Protect From SQL Injection?
Hi,
I just read about SQL injection and tested it out with a sample database, and it does hack my database. The article shows how to prevent SQL injection by using application code to remove those keywords and change single quotes to double quotes. Is there any method to prevent SQL injection directly using the database system itself, maybe stored procedures or anything?
Thanks.
Related Forum Messages:
Sql Injection - Are Parameters Enough To Protect You.
Hi all, I have been learning .net and creating a public-facing site. I am therefore worried about SQL injection. My question is... Is enclosing customer input inside .net SQLParameters enough to protect you from SQL injection? If not, why not? I have seen people saying that SQLParameters alone is not enough, but not an explanation of why. Can anyone help? If I use code to remove words like drop or characters like '%' I'm limiting what my users can enter, but if I have to I will. taC
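As an added example that is not part of this thread, the following Python script uses the sqlite3 module as a stand-in for SQL Server and a constructed users table (the names, the table and the helper functions are all assumptions made here). It runs the same input through a concatenated lookup and a parameterised one, and then shows the one thing parameters do not cover on their own: the LIKE wildcards % and _ inside user input, which still need escaping in searches of the "like '%" & text & "%'" kind that appear later in this thread.

```python
import sqlite3

# Constructed sample data, not from the original thread. One name contains
# an apostrophe and one contains LIKE wildcard characters on purpose.
SAMPLE_USERS = [
    (1, "alice"),
    (2, "o'brien"),
    (3, "paul_50%"),
]


def make_db():
    """In-memory SQLite stand-in for the SQL Server database in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_ids_concat(conn, name):
    """The vulnerable pattern: user input pasted into the statement text."""
    sql = "SELECT id FROM users WHERE name = '" + name + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def find_ids_param(conn, name):
    """Parameterised: the statement text is fixed, the value travels separately."""
    sql = "SELECT id FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_breaks_on(conn, name):
    """True if the concatenated form cannot even run for this legitimate input."""
    try:
        find_ids_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


def escape_like(term, esc="\\"):
    """Parameters stop injection but do not neutralise LIKE wildcards:
    % and _ inside user input still act as wildcards unless escaped."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def search_names_naive(conn, term):
    """Parameterised LIKE without wildcard escaping: a lone '%' matches every row."""
    sql = "SELECT name FROM users WHERE name LIKE '%' || ? || '%' ORDER BY id"
    return [row[0] for row in conn.execute(sql, (term,))]


def search_names_escaped(conn, term):
    """Parameterised LIKE with wildcard escaping: '%' means a literal percent sign."""
    sql = ("SELECT name FROM users WHERE name LIKE '%' || ? || '%' ESCAPE '\\' "
           "ORDER BY id")
    return [row[0] for row in conn.execute(sql, (escape_like(term),))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("concat   :", find_ids_concat(db, payload))   # every row
    print("param    :", find_ids_param(db, payload))    # no row
    print("param    :", find_ids_param(db, "o'brien"))  # the apostrophe is just data
    print("naive %  :", search_names_naive(db, "%"))
    print("escaped %:", search_names_escaped(db, "%"))
```

Parameters protect a statement whose text is fixed before the values arrive. They do nothing for a value that is later concatenated into a new statement, for example dynamic SQL assembled inside a stored procedure, or a procedure invoked through an EXEC string built from user input; in those cases the injection point has simply moved.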
How To Protect From SQL Injection In ASP.NET And SQL 2005 For Custom Query Expression?
How to protect from SQL injection in ASP.NET and SQL 2005 for a custom query expression? In my project, I allow the user to enter a custom query expression through the UI, such as
string queryCondition=' sale>20 and sale <100'
string queryCondition=' createDate>"10/10/2005"'
string queryCondition='Fullname like "%Paul%" '
...
I construct SQL based on the queryCondition string, such as
string mysql='select * from mytable where '+queryCondition
I know it's very dangerous because of SQL injection, but it's very convenient for the user to customize the query expression. Could you tell me how to do it? Many thanks!
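One way to keep the convenience of a user-typed condition without handing the string to the database, as an added example and not code from the thread: parse the expression with a tiny whitelist grammar (column names and operators must come from fixed lists, every value becomes a bound parameter) and reject anything the grammar does not recognise. The column list, the mytable rows and the ISO date format used so that string comparison orders dates correctly are assumptions made here; the expressions themselves are the ones quoted in the question.

```python
import re
import sqlite3

# Assumed whitelist of columns the user may filter on (the post names sale,
# createDate and Fullname in mytable; the table itself is constructed below).
ALLOWED_COLUMNS = {"sale", "createDate", "Fullname"}
COMPARISON_OPS = {">", "<", ">=", "<=", "=", "<>"}

# Tokens: number, "double-quoted" or 'single-quoted' string, comparison
# operator, or a bare word (column name or the keywords and/or/like).
# Anything else (';', '--', '(', ...) is simply not a token and is rejected.
_TOKEN = re.compile(r"""\s*(?:
      (?P<num>\d+(?:\.\d+)?)
    | "(?P<dq>[^"]*)"
    | '(?P<sq>[^']*)'
    | (?P<op><>|>=|<=|>|<|=)
    | (?P<word>[A-Za-z_][A-Za-z0-9_]*)
)""", re.VERBOSE)


class QueryError(ValueError):
    """Raised for anything the grammar does not allow."""


def tokenize(text):
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if not m:
            raise QueryError(f"unexpected input at {pos}: {text[pos:pos + 10]!r}")
        tokens.append((m.lastgroup, m.group(m.lastgroup)))
        pos = m.end()
    return tokens


def compile_condition(text):
    """Translate a user expression into (where_clause, params) or raise QueryError.

    Column names and operators are emitted only if they are in the whitelists,
    and every value is a bound parameter, so no user text reaches the statement.
    Grammar: condition (and|or condition)*, with SQL's own and/or precedence.
    """
    tokens = tokenize(text)
    sql, params, i, want_condition = [], [], 0, True
    while i < len(tokens):
        if want_condition:
            if i + 3 > len(tokens):
                raise QueryError("incomplete condition")
            (k_col, col), (k_op, op), (k_val, val) = tokens[i:i + 3]
            if k_col != "word" or col not in ALLOWED_COLUMNS:
                raise QueryError(f"unknown column {col!r}")
            if k_op == "op" and op in COMPARISON_OPS:
                sql_op = op
            elif k_op == "word" and op.lower() == "like":
                sql_op = "LIKE"
            else:
                raise QueryError(f"bad operator {op!r}")
            if k_val == "num":
                params.append(float(val) if "." in val else int(val))
            elif k_val in ("dq", "sq"):
                params.append(val)
            else:
                raise QueryError(f"expected a value, got {val!r}")
            sql.append(f"{col} {sql_op} ?")
            i += 3
            want_condition = False
        else:
            kind, word = tokens[i]
            if kind != "word" or word.lower() not in ("and", "or"):
                raise QueryError(f"expected and/or, got {word!r}")
            sql.append(word.upper())
            i += 1
            want_condition = True
    if not sql or want_condition:
        raise QueryError("empty or dangling expression")
    return " ".join(sql), params


def is_rejected(user_expr):
    """True when the expression is refused before it reaches the database."""
    try:
        compile_condition(user_expr)
        return False
    except QueryError:
        return True


def make_db():
    """Constructed sample table with the columns used in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mytable (Product TEXT, sale REAL, createDate TEXT, Fullname TEXT)")
    conn.executemany("INSERT INTO mytable VALUES (?, ?, ?, ?)", [
        ("Gadget", 150, "2005-11-01", "Paula Jones"),
        ("Gizmo", 5, "2006-12-12", "Anna Lee"),
        ("Widget", 50, "2005-10-11", "Paul Smith"),
    ])
    return conn


def run_query(conn, user_expr):
    """'select * from mytable where <expr>' done safely; returns the Product column."""
    where, params = compile_condition(user_expr)
    rows = conn.execute(f"SELECT Product FROM mytable WHERE {where} ORDER BY Product", params)
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    for expr in ['sale>20 and sale <100', 'Fullname like "%Paul%"',
                 'sale>20; DROP TABLE mytable', 'sale>20 or 1=1']:
        print(expr, "->", "rejected" if is_rejected(expr) else run_query(db, expr))
```

The grammar deliberately has no parentheses, no escaped quotes inside strings and no subqueries; extending it means adding a rule, never loosening the tokenizer. A validated expression in the stored-procedure case further down the thread would be handled the same way: build the text from whitelisted pieces and pass the values as parameters to sp_executesql rather than placing the whole criteria string after WHERE.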
Protect Data From DBA
Hi all, We have SQL Server 2000 on Windows Server 2003. Is there any way in SQL Server 2000 to protect some crucial data, even from the DBA? Thanks in advance...
Protect SQL 7 Data From IS
My client maintains its HR data in an application that uses Oracle as its backend. This highly-sensitive data is basically off limits to all but a select few. Presently, I use a program in Access 97 that allows one high-level HR person to pass their login to linked Oracle tables and copy a large chunk of this data to Access tables. From there I can morph it as needed for the Personnel, Safety, EEOC and other areas. The client sees this PW-protected, encrypted Access DB as safe because, being "only an Access DB", it falls below the radar of IS. This basically means IS can't get to the data. However, accessibility and scalability are non-existent. I'd like to reduce the Access DB to a shell that simply links to Oracle and SQL Server 7 tables and performs a straight pipe of the raw data between DBs. However, now IS will be very interested (since it's SQL 7) and have Administrator rights, therefore causing the HR people to squash the deal. How can I lock SQL 7 up so tight that IS can't get to the data and yet be able to maintain the DB? If this is not feasible, are there any other options that might provide a solution?
How To Protect My Parameters
Hello. I have a report with a parameter called "parm1" that gets a value of "true" or "false" depending on another parameter. When the report is running the parm1 value is "false". How can I protect this parameter from a change by the user? I mean, the user can run the report and then add "&param1 = true" to the URL. Can I do anything against that? I tried marking it as "internal" and I thought that now it can get its value only from inside the report, but it didn't work. Any ideas? Thanks.
Password-Protect DTS Packages
When one uses the DTS wizard, the developer has the option to password-protect the package. I find this to be very useful. I was wondering how to password-protect packages that are not protected? Thanks in advance.
Protect Intellectual Property
Dear All, How is it possible to protect the intellectual property for an integration / analysis project? For instance, if I build a complex solution, how do I prevent others from viewing and copying the solution? Best Regards, T
About Database And Table Protect
Hello, We wrote an ERP, and provide a platform for participators to extend my ERP system, so I will give my participators the database dictionary, but I only want to give a partial database dictionary; I will hide some tables and some fields. I want them not to be able to open the database through SQL Server Management Studio or other tools, only to access the database using our interface. How can I do this? -- I use SQL Server 2005
How To Protect Data Of One Table?
I have a DB on my SQL Server Express 2005. In this DB I have one table and I DON'T want any user to be able to modify data in this table; I want only to show this data (only select statements allowed). If I install this DB on one of my customers' machines, I can see that he can modify data in this table if he logs in to the database with Windows authentication and not with the "USERLOGIN" that I have created with SQL Server authentication. What can I do to remove dbo access in Windows authentication in my DB and "transfer" the dbo to another user access (like MYUSER with SQL Server authentication)? Thank You Mirko
How To Protect DataBase Using Password?
I want only SQL Server Authentication, not Windows Authentication, because if someone copies the database and attaches it at some other place using Windows Authentication then they can see each and everything. I want something like Access (I know its password can be broken very easily). I want to protect the Table & SP Schema; the data is not that important. It's urgent
HOW CAN I PROTECT SQL DB IN AN EXISTING SERVER?
Dear Colleagues, I have designed a Microsoft SQL Server 2005 database application using Visual Basic 2005. I want to control access to the database programmatically, without the End-User opening the database in SQL Server. I want to protect the database structure such as my tables, code, etc. This restriction should include all the Administrators of the Computers on which my application will be deployed. Any modification of my database or code should be implemented only by me. What is the best way to do this using (a) Windows Authentication Login? (b) SQL Server Login? How do I configure the User-Login? NEW: In addition to above question, how best do I achieve this protection if installing the DB with other databases in an already existing server, is it possible to remove the Builtin Admin from the server role?? As in my case, there is no need for anyone else to open the DB in Management Studio at all as my VB application does all that is required. Thanks and best regards, Peter
How To PROTECT SQL Server Database Files ?
Hello, How to protect the structures (Tables, SPs, Views and Functions) of a SQL Server Database? (Password-protect a database file) I have a SQL database that will be distributed with my application; I want to protect its structure from my application's users. Only my application should be able to access the database. Thanks
Tables Protect In Sqlserver 2000
I have some tables in the employee database; this database was created with SQL Server 2000. I built an employee management application with C# and SQL Server 2000. My goal is that after the design of the employee database in SQL Server 2000 is complete, no user can modify my tables or learn the tables' structure. Help me please, thanks and regards
How To Protect A Frequently Real Time DB
Hi Everybody: We have a table which needs to be updated 2 million times per day. It hosts all real-time transactions. There are 200K records in this table. Would you please share your experience with me about how to protect/save such a table in SQL 2000 from any possible damage? We plan to use point-in-time backup (every 5 minutes). It still takes half an hour to recover the whole database. Is there any new technology from Microsoft or SQL 2000 you can recommend? Thank you very much. Joan
How To Protect Encrypted Data When DB Is Stolen
I got a problem concerning encryption. The thing is I have decided to use a symmetric key protected by a certificate to encrypt certain information. Certificates are protected by the database master key and by the service master key. But I also want to be sure that if someone steals my database with all its data he won't be able to decrypt it with his own SQL Server Management Studio where he has all the permissions. Also, after some time I will need to take my database and set it up on another PC. Has anyone ideas how to solve this?? P.S. As far as I know, if the symmetric key is protected by a certificate which is protected by the DB master key and the service master key, then you can't decrypt data if the database is moved to another workstation and opened with another Management Studio. Please can anyone explain how this works (if it's true)? And if this is true, then how can I move my DB without losing access to the encrypted data???
Creation Of Credentials And Certificates To Protect A DB
Hi, I want to know if it's possible to create credentials or certificates in order to protect a SQL 2005 database. Because if someone backs up one of my DBs from my server and tries to restore it on another server, I don't want them to see my DB information, because they don't have the correct credentials or certificates for it. Is this possible? If it is, how do I do it? Best Regards.
How Do I Protect Access Database (MDB File)?
I have developed a small desktop application using C# and MS Access 2002. The database is password protected and contains sensitive data. As many password retrieval tools are available, what should I do to protect the MS Access (.MDB) file? Is there any way through which I can hide the database file?
How To Protect Errorlogs To Tables From Rollbacks
Hey! This post contains the code for this thread: http://www.sqlteam.com/Forums/topic.asp?TOPIC_ID=14475 It deals with the problem of how to prevent log actions in long-running batch jobs from being rolled back. It was heavily inspired by Andy Pope's approach to error handling (http://www.sqlteam.com/item.asp?ItemID=2290) and in fact you will see much of his code here.

The code: This procedure dynamically opens a second connection in parallel to the existing connection of the calling procedure using SQL-DMO. So the second connection runs outside the transaction scope of the calling procedure, and no action you take here is rolled back in case the calling proc fails. So be careful! Keeping data integrity is your job here and you could do many weird things to your database. The procedure dynamically adds a user function that, if called, just returns the object token of the new DMO connection, so any piece of code in the same batch can reuse the existing connection.

LogConstructor

CREATE PROCEDURE LogConstructor
AS
if exists (select * from sysobjects where id = object_id(N'dbo.MFF_GetLogObject') and OBJECTPROPERTY(id, N'IsScalarFunction') = 1)
    drop function dbo.MFF_GetLogObject

DECLARE @Error INT
DECLARE @ErrorMsg VARCHAR(255)
DECLARE @oSQLServer INTEGER
DECLARE @Source VARCHAR(255)
DECLARE @Return INTEGER
declare @dynsql nvarchar(3000)

-- Create the SQLServer object
EXEC @Error = sp_OACreate 'SQLDMO.SQLServer', @oSQLServer OUT
IF @Error <> 0 GOTO OA_Error

-- Set the login process to use NT Authentication
EXEC @Error = sp_OASetProperty @oSQLServer, 'LoginSecure', -1
IF @Error <> 0 GOTO OA_Error

-- Connect to server using NT Authentication
EXEC @Error = sp_OAMethod @oSQLServer, 'Connect', NULL, @@SERVERNAME
IF @Error <> 0 GOTO OA_Error

-- Verify the connection
EXEC @Error = sp_OAMethod @oSQLServer, 'VerifyConnection', @Return OUTPUT
IF @Error <> 0 GOTO OA_Error
IF @Return = 0 GOTO OA_Error

-- Create Function with server object
select @dynsql = N'CREATE Function MFF_GetLogObject () RETURNS INT AS BEGIN RETURN ' + cast(@oSQLServer as varchar) + N' END'
EXEC sp_executesql @dynsql
return

OA_Error:
-- Get the error text
EXEC sp_OAGetErrorInfo @oSQLServer, @Source OUT, @ErrorMsg OUT
SELECT @ErrorMsg = CONVERT(CHAR(16), @Error) + ': ' + @ErrorMsg + ' (Source: ' + @Source + ')'
print @ErrorMsg
return
GO

The next procedure just drops the DMO connection and also drops the user function, as the token is invalid by now. This proc should be called within the same batch as the constructor to clean things up properly.

LogDestructor

CREATE PROCEDURE MFP_LogDestructor
AS
declare @lo int
select @lo = dbo.MFF_GetLogObject()
exec sp_OADestroy @lo
if exists (select * from sysobjects where id = object_id(N'dbo.MFF_GetLogObject') and OBJECTPROPERTY(id, N'IsScalarFunction') = 1)
    drop function dbo.MFF_GetLogObject
GO
Protect Data And Schema SQL SERVER 2005 EXPRESS
We have a commercial VB.NET winforms client/server application that utilizes SQL Server 2005 express edition. The schema and data that the application utilizes is proprietary and could be very damaging if it got into a competitors hands. Is there any way to protect the data and schema of a sql server 2005 express edition database? Will this functionality ever be added? Thanks
Problem Using DPM 2007 To Protect SQL 2005 On Server 2008
I have a problem protecting a SQL 2005 SP2 server on Windows Server 2008 (64-bit), running DPM 2007 on Windows Server 2003 (32-bit). The following SQLVDI event ID 1 is logged in the event viewer: SQLVDI: Loc=SVDS::Open. Desc=BADMEM. ErrorCode=(-1). Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=Global{CC60D260-C5DD-406A-9E63-64A9503A9763}1_SQLVDIMemoryName_0. The UUID changes each time the event is logged, but the first event is followed by: SQLVDI: Loc=SVDS::Cleanup. Desc=Close(channel). ErrorCode=(6)The handle is invalid. . Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=Global{CC60D260-C5DD-406A-9E63-64A9503A9763}1_SQLVDIMemoryName_0. Then this is repeated twice: SQLVDI: Loc=SVDS::Cleanup. Desc=Close(channel). ErrorCode=(6)The handle is invalid. . Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=. Event ID 3201 is then logged by MSSQLSERVER: Cannot open backup device '{CC60D260-C5DD-406A-9E63-64A9503A9763}1'. Operating system error 0x80770006(error not found). This is followed by Event ID 3041: BACKUP failed to complete the command BACKUP DATABASE CommunityServer. Check the backup application log for detailed messages. It looks to me like the virtual device creation fails in the first step, the next three event messages are the cleanup of the failed virtual device, and the final two messages are the failed SQL backup as the expected device doesn't exist. My question is why? The message seems to indicate bad memory, but I'm sure the physical memory is good: the 16GB in this server has been tested extensively, and I have no other issues. Perhaps it's some sort of memory allocation error? I'm going to apply cumulative update 7 to this SQL server to see if it makes a change. What's the latest version of sqlvdi.dll available? TIA, Karl.
SQL Injection
I manage a VBSript/ASP/IIS/SQL website for a nonprofit, and our website has been hacked by SQL injections. I have changed the code on the website so it can't access the database, cleaned the database, backed up the database, but now need to find a way to tighten up the security so it won't happen again. We're a non-profit- so the server is Windows 2000 Terminal SP4 (yeah, I know, it's old, bear with me). I was using the following code to access the database from the website: dbconn.open "DSN=cptigers;UID=sqlwebaccess;Password=password" (where cptigers is the name of the DSN connection with SQL server authentication). So far, I've removed read permission in IIS on the include file that I use to open the database. I've changed the data source to use Windows NT authentication, and set the SQL login MDBCA/cptigers (this is the IIS login) to have public and db_denydatawriter roles. But I'm not sure how to call this database connection in the code (how do you define the IIS user and password?), and not sure if this is sufficient to protect from future SQL injections. Am I heading the right direction? Thanks, Amanda
SQL Injection
What is the best way to avoid SQL injection? I know not to do stuff in Visual Basic such as...
Dim objCmd As New SqlCommand("SELECT * FROM mytable where id ='" & Request.QueryString("id") & "'", objConn)
As it's best to use stored procedures. Are there any other problems you guys might have had happen to you, or other possibilities for attackers, that I should know about? Cheers
SQL Injection Bug
This is my code:
CommandText = "SELECT * FROM Products"
If textboxStockID.Text.Length > 0 Then
    CommandText = CommandText & " where [StockID] like '%" & textboxStockID.Text & "%'"
End If
Is this subject to the SQL injection bug... if so, what changes do I need to make? Canning
SQL Injection ???
Hi All, First, explain SQL injection and how it works, and second, what is the solution to SQL injection? Thanx, Shally
Help On SQL Injection...
Hi All: I can't seem to get this thing to work... When I type this in a textbox: '; exec master.dbo.sp_addsrvrolemember 'redice','sysadmin' -- , there's no response. I mean, I check redice's role, but the System Administrators role is not checked. Any idea about this? Thanks in advance.
Sql Injection
Hi there! Can anyone shed some more light on SQL injection? Is there any way to get rid of it? If yes, then please let me know. With Thanks! sqlboy
SQL Injection
Does anyone have any insight regarding SQL injection involving a table name t_jiaozhu? Is this a new hack script or an old one? I am having a hard time finding any clear details other than ways to stop injection from happening. This I know; what I am trying to figure out is what damage may have been caused (worst case) and what would be a good plan of attack to figure out which steps succeeded/failed.
SQL Injection
I want to inject a "where" criteria parametrically, but I can't get this to work:
CREATE PROCEDURE dbo.CopyTestCases @Criteria varchar(255) AS
declare @t table(NID int not null);
set transaction isolation level serializable;
begin tran;
insert into TestIT (Product,CatID,Category,Title)
output inserted.TestID into @t(NID)
select Product,CatID,Category,Title from TestIT where @Criteria order by TestID;
commit;
GO
I get the message "An expression of non-boolean type specified in a context where a condition is expected". How do I fix this?
SQL Injection
I have a Windows 2003 server with SQL Express 2005. The server has about 15 websites and uses ASP. Hackers somehow are creating NT Administrator users on the server and then logging in with Terminal Services. I ran through SQL injection and tried to stop these attacks by stopping keywords in the SQL, but they still happen. Can anyone help? I really can't afford to pay for a security analyst, so any advice would be nice. How are these guys creating users? thanks Nick
RS And SQL Injection
A new take on my question from yesterday: Does RS do any checks for SQL Injection attacks or is that entirely up to the developer? i.e. if I have a report that uses dynamic SQL and pass in parameters via the web service are these parameters checked in any way?
SQL Injection
I haven't been able to get a clear-cut answer on this so I decided to ask here. I have developed a web application that is used as a front-end to many SQL reports using report viewer. The authentication on the front end uses a stored procedure to match the login name and password. However, many of my reports do NOT use stored procedures. They are just standard text queries. Is this secure? I don't know much about SQL Injection. Could an attacker see all of the data in the database?
SQL Injection
Hi there. I use MS Enterprise library to get access to my MSSQL database. All actions are performed by stored procedures. Should I check the input parameters for "bad" symbols such as ' or union words or the library do all this for me? Thanks.
We Were Injection Attacked, What Now?
One night over the last week someone successfully found a hole in a line of code in an ASP.NET website and was able to run an injection script against our database. I know, I know, stupid stupid stupid of us, but the breach was in an old app and an old database that we hadn't really taken a look at in a while, hence the one hole they found. This script from what I can tell was able to get a list of the databases on the server and attempted to iterate through all of them. The login they seized only had permissions for two db's so that's all they could access, but I'm still very scared about what they could have done with that login. I don't see any data loss, but they definitely dumped the contents of all tables, some of which contained some sensitive information. That information was encrypted but I'm not sure how much better that makes me feel. So my questions 1) Since the user account they seized was the DBO on the database, what types of things might they have been able to do in the hour or so they were poking around other than run select statements. I know the account had update and delete permissions, although they didn't delete anything. My guess is they didn't want to tip us that they were in so they left the data intact. 2) How should we investigate the health of the DB and the server, to make sure they didn’t insert any scripts that are monitoring or reporting on data. 3) With DBO login access could they have messed with any system tables or settings? 4) Would DBO access allow them to read DB passwords? We’ve changed all of them already but I’m still concerned. OK, so I’ll stop asking questions because obviously any help you can provide would be awesome. Thanks so much.
Datasets And SQL Injection
I have become a big fan of the datasets in Visual Studio 2005. I usually create the SQL for each method in the table adapter; however, I am wondering if there is any 'built-in' functions in the C files for sql injection prevention? I have read that using stored procedures is a good method for prevention. Should I be using SP rather than SQL within my methods in the data table?
SQL Injection Attacks
Hello, Our security specialist is running an audit on one of my systems. All pages pass except the login page. It keeps saying I am getting hit with a SQL injection attack. I filter out special characters, both in the client-side validation and on the server side. It is only the one page I have that is failing, and I am beginning to wonder if it is producing false positives.

Protected Sub btnLogin_Click(ByVal sender As Object, ByVal e As System.EventArgs) Handles btnLogin.Click
    If Not Page.IsValid Then
        lblError.Text = "Page Invalid"
        Exit Sub
    End If
    Dim strMesage As String = ""
    If Not IsInputSanitized(strMesage) Then
        lblError.Text = strMesage
        Exit Sub
    End If
    If Not ValueIsValid(txtUserName.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValueIsValid(txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_InvalidCharacters
        Exit Sub
    End If
    If Not ValidateUser(txtUserName.Value.Trim, txtPassword.Value.Trim) Then
        lblError.Text = Globals.Message_LoginInvalid
    End If
End Sub

Public Function IsInputSanitized(ByRef p_strReturnMessage As String) As Boolean
    Dim loop1 As Integer
    Dim arr1() As String
    Dim coll As NameValueCollection
    Dim regexp As String = "^([^<>" & Chr(34) & "\%;)(&+]*)$"
    Dim reg As Regex = New Regex(regexp)
    coll = Request.Form
    arr1 = coll.AllKeys
    'Start at 1 so you will skip over the __VIEWSTATE
    For loop1 = 0 To UBound(arr1)
        'Skip over the ASPNET-generated controls as they will give a false positive.
        If Left(coll.AllKeys(loop1), 2) <> "__" Then
            If Not reg.IsMatch(Request(arr1(loop1))) Then
                p_strReturnMessage = Globals.Message_InvalidCharacters
                Return False
            End If
        End If
    Next loop1
    'If it never hit false, return true
    p_strReturnMessage = "Success"
    Return True
End Function

Here are the other validation routines

'This is a check to make sure that the String Values Entered into the Database field
'are indeed valid and without characters that can be used in injection attacks
Function ValueIsValid(ByVal p_Input As String) As Boolean
    Dim strIn As String = p_Input
    Dim x As Integer
    Dim A As String
    Dim l_Return As Boolean = True
    For x = 1 To Len(strIn)
        A = Mid(strIn, x, 1)
        'Check each character in the string individually
        If InStr("<>+%|?;()", A) <> 0 Then
            'If this is a "Bad" character, fail the check
            l_Return = False
        End If
    Next
    Return l_Return
End Function
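As an added example that is not part of the thread, the two checks from the post above are transcribed to Python and run in front of a constructed login lookup. Neither character list in the post includes the single quote, the equals sign or the space, so a classic quote-based input passes both checks unchanged, while ordinary values containing & or % are turned away. ValidateUser's SQL is not shown in the post, so the two lookups below (one concatenated, one parameterised, over an in-memory sqlite3 table) are hypothetical stand-ins for it.

```python
import re
import sqlite3

# The two checks from the post, transcribed to Python.
# IsInputSanitized: every posted field except the "__" ASP.NET ones must
# match ^([^<>"%;)(&+]*)$ ; ValueIsValid: none of the characters <>+%|?;()
FORM_FIELD_RE = re.compile(r'^([^<>"%;)(&+]*)$')
BAD_CHARS = set("<>+%|?;()")


def is_input_sanitized(form):
    """Mirror of IsInputSanitized over a dict of posted form fields."""
    return all(FORM_FIELD_RE.match(value) is not None
               for key, value in form.items() if not key.startswith("__"))


def value_is_valid(text):
    """Mirror of ValueIsValid: reject any character from the fixed list."""
    return not any(ch in BAD_CHARS for ch in text)


def passes_login_filters(username, password):
    """Everything btnLogin_Click checks before it reaches ValidateUser."""
    form = {"__VIEWSTATE": "dDw...", "txtUserName": username, "txtPassword": password}
    return (is_input_sanitized(form)
            and value_is_valid(username.strip())
            and value_is_valid(password.strip()))


def make_db():
    """Constructed users table (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "correct horse"), (2, "amanda", "battery staple")])
    return conn


def validate_user_concat(conn, username, password):
    """Hypothetical ValidateUser built by string concatenation; returns matching ids."""
    sql = ("SELECT id FROM users WHERE username = '" + username +
           "' AND password = '" + password + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]


def validate_user_param(conn, username, password):
    """The same lookup with bound parameters: the input is only ever data."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (username, password))]


if __name__ == "__main__":
    db = make_db()
    probe = "' OR 'a'='a"          # contains none of the filtered characters
    print("filters pass :", passes_login_filters(probe, probe))
    print("concat match :", validate_user_concat(db, probe, probe))   # every user
    print("param match  :", validate_user_param(db, probe, probe))    # nobody
    print("legit AT&T   :", passes_login_filters("AT&T", "pw"))       # rejected
```

A character blacklist can only fail open (a missing character) or fail closed (a legitimate one refused), and the post's audit result is consistent with the first case; the parameterised lookup needs no list at all, because nothing in the input is interpreted as SQL.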
Protecting From SQL Injection
Hello, I am building a website in ASP.net 2.0 and I want to protect myself from SQL injection. I am half way there in that I have built my own class that I use to check any input to the database from a textbox (or user input) for specific characters that cause trouble, such as the ' or the ; it then converts them to my own code, for example ' = |^|. The same function will convert my "code" back to the original character, which works great until I get to GridViews and FormViews. Does anyone know how I would access the class I created through the GridView and FormView so that any info they display gets first translated through my class? Or, if that is not possible, how I would set the GridView or FormView to translate the "codes" for me? If I am totally off track here and there is a much better way to do all this then I am all ears. Please keep in mind I will require the "bad" characters to be saved in some way, shape or form. Thanks
SQL Injection - How To Prevent It?
I am building my first ASP.Net app from scratch and while working on the DAL I came across the problem of SQL injection. I searched the web and read different articles but I am still unsure about the answer. My question is whether I should add
db.AddInParameter(dbCommand, "AvatarImageID", DbType.Int32, avatarImageID);
Add in Parameters to my C# code to avoid SQL injection. What is the best practice? I am unclear if the stored procedure already helps me avoid SQL injection or if I need the add in parameters in the C# methods to make it work. I need some help. Thanks, Newbie

My C# update method in the DAL (still working on the code):

private static bool Update(AvatarImageInfo avatarImage)
{
    //Invoke a SQL command and return true if the update was successful.
    db.ExecuteNonQuery("syl_AvatarImageUpdate", avatarImage.AvatarImageID, avatarImage.DateAdded, avatarImage.ImageName, avatarImage.ImagePath, avatarImage.IsApproved);
    return true;
}

I am using stored procedures to access the data in the database. My update stored proc:

set ANSI_NULLS ON
set QUOTED_IDENTIFIER ON
GO
ALTER PROCEDURE [dbo].[syl_AvatarImageUpdate]
    @AvatarImageID int,
    @DateAdded datetime,
    @ImageName nvarchar(64),
    @ImagePath nvarchar(64),
    @IsApproved bit
AS
BEGIN
    -- SET NOCOUNT ON added to prevent extra result sets from
    -- interfering with SELECT statements.
    SET NOCOUNT ON;
    BEGIN TRY
        UPDATE [syl_AvatarImages]
        SET [DateAdded] = @DateAdded,
            [ImageName] = @ImageName,
            [ImagePath] = @ImagePath,
            [IsApproved] = @IsApproved
        WHERE [AvatarImageID] = @AvatarImageID
        RETURN
    END TRY
    BEGIN CATCH
        --Execute LogError SP
        EXECUTE [dbo].[syl_LogError];
        --Being in a Catch Block indicates failure.
        --Force RETURN to -1 for consistency (other return values are generated, such as -6).
        RETURN -1
    END CATCH
END
SQL Injection Problem
Hi everyone, it is the first time I try to do the SQL injection, and I got a problem with the following code.

Dim strSQL as String = ""
Dim objConnection as New oleDBConnection(getConnectionString("image check list"))
strSQL = " insert into tblTest (id, text) value ( 1, @Text)"
cmdSelect.Parameters.Add(New SQLParameter("@Text", "abc"))
Dim objDataAdapter As New oleDBDataAdapter(strSQL, objConnection)
Dim objDS As New DataSet()
objDataAdapter = Nothing
objDS = Nothing

The exception said I have a problem in "cmdSelect". I am using SQL Server as the data store. http://aspnet101.com/aspnet101/tutorials.aspx?id=1 => this is the reference site I read. Can anyone help? Thanks a lot!
SQL Injection Protection (C#.NET)
Alright, so I have a basic search function to look through a field in my database which is decided by a query string.

<asp:SqlDataSource ID="SqlDataSource1" runat="server"
    ConnectionString="<%$ ConnectionStrings:DatabaseConnectionString %>"
    SelectCommand="SELECT * FROM [Employee] WHERE ([Responsibilities] LIKE '%' + @Responsibilities + '%')">
    <SelectParameters>
        <asp:QueryStringParameter Name="Responsibilities" QueryStringField="q" Type="String" />
    </SelectParameters>
</asp:SqlDataSource>

But I'd really like to fix it using parameterized SQL queries, so that people aren't dropping my tables. >_> I've been looking around for some code on how to do this in C#.NET, and most of them seem to look like this:

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
SqlCommand objCommand = new SqlCommand("SELECT * FROM User WHERE Name = @Name AND Password = @Password", objConnection);
objCommand.Parameters.Add("@Name", NameTextBox.Text);
objCommand.Parameters.Add("@Password", PasswordTextBox.Text);
SqlDataReader objReader = objCommand.ExecuteReader();

My problem is that I don't really know how to go from my code to this code... I mean, would I throw the latter in my backend code and call what it returns as a string, or would I entirely replace my DataSource and do something with the code? Any help, in the form of tutorials or just straight up telling me here, would be greatly appreciated. Thanks. =D
SQL Injection Question
Hi, I have a big question about SQL injections. I'm deploying a web site, and I'm using stored procedures; the stored procedures receive the query parameters and then execute the query that I already defined in them. I pass the stored procedure's name and its parameters via a SQL statement, adding the parameters to the string chain. The string chain is something like this:
string sql = ("EXEC sp_StoreProcedure1 ' " + param1 + " ' + ' " paramN" ' )
I define the stored procedure's name and the parameters in the string, and then I send the string to execute. My questions are: is there some kind of potential issue or attack that can happen if I make the queries in this way? Is my database secure from SQL injections just because of the use of stored procedures? Thanks for your answers! I'll appreciate them a lot.