Instead of using string concatenation to build the SQL statement, use parameterized queries. Search the articles for "SQL Injection" for examples and why it is a VERY good idea to do so. Your code, as it is now, is very broken, even though it "works".
Why is his code "very broken" from a "SQL Injection" standpoint? He is working with an Access MDB, and even if his UserID was being passed as a string, you cannot concatenate queries in Access, so that does not seem to be an "injection" concern. And, since UserID is actually being passed as an integer, I do not see how a nefarious user would be able to sneak an 'Or' conditional into the where command that will automatically make the result True. What is the 'SQL Injection' issue I am missing in his query?
The potential problem I see with this code is that if 'Password' can contain single quotes, he is not escaping those single quotes in the query being built, and that would create a syntax error. Now parameterized queries would resolve that potential issue, but that can also be handled easily with a Replace statement, and without the use of parameterized queries.
paas wrote: if his UserID was being passed as a string, you can not concatenate queries in Access
Excuse me, but what do you think he was doing in his code? That is EXACTLY string concatenation, building a query by piecing together strings! And YES, this is a HUGE injection concern. The data being fed in is, most likely, not being scrubbed, so it cannot be trusted to get copied directly into an SQL query.
And I suggested searching the articles for "SQL Injection" because there is a very good article on SQL Injection attacks AND, at the point of the question, it shows many examples of using parameterized queries.
paas wrote: And, since UserID is actually being passed as an integer, I do not see how a nefarious user would be able to sneak an 'Or' conditional into the where command that will automatically make the result True.
The UserID was being passed in as an integer, but, if you go back to his posted code, the password was not. What if the password entered started with a "'" character?? I'll leave it up to you to do the very same search I told the OP to do, and read the articles as to why this is a very bad practice.
paas wrote: but that can also be handled easily with a Replace statement, and without the use of parameterized queries.
An insufficient technique that only targets a single attack. This is another bad technique that employs the equally bad philosophy of "enumerating badness". Google that little phrase and you'll see what I mean.
How can I use parameterized queries?
This query which I am using is working with a SQL database, but not with an Access database. With the Access database only the Select query is running, not the others.
When the program gets to cmd.ExecuteNonQuery() it gives the ERROR "Syntax Error in Update Statement".
Thanks & Regards
From:
Vikash Yadav
Well, there's nothing obviously wrong with the syntax, unless your database has the proper table and field names to match what's in the statements. You may want to try replacing the single quotes (') in the statement with double quotes (") and verifying the table and field names.
Dave is right, with the code like this you will be exposed to SQL Injection.
When I installed VS I did not install VB.NET, so I will try to show you how to do it in C#; you can easily convert it to VB.NET.
first you need to create a Stored Procedure like this
Create PROC prc_Update
(
@Password varchar(40),
@UserID int
)
AS
Update tblLogin
set Password=@Password
where UserID =@UserID
Now regarding the ID, you must find another way, maybe use a username, but you have to make sure there is no duplicate username because you might end up updating the wrong records.
and your C# or VB.NET should look like this
using System;
using System.Configuration;   // ConfigurationManager
using System.Data;            // CommandType, SqlDbType
using System.Data.SqlClient;  // SqlConnection, SqlCommand, SqlException

String strcon = ConfigurationManager.AppSettings.Get("MYConnectionstring");
SqlConnection con;
SqlCommand cmdupdate;

// Calls the stored procedure above. The values are bound as typed parameters,
// so they are never spliced into the SQL text.
public int Update_Password(String Password, int id)
{
    con = new SqlConnection(strcon);
    cmdupdate = new SqlCommand();
    cmdupdate.CommandText = "dbo.prc_Update";
    cmdupdate.CommandTimeout = 0; // 0 = wait indefinitely
    cmdupdate.CommandType = CommandType.StoredProcedure;
    cmdupdate.Parameters.Add("@Password", SqlDbType.VarChar, 40).Value = Password;
    cmdupdate.Parameters.Add("@UserID", SqlDbType.Int, 4).Value = id;
    cmdupdate.Connection = con;
    int Results = 0;
    try
    {
        con.Open();
        Results = cmdupdate.ExecuteNonQuery();
    }
    catch (SqlException)
    {
        throw; // rethrow so the caller decides how to handle the failure
    }
    finally
    {
        con.Close(); // always release the connection
    }
    return Results; // number of rows updated
}
Lastly you must stop feeding the database wrong info. The data types and dimension should be the same and you will not have any problems.
Hope you get an idea
Vuyiswa Maseko,
Few companies that installed computers to reduce the employment of clerks have realized their expectations.... They now need more and more expensive clerks even though they call them "Developers" or "Programmers."
C#/VB.NET/ASP.NET/SQL7/2000/2005/2008
http://www.vuyiswamaseko.tiyaneProperties.co.za
vuyiswam@its.co.za
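An added example (not code from any poster in this thread) for the Access case Vikash asked about: the concatenated UPDATE from the original post beside a parameterized OleDb version. The table name tblLogin, its columns and the connection string are assumptions.

```csharp
// Added example: concatenated vs. parameterized UPDATE against an Access .mdb.
// Assumed (not from the thread): table tblLogin(UserID INT, Password TEXT) and an
// OLE DB connection string supplied by the caller.
using System;
using System.Data.OleDb;

public static class LoginRepository
{
    // Vulnerable: a password containing a single quote breaks the statement, and
    // anything typed after that quote is executed as part of the command.
    public static string BuildConcatenated(string password, int userId)
    {
        return "UPDATE tblLogin SET Password='" + password + "' WHERE UserID=" + userId;
    }

    // Safe: the values are bound, never pasted into SQL text. Access/OleDb has no
    // named parameters; each '?' is filled in the order the parameters were added.
    public static int UpdatePassword(string connectionString, string password, int userId)
    {
        // PASSWORD is a reserved word in Access SQL. Unbracketed it produces the
        // "Syntax error in UPDATE statement" reported in the thread; the brackets fix it.
        const string sql = "UPDATE tblLogin SET [Password] = ? WHERE UserID = ?";

        using (var con = new OleDbConnection(connectionString))
        using (var cmd = new OleDbCommand(sql, con))
        {
            cmd.Parameters.Add("@Password", OleDbType.VarWChar, 40).Value = password;
            cmd.Parameters.Add("@UserID", OleDbType.Integer).Value = userId;
            con.Open();
            return cmd.ExecuteNonQuery(); // rows affected; 0 means no such UserID
        }
    }

    public static void Main()
    {
        // Shows the broken statement a quote produces; no database needed for this part.
        Console.WriteLine(BuildConcatenated("it's", 7));
    }
}
```

A Replace on the single quote only patches this one symptom; with parameters there is nothing for the quote to break out of.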
Sir, I started a voluntary blood donors information service. I'm in need of an application with which I can maintain the database, so can anyone of you make it for me? I will be very thankful to you. The application must contain the following fields.
Donor ID
Donor Name
Blood group (must be like a drop down menu with blood groups)
Address
Last blood donated date
phone no
mobile no
date of birth
And in the application there should be a search button with which I can search for a person with a particular blood group, and it must contain add, edit, save, print and delete fields.
Please can anyone do this for me... my work will be a bit faster with this one. The application must be simple, without installing any extra software like dot net, MS Access, SQL, etc.
thanks in advance.
regards,
Neetu.
People here are happy to help if you are stuck somewhere while developing, but nobody is free to give you the source code or write a whole application for you. If you need such a service you can ask this[^] and this[^] people.
By the way, why don't you start the project by yourself, and if you are stuck then you can always come back and ask here.
Hi, thank you so much for the suggestion. Even I'm tired of asking people who are great programmers about my little application, but they don't have any time for this small one. So I was thinking of learning Visual Basic and preparing a good small application for myself. As I'm a beginner, if I get any doubts I will surely ask you people.
thank you.
If you consider .NET to be excess software, you're in the wrong forum :P
neetu149 wrote: sir i started a voluntary blood donors information service
I hope that doesn't mean you're collecting blood with the competence you're showing here.
I am assuming you have the best of intentions ( that is, that you're trying to create something for a free service, and that this is why you're in over your head ). However, no-one is going to write this for you, and statements like:
neetu149 wrote: . the application must be simple without installing any extra softwares like dot net,ms access, sql, etc,.
show that you are really very lost.
1 - you cannot write a VB app without .NET
2 - you need a database for what you're doing, and SQL Server Express is free.
I suggest if you're serious that you buy a book driven to data centric development in .NET and work through it. If you ask specific questions, we'll be more than happy to help you.
Christian Graus
Driven to the arms of OSX by Vista.
Christian Graus wrote:
I hope that doesn't mean you're collecting blood with the competence you're showing here.
For the win!
Any suggestions, ideas, or 'constructive criticism' are always welcome.
"There's no such thing as a stupid question, only stupid people." - Mr. Garrison
Thank you so much for the help. I started learning Visual Basic and it is not as hard as I thought, and I can make my application in a few days.
thank you so much.
I feel bad for the hospital about to get this software...
neetu149 wrote: the application must be simple without installing any extra softwares like dot net,ms access, sql, etc,.
Sure, if you send me your address I'll send you a piece of paper and a pen.
Duuuuh, that's installing extra software. FAIL!
Thank you so much, you have given me a good answer. Surely I'm in need of a pen and paper, as I started learning Visual Basic and in a few days I'm confident that I can prepare the application on my own..
thanks
How can I change my IP to a new IP?
Changing your IP is not as easy as 1, 2, 3. You will have to call up your ISP and request a static IP. Most of the time, they dynamically assign you one based on their allocation. Have fun!
Ranjit Viswakumar
Professional Services Specialist
http://hostmysite.com/?utm_source=bb
I use this and it works only with a static IP. I use a DOS command.
Public Class Form1
    ' Applies a previously saved netsh configuration. "netsh -f" runs a script
    ' file, so this restores saved settings rather than requesting a new IP, and
    ' it needs administrative rights to change interface settings.
    Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
        If RadioButton1.Checked Then
            ' Home settings: fixed to apply home.txt (the original applied work.txt here)
            If Dir("C:\home.txt") <> "" Then
                Shell("cmd.exe /c netsh -f c:\home.txt", vbHide)
                MsgBox("Успешно приложихте Интернет настройки за дома") ' "home settings applied"
            Else
                MsgBox("Нямате архивирани настройки за Интернет в къщи, моля първо ги създайте от менюто Архивирай настройки") ' "no saved home settings, create them first"
            End If
        End If
        If RadioButton2.Checked Then
            ' Work settings: fixed to apply work.txt (the original applied home.txt here)
            If Dir("C:\work.txt") <> "" Then
                Shell("cmd.exe /c netsh -f c:\work.txt", vbHide)
                MsgBox("Успешно приложихте Интернет настройки за работа") ' "work settings applied"
            Else
                MsgBox("Нямате архивирани настройки за Интернет на работа, моля първо ги създайте от менюто Архивирай настройки") ' "no saved work settings, create them first"
            End If
        End If
    End Sub
    ' Saves the current interface configuration as the "home" script
    Private Sub ЗаИнтернетУДомаToolStripMenuItem_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles ЗаИнтернетУДомаToolStripMenuItem.Click
        Shell("cmd.exe /c netsh -c interface dump > c:\home.txt ", vbHide)
        MsgBox("Успешно прехвърлихте текущите настройки на интернет у дома") ' "current settings saved as home"
    End Sub
    ' Saves the current interface configuration as the "work" script
    Private Sub ЗаИнтернетНаРаботаToolStripMenuItem_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles ЗаИнтернетНаРаботаToolStripMenuItem.Click
        Shell("cmd.exe /c netsh -c interface dump > c:\work.txt ", vbHide)
        MsgBox("Успешно прехвърлихте текущите настройки на интернет на работа") ' "current settings saved as work"
    End Sub
    Private Sub RadioButton2_CheckedChanged(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles RadioButton2.CheckedChanged
        ' Intentionally empty; the designer generated this handler
    End Sub
End Class
How to enhance the look or format of forms?
How to draw a line in the menu bar in VB?
It's called a Separator. You can add the menu separator by right-clicking the MenuStrip->Insert->Separator.
modified on Saturday, February 7, 2009 5:35 PM