I get one that states the document contains one or more extremely long lines of text....do you still want to open the file. If I click yes, the package opens read only with the following message: Microsoft Visual Studio is unable to load this document. Failed to remove package protection with error 0x80090008. "Key not valid for use in specified state". This occurs in the CPackage::LoadFromXML method. I'm looking into more information about package protection. What can I do to avoid this problem, and what protection level should I be using so that my colleague can open the package? How can I correct the problem with this particular package, and have the package open? Thank you for your help! cdun2
View Replies !
SQl Agents And Package Protection Levels
All: I am aware that I am raising an issue/question that has quite a number of ancestors in this forum. In reviewing some of the threads I still believe my situation has a bit of a twist; but that could just be me. The process I used until a change I made recently worked just fine. A handful of my packages connect to our ERP system that only supports an ODBC connection. I set the Protection Level to the default, and then deploy the packages to the server. I use an agent to run the jobs that include these packages as steps. I have hardcoded the userID and password in the SQL jobs and so they have run fine. In an effort to reduce maintenance on the packages I decided to run the packages from the File System instead of deploying them to the server. Now, the packages are not running as I have not changed the Protection Level yet. I did test running one of the packages using a Proxy I have created but that does not work either. Based upon what I have read it appears that the first thing I need to do is change the Protection Level to DoNotSaveSensitive. How do I then pass the ID and password to the agent? a. Create a configuration file? b. Create a package template? c. Both of the above To reiterate I do not wish to deploy the packages to the server; I prefer to run the packages from the File System. Further, I just have one box on which everything happens; there are no migration issues across servers. Some insights from this group will be greatly appreciated. Thank you!
View Replies !
SSIS Protection Level Feature
My SSIS packages are saved using Protection Level = EncryptAllWithPassword. Once I call the encrypted package from another SSIS package and do not place a password on it, the solution does not fail when rebuilding it or even notify me that a password is required. Is this how SSIS should work, or could Microsoft have a fix for this? It causes errors when deployed and all we need to do is just place a password on the Execute Package Task. Thanks.
View Replies !
Access Protection On Deployed SQL Server
How can we control the access to a SQL Server that has been deployed on a customer site? Basically, we do not want users to log in to the database server, even as sa, except through our application. Any recommendation? Thanks, Xiaodoudou
View Replies !
HELP Publishing A Site With Password Protection
I am new to Visual Web Developer 2005 Express. I have created a web site containing a login control. It works great on my local machine, but when I copy it to the server, I get the following error when I try to login to the website: Server Error in '/mrallensclass' Application. An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Data.SqlClient.SqlException: An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) Source Error: An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below. Stack Trace: [SqlException (0x80131904): An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. 
(provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified)] System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection) +734931 System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj) +188 System.Data.SqlClient.TdsParser.Connect(Boolean& useFailoverPartner, Boolean& failoverDemandDone, String host, String failoverPartner, String protocol, SqlInternalConnectionTds connHandler, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, SqlConnection owningObject, Boolean aliasLookup) +820 System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(SqlConnection owningObject, SqlConnectionString connectionOptions, String newPassword, Boolean redirectedUserInstance) +628 System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, Object providerInfo, String newPassword, SqlConnection owningObject, Boolean redirectedUserInstance) +170 System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection) +130 System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnection owningConnection, DbConnectionPool pool, DbConnectionOptions options) +28 System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject) +424 System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject) +66 System.Data.ProviderBase.DbConnectionPool.GetConnection(DbConnection owningObject) +496 System.Data.ProviderBase.DbConnectionFactory.GetConnection(DbConnection owningConnection) +82 System.Data.ProviderBase.DbConnectionClosed.OpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory) +105 System.Data.SqlClient.SqlConnection.Open() +111 System.Web.DataAccess.SqlConnectionHolder.Open(HttpContext context, Boolean 
revertImpersonate) +84 System.Web.DataAccess.SqlConnectionHelper.GetConnection(String connectionString, Boolean revertImpersonation) +197 System.Web.Security.SqlMembershipProvider.GetPasswordWithFormat(String username, Boolean updateLastLoginActivityDate, Int32& status, String& password, Int32& passwordFormat, String& passwordSalt, Int32& failedPasswordAttemptCount, Int32& failedPasswordAnswerAttemptCount, Boolean& isApproved, DateTime& lastLoginDate, DateTime& lastActivityDate) +1121 System.Web.Security.SqlMembershipProvider.CheckPassword(String username, String password, Boolean updateLastLoginActivityDate, Boolean failIfNotApproved, String& salt, Int32& passwordFormat) +105 System.Web.Security.SqlMembershipProvider.CheckPassword(String username, String password, Boolean updateLastLoginActivityDate, Boolean failIfNotApproved) +42 System.Web.Security.SqlMembershipProvider.ValidateUser(String username, String password) +83 System.Web.UI.WebControls.Login.OnAuthenticate(AuthenticateEventArgs e) +160 System.Web.UI.WebControls.Login.AttemptLogin() +105 System.Web.UI.WebControls.Login.OnBubbleEvent(Object source, EventArgs e) +99 System.Web.UI.Control.RaiseBubbleEvent(Object source, EventArgs args) +35 System.Web.UI.WebControls.Button.OnCommand(CommandEventArgs e) +115 System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +163 System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +7 System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +11 System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +33 System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +5102 How would I correct this? It appears I need to change the setting for SQL Server 2005, but how do I do that? Thanks for your help.
View Replies !
Setting The Protection Level Of Packages
Hello everyone, Can someone recommend me the most efficient protection level for SSIS packages for my environment? I've been doing some reading on this lately, but can't really decide which one to use. The Rely on server storage for encryption (ServerStorage) seems interesting, but I'm unsure if that would work in my environment (Windows Authentication). Currently I'm saving my packages to my dev server under the "Encrypt sensitive data with user key" Protection level, but it seems like the passwords for the FTP Connection, for instance, don't get saved when I deploy my package to the server. Our environment consists of 2 dev servers + 2 prod servers with windows authentication, our SQL Agent Account is a domain account with local admin rights and sysadmin rights on the SQL Server and we try to use proxy accounts to access network resources instead of giving the agent access to everything. This is what I found on MS's web site. http://technet.microsoft.com/en-us/library/ms141747.aspx http://technet.microsoft.com/en-us/library/ms141053.aspx
View Replies !
System Center Data Protection Manager
Hello, Has someone used the latest product (supposed to be out sometime in November), SCDPM 2007 for backing up and restoring SQL server databases? Based on what I've read, it looks to be nice, easy to use and easy to do backups and different options when it comes to restore. I've not seen the product yet and I was wondering what are your opinions on using this vs other software like Veritas Backup Exec? Thank you
View Replies !
SSIS Package Protection Level - DontSaveSensitive
For those of you who have had a hard time like me trying to figure out using Protection level for an SSIS package whilst deploying the package via the SQL Server Agent, here is a piece of advice: Firstly the protection level is set by default to "EncryptSensitiveWithUserKey". The encryption actually takes place only if you have things like passwords etc.. From my experience, using both "EncryptSensitiveWithUserKey" and "EncryptSensitiveWithPassword" security features has turned out to be unreliable when deploying through SQL Server Agent (even while using a Proxy account having all privileges). This, it seems, is because of issues with the user who created the package being different from the user who deployed the package (which is really ridiculous). So I used the ProtectionLevel "DontSaveSensitive", which means it is not going to encrypt anything in the package and so your sensitive information would be blank. You would have to then supply your password etc using a configuration XML file, using SSIS "Package configuration" in your menu.... This has been the most reliable way of solving the whole problem with encryption. Bear in mind that you might want to put the XML file in a secure location to which no one else has access. Thanks Pramod
View Replies !
SQL 2005 High Protection Failover Error
Hi I am experiencing a problem while performing failover testing on 2005 Standard. I have an application which uses an ODBC connection SQL Native Client with a failover partner. The following is the series of events that cause the problem. I am using a domain admin account whilst testing which has a server login on both servers with the same privileges. Server A (Principal) Server B (Mirror) **Application can connect** Manual failover Server A (Mirror) Server B (Principal) **Application can connect following a restart** Server A is switched off Server B (Principal, disconnected) **Application continues working** ***restarting the application the following error occurs*** "Connection Failed SQLState 08001 SQL Server Error 53 [Microsoft][SQL Native Client]Named Pipes Provider: Could not open a connection to SQL Server [53]. Connection failed: SQLState: '08001' SQL Server Error: 53 [Microsoft][SQL Native Client]An error has occurred while establishing a connection to the server. When connecting to SQL Server 2005, this failure may be caused by the fact that under the default settings SQL Server does not allow remote connections. Connection failed: SQLState: 'S1T00' SQL Server Error: 0 [Microsoft][SQL Native Client]Login timeout expired" Any help with this would be most appreciated Peter
View Replies !
SSIS Package Will Not Execute When DontSaveSensitive Protection Level Is Selected
Hi, Can anyone explain to me why my ssis packages will not work when DontSaveSensitive protection level is selected? My package configurations are set as SQL server configuration type, and I have a table in a database that contains all the sensitive information (passwords and such). If I select "EncryptSensitiveWithUserKey" everything works, but I will be the only one able to execute the packages (not good, I need others to be able to execute them as well). The error I'm getting tells me that the connection is not configured correctly or I may not have the right permissions on the connection. My guess is that the DontSaveSensitive drops the passwords, but when I edit the data source and re-enter the password, it still does not work. Also, the database table I use that contains the sensitive data is not affected, all data remains. What the fudge is going on here? I'm a newbie at this, can someone help me out?
View Replies !
EncryptSensitiveWithPassword Protection Option Cannot Be Used With DTexec Execution Of SSIS Packages
Our SSIS packages use the Web Service Task to call services to send email and write package failure data to a department wide database. These Web Service Calls are failing with HTTP 401 errors. It was caused by the passwords for the HTTP connections not being saved when the SSIS pkgs were saved to .dtsx files. I have tried saving the package with a password and the EncryptSensitiveWithPassword protection option. This password can be supplied when the package is called from another package or a package is executed in Visual Studio but cannot be supplied to DTexec to execute the package in a job. DTexec does have a /Password parameter but it is rejected if the package is loaded from a .dtsx file. This appears to be a bug in DTexec. It only accepts the /Password parameter when the package is loaded with the /SQL option. Specifying /Password and /File is not supported. Is this a known bug? Are there any workarounds? Has anyone successfully called a Web Service from SSIS executed via DTexec?
View Replies !
'System.Data.SqlServerCe.SyncStatus' Is Inaccessible Due To Its Protection Level
I made a merge replication and successfully connected with a mobile device. Everything works fine. Because I wanna try asynchronous synchronization (which won't stop my application executing when subscribing) I read the How-to example from MSDN : http://msdn2.microsoft.com/en-us/library/ms172391.aspx But there is a problem with creating a SyncStatus class object. I can't get into it and I can't create it. Maybe some reference will help? (I use a reference to SQLServerCE). This error stopped my work for now, so I am waiting for some answers. And if it's a simple resolution for this problem - sorry. I just started programming applications for Mobile Devices. Best regards. Maciek Wysocki
View Replies !
SQL Injection
I manage a VBSript/ASP/IIS/SQL website for a nonprofit, and our website has been hacked by SQL injections. I have changed the code on the website so it can't access the database, cleaned the database, backed up the database, but now need to find a way to tighten up the security so it won't happen again. We're a non-profit- so the server is Windows 2000 Terminal SP4 (yeah, I know, it's old, bear with me). I was using the following code to access the database from the website: dbconn.open "DSN=cptigers;UID=sqlwebaccess;Password=password" (where cptigers is the name of the DSN connection with SQL server authentication). So far, I've removed read permission in IIS on the include file that I use to open the database. I've changed the data source to use Windows NT authentication, and set the SQL login MDBCA/cptigers (this is the IIS login) to have public and db_denydatawriter roles. But I'm not sure how to call this database connection in the code (how do you define the IIS user and password?), and not sure if this is sufficient to protect from future SQL injections. Am I heading the right direction? Thanks, Amanda
View Replies !
SQL Injection
What is the best way to avoid SQL injection? I know not to do stuff in Visual Basic such as...
Dim objCmd As New SqlCommand("SELECT * FROM mytable where id ='" & Request.QueryString("id") & "'", objConn)
As it's best to use stored procedures. Are there any other problems you guys might have had happen to you or other possibilities for attackers that I should know about? Cheers
View Replies !
SQL Injection Bug
This is my code:
CommandText = "SELECT * FROM Products"
If textboxStockID.Text.Length > 0 Then
    CommandText = CommandText & " where [StockID] like '%" & textboxStockID.Text & "%'"
End If
Is this subject to the sql injection bug... if so, what changes do I need to make? Canning
View Replies !
SQL Injection ???
Hi All, First explain SQL Injection and how it works, and second what is the solution to SQL Injection..... ? Thanx, Shally
View Replies !
Help On SQL Injection...
Hi All: I can't seem to get this thing to work... When I type this in a textbox : '; exec master.dbo.sp_addsrvrolemember 'redice','sysadmin' -- , there's no response, I mean, I check redice's role, but the System Administrators is not checked. Any idea about this? Thanks in advance.
View Replies !
Sql Injection
Hi there ! Can anyone shed some more light on SQL Injection? Is there any way to get rid of it? If yes then please let me know. With Thanks ! sqlboy
View Replies !
SQL Injection
Does anyone have any insight regarding SQL injection involving a table name t_jiaozhu? Is this a new hack script or old? I am having a hard time finding any clear details other than ways to stop injection from happening. This I know; what I am trying to figure out is what damage may have been caused (worst case) and what would be a good plan of attack to figure out what steps succeeded/failed.
View Replies !
SQL Injection
I want to inject a "where" criteria parametrically, but I can't get this to work:
CREATE PROCEDURE dbo.CopyTestCases
    @Criteria varchar(255)
AS
    declare @t table(NID int not null);
    set transaction isolation level serializable;
    begin tran;
    insert into TestIT (Product,CatID,Category,Title)
        output inserted.TestID into @t(NID)
        select Product,CatID,Category,Title from TestIT where @Criteria order by TestID;
    commit;
GO
I get the message "An expression of non-boolean type specified in a context where a condition is expected". How do I fix this?
View Replies !
SQL Injection
I have a windows 2003 server with SQL Express 2005. The server has about 15 websites and uses ASP. Hackers somehow are creating NT Administrator Users on the server and then logging in with Terminal Services. I ran thru SQL injection and tried to stop these attacks by stopping keywords in the SQL, but they still happen. Can anyone help? I really can't afford to pay for a security analyst so any advice would be nice. How are these guys creating users? thanks Nick
View Replies !
RS And SQL Injection
A new take on my question from yesterday: Does RS do any checks for SQL Injection attacks or is that entirely up to the developer? i.e. if I have a report that uses dynamic SQL and pass in parameters via the web service are these parameters checked in any way?
View Replies !
SQL Injection
I haven't been able to get a clear-cut answer on this so I decided to ask here. I have developed a web application that is used as a front-end to many SQL reports using report viewer. The authentication on the front end uses a stored procedure to match the login name and password. However, many of my reports do NOT use stored procedures. They are just standard text queries. Is this secure? I don't know much about SQL Injection. Could an attacker see all of the data in the database?
SQL Injection
Hi there. I use MS Enterprise Library to get access to my MSSQL database. All actions are performed by stored procedures. Should I check the input parameters for "bad" symbols such as ' or union words, or does the library do all this for me? Thanks.
We Were Injection Attacked, What Now?
One night over the last week someone successfully found a hole in a line of code in an ASP.NET website and was able to run an injection script against our database. I know, I know, stupid stupid stupid of us, but the breach was in an old app and an old database that we hadn't really taken a look at in a while, hence the one hole they found. This script from what I can tell was able to get a list of the databases on the server and attempted to iterate through all of them. The login they seized only had permissions for two db's so that's all they could access, but I'm still very scared about what they could have done with that login. I don't see any data loss, but they definitely dumped the contents of all tables, some of which contained some sensitive information. That information was encrypted but I'm not sure how much better that makes me feel. So my questions:

1) Since the user account they seized was the DBO on the database, what types of things might they have been able to do in the hour or so they were poking around other than run select statements? I know the account had update and delete permissions, although they didn't delete anything. My guess is they didn't want to tip us that they were in so they left the data intact.
2) How should we investigate the health of the DB and the server, to make sure they didn’t insert any scripts that are monitoring or reporting on data?
3) With DBO login access could they have messed with any system tables or settings?
4) Would DBO access allow them to read DB passwords? We’ve changed all of them already but I’m still concerned.

OK, so I’ll stop asking questions because obviously any help you can provide would be awesome. Thanks so much.
Datasets And SQL Injection
I have become a big fan of the datasets in Visual Studio 2005. I usually create the SQL for each method in the table adapter; however, I am wondering if there are any 'built-in' functions in the C files for SQL injection prevention? I have read that using stored procedures is a good method for prevention. Should I be using SPs rather than SQL within my methods in the data table?
SQL Injection Attacks
Hello, our security specialist is running an audit on one of my systems. All pages pass except the login page. It keeps saying I am getting hit with a SQL injection attack. I filter out special characters, both on the client-side validation and the server side. It is only the one page I have that is failing, and I am beginning to wonder if it is producing false positives.

Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
    If Not Page.IsValid Then
        lblError.Text = "Page Invalid"
        Exit Sub
    End If
    Dim strMesage As String = ""
    If Not IsInputSanitized(strMesage) Then
        lblError.Text = strMesage
        Exit Sub
    End If
    If Not ValueIsValid(txtUserName.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValueIsValid(txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValidateUser(txtUserName.Value.Trim, txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_LoginInvalid
    End If
End Sub

Public Function IsInputSanitized(ByRef p_strReturnMessage As String) As Boolean
    Dim loop1 As Integer
    Dim arr1() As String
    Dim coll As NameValueCollection
    Dim regexp As String = "^([^<>" & Chr(34) & "\%;)(&+]*)$"
    Dim reg As Regex = New Regex(regexp)
    coll = Request.Form
    arr1 = coll.AllKeys
    'Start at 1 so you will skip over the __VIEWSTATE
    For loop1 = 0 To UBound(arr1)
        'Skip over the ASPNET-generated controls as they will give a false positive.
        If Left(coll.AllKeys(loop1), 2) <> "__" Then
            If Not reg.IsMatch(Request(arr1(loop1))) Then
                p_strReturnMessage = Globals.Message_InvalidCharacters
                Return False
            End If
        End If
    Next loop1
    'If it never hit false return true
    p_strReturnMessage = "Success"
    Return True
End Function

Here are the other validation routines:

'This is a check to make sure that the String Values Entered into the Database field
'are indeed valid and without characters that can be used in injection attacks
Function ValueIsValid(ByVal p_Input As String) As Boolean
    Dim strIn As String = p_Input
    Dim x As Integer
    Dim A As String
    Dim l_Return As Boolean = True
    For x = 1 To Len(strIn)
        A = Mid(strIn, x, 1)
        'Check each character in the string individually
        If InStr("<>+%|?;()", A) <> 0 Then
            'If this is not a "Bad" character
            l_Return = False
            'tack it onto the output string
        End If
    Next
    Return l_Return
End Function
Protecting From SQL Injection
Hello, I am building a website in ASP.NET 2.0 and I want to protect myself from SQL injection. I am halfway there in that I have built my own class that I use to check any input to the database from a textbox (or user input) for specific characters that cause trouble, such as the “'” or “;”; it then converts them to my own code, for example “'” = |^|. The same function will convert my “code” back to the original character, which works great until I get to GridViews and FormViews. Does anyone know how I would access the class I created through the GridView and FormView so that any info they display gets first translated through my class? Or, if that is not possible, how I would set the GridView or FormView to translate the “codes” for me? If I am totally off track here and there is a much better way to do all this then I am all ears. Please keep in mind I will require the “bad” characters to be saved in some way, shape or form. Thanks
SQL Injection - How To Prevent It?
I am building my first ASP.NET app from scratch and while working on the DAL I came across the problem of SQL injection. I searched on the web and read different articles but I am still unsure about the answer. My question is, should I add

db.AddInParameter(dbCommand, "AvatarImageID", DbType.Int32, avatarImageID);

"add in" parameters to my C# code to avoid SQL injection? What is the best practice? I am unclear if the stored procedure already helps me avoid SQL injection or if I need the add-in parameters in the C# methods to make it work. I need some help. Thanks, Newbie

My C# update method in the DAL (still working on the code):

private static bool Update(AvatarImageInfo avatarImage)
{
    //Invoke a SQL command and return true if the update was successful.
    db.ExecuteNonQuery("syl_AvatarImageUpdate", avatarImage.AvatarImageID, avatarImage.DateAdded, avatarImage.ImageName, avatarImage.ImagePath, avatarImage.IsApproved);
    return true;
}

I am using stored procedures to access the data in the database. My update stored proc:

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[syl_AvatarImageUpdate]
    @AvatarImageID int,
    @DateAdded datetime,
    @ImageName nvarchar(64),
    @ImagePath nvarchar(64),
    @IsApproved bit
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;
    BEGIN TRY
        UPDATE [syl_AvatarImages]
        SET [DateAdded] = @DateAdded,
            [ImageName] = @ImageName,
            [ImagePath] = @ImagePath,
            [IsApproved] = @IsApproved
        WHERE [AvatarImageID] = @AvatarImageID
        RETURN
    END TRY
    BEGIN CATCH
        --Execute LogError SP
        EXECUTE [dbo].[syl_LogError];
        --Being in a Catch Block indicates failure.
        --Force RETURN to -1 for consistency (other return values are generated, such as -6).
        RETURN -1
    END CATCH
END
SQL Injection Problem
Hi everyone, it is the first time I try to do the SQL injection, and I got a problem with the following code.

Dim strSQL as String = ""
Dim objConnection as New oleDBConnection(getConnectionString("image check list"))
strSQL = " insert into tblTest (id, text) value ( 1, @Text)"
cmdSelect.Parameters.Add(New SQLParameter("@Text", "abc"))
Dim objDataAdapter As New oleDBDataAdapter(strSQL, objConnection)
Dim objDS As New DataSet()
objDataAdapter = Nothing
objDS = Nothing

The exception said I have a problem in "cmdSelect". I am using SQL Server as the data store. http://aspnet101.com/aspnet101/tutorials.aspx?id=1 => this is the reference site I read. Can anyone help? Thanks a lot!
SQL Injection Question
Hi, I have a big question about SQL injections. I'm deploying a web site, and I'm using stored procedures; the stored procedures receive the query parameters and then execute the query that I already defined in them. I pass the stored procedure's name and its parameters via a SQL statement, adding the parameters to the string chain. The string chain is something like this:

string sql = "EXEC sp_StoreProcedure1 '" + param1 + "', '" + paramN + "'";

I define the stored procedure's name and the parameters in the string, and then I send the string to execute. My questions are: is there some kind of potential issue or attack that can happen if I make the queries in this way? Is my database secure from SQL injections just because of the use of stored procedures? Thanks for your answers! I'll appreciate them a lot.
SQL Injection - Is This Correct
Hi, I'm building a web application in which I want to prevent SQL injection. I'm using stored procedures, and using queries in my app like this. In my database...

create proc createStudy
    @title varchar(200),
    @text text
as
    insert into studies values(@title,@text)
go

and in my web app...

query = "createStudy '" + titleBox.Text + "','" + textBox.Text + "'"; //title and text boxes are textboxes, createStudy is a stored procedure in my database
OdbcCommand cmd = new OdbcCommand(query, con);
con.Open();
cmd.ExecuteNonQuery();

But before this I do this code:

if (titleBox.Text.Contains("Drop") || titleBox.Text.Contains("Delete"))
    messageLabel.Text = "No permissions to do that";
else
    (...my code)

Is this ok to prevent SQL injection?!?
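As an added example (not code from any of the posts above), this is how the createStudy call in the post above, and an EXEC-style call like the sp_StoreProcedure1 one two posts up, would be issued with SqlCommand parameters instead of a concatenated string; the connection string is assumed, and the createStudy signature is the one the post shows.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class StudyRepository
{
    // Assumed: a SQL Server connection string supplied by the caller.
    // The posts build "createStudy '" + titleBox.Text + "'"; a quote typed
    // into the textbox then ends the SQL string literal early. With a
    // parameter the value is sent separately from the statement text, so
    // it never becomes part of the SQL, and a keyword blacklist such as
    // Contains("Drop") is no longer needed: "Drop" or O'Brien are stored as data.
    public static int CreateStudy(string connectionString, string title, string text)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("createStudy", con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            // Types and sizes mirror the procedure: @title varchar(200), @text text.
            cmd.Parameters.Add("@title", SqlDbType.VarChar, 200).Value = title;
            cmd.Parameters.Add("@text", SqlDbType.Text).Value = text;
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // The same shape for any stored procedure: one parameter per argument,
    // names matching the procedure's declared parameters (procName and the
    // parameter list are hypothetical here, standing in for sp_StoreProcedure1).
    public static int ExecProcedure(string connectionString, string procName,
                                    params (string name, SqlDbType type, object value)[] args)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(procName, con))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            foreach (var (name, type, value) in args)
                cmd.Parameters.Add(name, type).Value = value ?? System.DBNull.Value;
            con.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

Parameters protect the call into the procedure; the procedure body itself must still not concatenate a parameter into a string it passes to EXEC, which is the situation the CopyTestCases post with `where @Criteria` runs into.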