|
i got sql injection attach on my website plz help me how can i prevent this
thanks in advance
help as a alias.
Be happy and make others happy.Cheer up...........
|
|
|
|
|
Use parameterised queries or preferably stored procedures for all database access. Properly written this should prevent sql injections.
Bob
Ashfield Consultants Ltd
|
|
|
|
|
on login boxes it would be safer to user the following way to secure parameters
========================
SQLConnection conn = new SQLConnection("connstring");
SQLCommand comm = conn.CreateCommand();
comm.CommandText = "SELECT * FROM Admins WHERE (uname = @uname) AND (password = @passw);";
comm.Parameters.AddWithValue("@uname",TextBox1.Text);
comm.Parameters.AddWithValue("@passw",TextBox1.Text);
conn.Open();
SQLDataReader reader = comm.ExecuteReader();
if(reader.Read())
{
//loggedIn
}else{
//invalid
}
========================
What uyou can also do is convert your text input to lowercase check your text input for SQL expressions such as " * , select, delete, update.
string s = "Input string got from box";
if(s.Contains("select") || s.Contains("*")){
//Possible injection attack
}
Le Roux Viljoen
Web Developer
PCW New Media
South African Branch
www.pcwnewmedia.com
|
|
|
|
|
we already try this
plz give me something more
help as a alias.
Be happy and make others happy.Cheer up...........
|
|
|
|
|
Well if you validated input strings coming from text boxes, there wont be a problem, what you can also do is turn debug off, and make sure that remote debugging is also turned off in your web.config server becuase sql injection is usually not possible without knowledge of the database table names and structure. The oke probably where typing in random query text in these boxes to cause this error like " asas); Delete FROM abc; Select * from abc where(uname = " to expose error messages from the server. becuase that would expose the details of the queried table?
What is the specific case where they broke in ? was it on a login, or when adding comments ?
Also assuming you are working from .net, I recommend that you use the built in login validation and role management that comes with visual studio (.Net 2 and up). It implements the best standards and practises for securing login.
Le Roux Viljoen
Web Developer
PCW New Media
South African Branch
www.pcwnewmedia.com
|
|
|
|
|
It's going to be hard to fix your problems without seeing your source code.
Also, site security is a complex topic, and it's difficult to cover everything necessary on a forum. If you're working on anything that's security critical, and you don't know how to make it basically secure, the best solution would be to hire someone who does (and maybe get them to teach you about what they're doing)
(no offence intended - it's a serious point)
|
|
|
|
|
Oh, and I should just mention - whatever you do - don't post a link to your site after telling the world that it's insecure - it's not likely to help your situation in the short term.
|
|
|
|
|
Good suggestions from the other two replies. Just to expand on the points a bit -
Essentially it comes down to not trusting any input from your users. Any time you're using any user supplied data, you have to make absolutely sure that you don't allow it to be treated it as executable code, or else you are allowing untrusted users to modify the intended behaviour of your application.
This includes when you use user data as part of an SQL query string.
(language dependent, treat this as pseudocode)
For example if you are using an SQL query like
SELECT * FROM Users WHERE UserName='$UserName' AND Password='$Password'
You need to ensure that the $UserName and $Password inputs can not contain any SQL code (or client/server code, but that's another story)
If the $UserName field contains something like "Alan';DELETE FROM Users;INSERT INTO USERS (UserName, Password) VALUES ('Hacker', 'MyEasyPassword');"
Then the rogue user would have been able to delete all your users, and insert a new user with the details he wants. This is far from a worst case scenario, which could potentially include having all your sensitive data stolen, existing data modified in ways that you won't notice, and a system put in place to do further malicious activities - all without you even knowing.
There are several approaches to fix this - mostly previously suggested.
1) Thoroughly validate all your input data. Use a whitelist where possible to specify valid input types, and trim out any code that is in the SQL. This includes server script, SQL, and client script code. This approach can be difficult to get right if you use it on its own.
2) As suggested, use parameterised queries.These are safer, as the DB server should not parse the parameter values for code to execute, however you should still be validating your code (or else you're going to be back here asking about cross site scripting attacks, junk data etc)
3) Use stored procedures. These are different to, but have some of the benefits of parametrised queries, though a lot of crap is talked about them... You still need to validate the data.
Hope that helps.
|
|
|
|
|
help as an alias wrote: how can i prevent this
Read Colin's article on this site about such subject. Very useful.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
"Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon
|
|
|
|
|
Hi all.
Is is possible to avoid viewing source code of a web page.
i can disable mouse right click... and i want to restrict from menu options also..
is it possible.
Thank you.
siri
|
|
|
|
|
No, no, and no.
If you do disable the right-mouse all you succeed in doing is annoying people, and not restricting anything.
|
|
|
|
|
Bad idea, since if someone really wants your sourcecode they can just click on file and save as, "wholla instant source", or they can go to their web page cache ect. if it javascript you wish to secure from other developers viewing it you can always use a util that takes out indentation making it harder to read, but then again you can just open Notpad 2 and indent it automatically 
Le Roux Viljoen
Web Developer
PCW New Media
South African Branch
www.pcwnewmedia.com
|
|
|
|
|
No.
There's also very little reason to do it. Writing HTML / CSS markup isn't exactly rocket science, and if someone wants to copy the design of your site, they hardly need the source code to do it. Pretty much anything that's sent out from your webserver must be considered publically accessible.
If you're trying to hide the source for application security / authentication reasons then you have more serious problems. Don't do this under any circumstances. Please.
|
|
|
|
|
If you want to do what stevio said, in terms of user authentication.. or if you can, just use a server-side scripting language such as PHP, CGI or ASP.
Regards,
--Perspx
"When programming in Visual Basic, you can always know whether a given program will become stuck in a loop and never halt. The answer is 'yes'." - Uncyclopedia
|
|
|
|
|
No not entirely possible. You can disable right clicking of the mouse but that'll just annoy people.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer
"Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon
|
|
|
|
|
www.ikvm.net [^]
Im trying to implement some features from a Java application on my employer's SharePoint site. I used IKVMC to compile the Java JAR file to a strongly named .DLL file. Before starting on the web part in VS2005, I wanted to make sure it would work. So I created a basic WinForm app and added the DLL as a referenced assembly (also added two DLLs that came with IKVM) in the application folder. Everything works.
So -- I moved on to creating the web part. I fired up my Virtual Machine (using V2005, VSeWSS 1.1 and W2K3 Server). I added the DLL and put in the same code and I get the following:
[IllegalArgumentException: interface com.iwi.teenserver.dao.hessian.cust.CustomerDataAccess is not visible from class loader]<br />
java.lang.reflect.Proxy.getProxyClass(ClassLoader loader, Class[] interfaces) +3149<br />
java.lang.reflect.Proxy.newProxyInstance(ClassLoader loader, Class[] interfaces, InvocationHandler h) +53<br />
com.iwi.teenserver.dao.hessian.IWIHessianProxyFactory.create(Class api, String hostName, Int32 port) +122<br />
com.iwi.teenserver.dao.hessian.IWIDataAccess.getCustomerDataAccess() +64<br />
DriverSummary.DriverSummaryWebPart.CreateChildControls() +133<br />
System.Web.UI.Control.EnsureChildControls() +87<br />
System.Web.UI.Control.PreRenderRecursiveInternal() +50<br />
System.Web.UI.WebControls.WebParts.WebPart.PreRenderRecursiveInternal() +62<br />
System.Web.UI.Control.PreRenderRecursiveInternal() +170<br />
System.Web.UI.Control.PreRenderRecursiveInternal() +170
modified on Thursday, July 24, 2008 4:48 PM
|
|
|
|
|
No idea.
It didn't occur to you to ask this question in one of the .NET forums? Or maybe an IKVM forum somewhere? I mean, presumably IKVM is doing something to make .NET's reflection look like Java's reflection to the Java code it's compiling, and those support routines are likely at fault here - perhaps contact the IKVM folks and ask 'em if they've tested their stuff in a restricted environment like SharePoint.
Citizen 20.1.01 'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
|
|
|
|
|
I what to add a custom overflow scroll bar for the div's without affecting the Windows scrollbar..is this possible?
Thanks
|
|
|
|
|
Swelborn wrote: is this possible?
Beats me. I've looked all over for a scrollbar labeled "Windows", and just ain't seein' it. Maybe i affected it too much already... 
Citizen 20.1.01 'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
|
|
|
|
|
Well I didn't mean the scrollbar was named 'Windows' I meant the Browser Windows Scrollbar, the one of far right. i don't want that to change in style, just the scrollbar for the div.
|
|
|
|
|
Changing the style of a DIV should only affect the document's scrollbars if they change the size of the DIV enough that it changes the rendered size of the entire document.
Citizen 20.1.01 'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
|
|
|
|
|
Hi To all
I am trying to use web parts to create a facebook like application. where users can custome their profile and view other users profile in asp.net.
thing is what I whould like to know is how do I go towards storing the content and settings of 2 web part zones into a profuile table columns for each profile. can anyone plz point me to a good tutorial or video of how to achieve this. I am sick and tired of walking into sharepoint tutorials and basic tutorials of usine the ASPnetdb built in membership / profiles / webparts.
I know how to use the aspnetdb membership and profile services but I have no idea how to let other users see each other profiles.
Thanks
Le Roux Viljoen
Web Developer
PCW New Media
South African Branch
www.pcwnewmedia.com
|
|
|
|
|
Try the ASP.NET forum. And work on your spelling.
Thanks.
Citizen 20.1.01 'The question is,' said Humpty Dumpty, 'which is to be master - that's all.'
|
|
|
|
|
Thanx and dude sorry I thought I was busy typing into a forum and not the oxford dictionary. your typing wouldnt be 100's if you have been workin on a solution for 16 hours straight.
|
|
|
|
|
Hi, I have developed a website in ASP.NET and now I'm looking for a webhost. I wonder if there's a webhost that can help with the scalability of the site so that you save yourself the headache of moving to another website later if the site starts to get some heavy traffic. In other words a webhost that can make the transition from shared to dedicated as easy as possible, is there such thing? Generally do you know of any good web hosts that you have good experience with? Thanks a lot for any help ...
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
