There is no substitute for doing it the right way.
I have to eliminate a SQL injection error from within a method. What the code is doing is passing in a SQL querystring as the command to a DbCommand object, see the code below. Now, with only minor modifications this error must be eliminated. Here is the description from the scan:
This database query contains a SQL injection flaw. The call to system_data_dll.Data.IDbCommand.ExecuteNonQuery constructs a dynamic SQL query using a variable derived from the user-supplied input. An attacker could exploit this flaw to execute arbitrary SQL queries against the database. ExecuteNonQuery was called on the command object, which contains tainted data. The tainted data originated from earlier calls to system_data.system.data.common..dbconnand.execurereader, system_web_dll.wweb.httprequest.get_params, system_data_dll.system.data.system.data.common.dbaadapter.fill.
Below is the actual function code:
protected object ExecuteScaler(string queryString)
{
    object returnValue = null;
    if (!_iserror)
    {
        if (_trace)
        { DoTrace("TAMIS.Data.Loader.ExecuteScalar", queryString); }
        if (_connection == null || _connection.State == ConnectionState.Closed)
        {
            OpenConnection();
        }
        DbCommand command = _provider.CreateCommand();
        command.Connection = _connection;
        // the complete SQL text, including any user-derived values, arrives here as one string
        command.CommandText = queryString;
        command.CommandType = CommandType.Text;
        if (_useTransaction) { command.Transaction = _transaction; }
        try
        {
            returnValue = command.ExecuteScalar();
        }
        catch (Exception ex)
        {
            if (ex is EntryPointNotFoundException)
                throw; // rethrow without resetting the stack trace
            //if (_useTransaction == true)
            //_transaction.Rollback();
            RollBack();
            LogBLL bll = new LogBLL();
            bll.WriteErrorLog(ex);
            _iserror = true;
        }
        finally
        {
            if ((!KeepAlive && _connection.State == ConnectionState.Open) || _iserror == true)
            {
                CloseConnection();
            }
        }
    }
    else
    {
        returnValue = -1;
    }
    return returnValue;
}
Thanks in advance for all of your help!
The way to avoid conventional SQL-injection attacks is to use SQL parameters. That is, do not pass the values for your query as literals concatenated into the SQL statement; put the names of SQL parameters in those places of the statement instead, and add SQL parameters 'carrying' the actual values to the parameter collection of the command object.
E.g. instead of this:
SELECT col1 FROM table1 WHERE col2 = 'string from user input';
..it should be like this:
SELECT col1 FROM table1 WHERE col2 = @userinput;
..plus creating an SQL parameter named "@userinput", assigning the value 'string from user input' to it and adding it to the parameter collection of the command object.
But the posted method is being passed the final query string as an argument, so at that point it is already too late to do this. You will have to change this method
- either to accept an SQL-parameter collection, with the parameters created where the method is being called,
- or to accept a value collection and create SQL parameters for those values,
and then add the SQL parameters to the command object. The calling code obviously has to be changed accordingly as well.
http://www.dotnetperls.com/sqlparameter
https://msdn.microsoft.com/en-us/library/system.data.common.dbparameter%28v=vs.110%29.aspx
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
holdorf wrote: Now, with only minor modifications this error must be eliminated.
You won't be able to solve this problem with only minor modifications. You'll need to change your data access methods to accept parameters, and change every bit of code that calls them to pass parameters instead of using string concatenation. Since your code seems to be intended to work with multiple database systems, you'll also need to find a way to use the correct parameter representation for each provider - for example, SqlCommand uses named parameters, but OleDbCommand uses positional parameters.
Since you need to fundamentally change your code anyway, you might want to consider replacing your custom data-access methods with something like Dapper. That way, you can concentrate on fixing the code that calls your data access methods, instead of fixing the data access methods themselves.
In case you need it, Troy Hunt has an excellent introductory explanation of SQL Injection on his blog:
Everything you wanted to know about SQL injection (but were afraid to ask)
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
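To make the advice in the two replies above concrete, here is an added example (written for this thread, not code from any poster or from Dapper) of a provider-agnostic scalar helper that takes the statement and its values separately, so the user-controlled value is bound as a DbParameter rather than spliced into the SQL text. It assumes a DbConnection has already been created from the provider factory; the table and column names are the ones from the lookup posted later in this thread, and the -1 sentinel mirrors the original ExecuteScaler.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.Common;

// Added example for this thread; not code from any poster.
public static class SafeScalarQuery
{
    // The shape the scanner flagged: the value is concatenated into the statement,
    // so any quote character in the input changes the structure of the query.
    public static string UnsafeQuery(string userInput)
    {
        return "SELECT ac_sort_order FROM lkup_account_codes WHERE ac_code = '" + userInput + "'";
    }

    // Safe shape: the caller supplies the statement with placeholders and the
    // values separately. This method never builds SQL from the values; it only
    // binds them, and the database receives text and data on separate channels.
    public static object ExecuteScalar(
        DbConnection connection,
        string sqlWithPlaceholders,
        IDictionary<string, object> values,
        DbTransaction transaction = null)
    {
        if (connection.State != ConnectionState.Open)
            connection.Open();

        using (DbCommand command = connection.CreateCommand())
        {
            command.CommandText = sqlWithPlaceholders;
            command.CommandType = CommandType.Text;
            command.Transaction = transaction;

            foreach (KeyValuePair<string, object> kv in values)
            {
                // CreateParameter() returns the provider's own type (SqlParameter,
                // OleDbParameter, ...), which keeps the helper provider-agnostic.
                DbParameter p = command.CreateParameter();
                p.ParameterName = kv.Key;
                p.Value = kv.Value ?? DBNull.Value;
                command.Parameters.Add(p);
            }
            return command.ExecuteScalar();
        }
    }

    // Calling code for the lookup discussed in the thread. "@account" is the named
    // placeholder SqlClient expects; OleDb uses '?' and binds parameters by position,
    // so the placeholder syntax has to follow the provider actually in use.
    public static int GetAccountSortByAccountCode(DbConnection connection, int account)
    {
        var values = new Dictionary<string, object> { { "@account", account } }; // int stays an int
        object result = ExecuteScalar(
            connection,
            "SELECT ac_sort_order FROM lkup_account_codes WHERE ac_code = @account",
            values);
        return (result == null || result == DBNull.Value) ? -1 : Convert.ToInt32(result);
    }
}
```

Note that the value is passed as an int rather than as account.ToString(): a typed parameter also lets the provider reject input that does not match the column type, and the value is never part of the statement text the scanner traces.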
I know there are a lot of posts, but I finally understand and did what I was told to do. I broke the query up with parameters and I am still getting the security error. My code is below, with the parameters removed from the hard-coded string, the calling code, and the implementing code:
The 3 classes with the SQL with the parameters broken out, the calling code, and the implementing code:
Class with the parameters broken out:
public class MyParam
{
    public string name { get; set; }
    public string value { get; set; }
}
public class QueryContainer
{
    string _query;
    // generic type argument restored; the list holds the MyParam entries added by the caller
    public List<MyParam> parameterList = new List<MyParam>();
    public QueryContainer(string query) { _query = query; }
    public string Query
    {
        get
        {
            return _query;
        }
        set { _query = value; }
    }
}
The calling code:
public int GetAccountSortByAccountCode(int account)
{
    // the @account placeholder is bound through parameterList below
    QueryContainer Instance = new QueryContainer("SELECT ac_sort_order FROM lkup_account_codes where ac_code = @account");
    MyParam myParam = new MyParam();
    myParam.name = "@account";
    myParam.value = account.ToString();
    Instance.parameterList.Add(myParam);
    return Convert.ToInt32(ExecuteScaler(Instance, 1));
}
The implementing code:
if (_connection == null || _connection.State == ConnectionState.Closed)
{
    OpenConnection();
}
DbCommand command = _provider.CreateCommand();
command.Connection = _connection;
command.CommandText = Instance.Query;
command.CommandType = CommandType.Text;
foreach (var p in Instance.parameterList)
{
    // CreateParameter() returns the provider's own parameter type, so this
    // works for providers other than SqlClient as well
    DbParameter param = command.CreateParameter();
    param.ParameterName = p.name;
    param.Value = p.value;
    command.Parameters.Add(param);
}
if (_useTransaction) { command.Transaction = _transaction; }
try
{
    returnValue = command.ExecuteScalar();
}
catch (Exception ex)
{
    if (ex is EntryPointNotFoundException)
        throw; // rethrow without resetting the stack trace
    RollBack();
    LogBLL bll = new LogBLL();
    bll.WriteErrorLog(ex);
    _iserror = true;
}
I'm sort of fuzzy about how the sequence of operation works here on this.
I wrote the code, and now I'm building the pieces for it like the web page and buttons.
Here's how I think it works, if I'm totally wrong let me know.
- Write the XML file to submit to Authorize.net for a PayPal transaction: sort of letting Authorize.net or PayPal know that a transaction is coming their way.
- Transmit the XML file to the endpoint at Authorize.Net: I think I'm supposed to pick up the response XML and feed some data to step 3.
- Redirect the customer to the PayPal website, using the PayPal account settings and URL plus query strings.
- Then the customer goes through the motions of paying.
- The customer comes back to the success or cancel page.
- I get a response in some format, with a token or transaction ID and result code.
Hello,
Can anyone suggest some of the best free dashboard samples?
I mostly need web-based ones, either ASP.NET or HTML.
Regards,
SMA
Google will help: search for free dashboard templates and you will find many for free.
modified 20-Sep-20 21:01pm.
I have a project to build a web site with Web Accessibility... please, I don't understand web accessibility... please share some books with me...
W3 Org would define it best!
https://www.w3.org/WAI/intro/accessibility.php
The definition is: Web accessibility means that people with disabilities can use the Web. You can use Google to search for more on this topic.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
I'm stuck with this problem, any help will be appreciated.
I have a web service; it requires authentication to call functions, but I couldn't authenticate.
The function XML is like this:
<s11:Envelope xmlns:s11='http://schemas.xmlsoap.org/soap/envelope/'>
<s11:Header>
<ns1:AuthHeader xmlns:ns1='MOD'>
<ns1:Channel>?XXX?</ns1:Channel>
<ns1:Username>?XXX?</ns1:Username>
<ns1:Password>?XXX?</ns1:Password>
</ns1:AuthHeader>
</s11:Header>
<s11:Body>
<ns1:GetBankList xmlns:ns1='MOD' />
</s11:Body>
</s11:Envelope>
My connection code is:
// the header fields and the GetBankList operation both live in the 'MOD' namespace shown in the envelope above
$baglanti = new SoapClient("https://galaksi.turknippon.com/appservice/mod.asmx?wsdl");
$parm = array();
$parm[] = new SoapVar('channelcode', XSD_STRING, null, null, 'Channel', 'MOD');
$parm[] = new SoapVar('myusername', XSD_STRING, null, null, 'Username', 'MOD');
$parm[] = new SoapVar('mypassword', XSD_STRING, null, null, 'Password', 'MOD');
// the header namespace must match the one the service declares ('MOD'), not the service URL
$Baslik = new SoapHeader('MOD', "AuthHeader", new SoapVar($parm, SOAP_ENC_OBJECT));
$baglanti->__setSoapHeaders(array($Baslik));
// call the operation itself; AuthHeader is a header, not a method of the service
$sonuc = $baglanti->GetBankList();
print_r($sonuc);
Here is a stack trace:
System.Web.Services.Protocols.SoapException: Server was unable to process request. ---> System.NullReferenceException: Object reference not set to an instance of an object. at AppServiceLibrary.AuthHeader.Validate(AuthHeader& credential) in xxxx\Galaxy\Galaxy\AppServiceLibrary\AuthHeader.cs:line 132 at xxxx.AppService.MODService.GetBankList() in xxxx\AppService\mod.asmx.cs:line 1148 --- End of inner exception stack trace ---
What is the error that you get?
There are only 10 types of people in the world, those who understand binary and those who don't.
Hi All,
I have a task to upload and download a Word file from Microsoft OneDrive using a WCF service. Is there a possibility to do that? Is doing the authentication through the WCF service easy without user interaction? Everything should be done in the background.
Regards,
Rajesh
You'll have to start by reading OneDrive's documentation to see what they support.
There are only 10 types of people in the world, those who understand binary and those who don't.
I am new to web development and started with HTML5 and AngularJS.
Listened to 'AngularJS Patterns: Clean Code' by John Papa on Pluralsight.
Downloaded the sample app 'modular' and created a small SPA following the sample app.
The app is created using Visual Studio 2013 ASP.Net Empty website project template.
The directory structure is as follows in Visual Studio 2013.
-- Solution 'Tools'
---------- 'Tools' - Project
------------------- bower_components
-------------------------- angular : other js files at the same level
------------------- src
----------------------- client
---------------------------- app
---------------------------- index.html <<<=====
Project Properties settings:
Project properties -> web -> Start Action -> specific page -> src/client/index.html
Servers -> IIS Express -> Project Url: http://localhost:23263/
Running project using F5, opens a webpage with Url: http://localhost:23263/src/client/index.html#/
The page loads as expected.
Questions:
Q1: I would like to open the page without the path of index.html in the URL, i.e. as http://localhost:23263.
What setting needs to be done to achieve this?
Q2: For the sample application 'modular' I need to set up node.js and gulp and run the gulp server, which listens on a specific port; when I type http://localhost:port_no, the index.html page is opened. Also, I am able to access the page on another device using the IP and port number. How can I achieve this? I didn't publish my website to achieve this, I just started the node server.
I looked at a similar tutorial for developing an Angular app using Visual Studio 2013, but was unable to achieve the above.
http://jaliyaudagedara.blogspot.in/2014/06/creating-empty-aspnet-project-powered.html
Thanks in advance!
Praveen Raghuvanshi
Software Developer
I have been playing around with some very basic code in classic ASP. I have the following simple page that I tried to reach on my own PC:
<!DOCTYPE html>
<html>
<body>
<%
d=weekday(Date)
Select Case d
    Case 1
        response.write("Sleepy Sunday")
    Case 2
        response.write("Monday again!")
    Case 3
        response.write("Just Tuesday!")
    Case 4
        response.write("Wednesday!")
    Case 5
        response.write("Thursday...")
    Case 6
        response.write("Finally Friday!")
    Case Else
        response.write("Super Saturday!!!!")
End Select
%>
<p>This example demonstrates the "Select Case" statement.</p>
<p>You will receive a different greeting based on what day it is.</p>
<p>Note that Sunday=1, Monday=2, Tuesday=3, etc.</p>
</body>
</html>
(copy-pasted from the site http://www.w3schools.com/)
I can only see the ASP code, not its effect in the browser. Given that the code is probably reliable, coming from such a site, and should work, I can only suppose my IIS7 settings are not the right ones to allow classic ASP code to run. I have very little experience with classic ASP and its configuration on IIS. Can anyone give me hints about how to make the whole thing work?
I followed instructions about installing it on IIS 7.0 on Windows 7, which is the configuration I have, but I am not sure it is all I need..... Your link is about installing it on Windows 2012 Server; I think it is not the same, right?
Hi All,
I have a task where I need to develop a web application. This web application enables the user to generate a document and shows it to the user on the web form. When the user clicks Edit, the document should open in the Word application. The user edits it and saves the document, and when he closes the Word application, the changes made in Word are reflected on the web form.
Until now this has been a Windows Forms application, but we want to rewrite it as a web application.
I have some questions.
1. What is the best way to edit the Word document which is there on the server?
2. Do we have complete Office Online compatibility with MVC, so that the document on the server can be opened in Office Online, edited and saved back to the server?
3. Is opening the Word application from JavaScript possible? If possible, I can serialize the file and send it to the local machine.
Could anybody give some insights on this.
Regards,
Rajesh
I need to get a responsive web project up and running as quick as possible.
I am a software guy (C++, Java, js, PHP, Ruby, Python) but I have limited web project experience.
My server is a rented, managed linux. Everything except Microsoft stuff should be possible.
I believe a clever selection of the used system/framework/components is key to success.
This is what I need to do:
1) Responsive design is a must.
2) App wrapper. On Android and iOS there should be the possibility to use an app.
3) User management. Must be scalable to high numbers.
4) User profiles. Users shall have an area where they are able to present themselves. Authoring system shall be limited yet simple.
5) Apps shall make available the user's co-ordinates
6) User comments/Rating system
7) Geo-location: User positions shall be displayed on a map. Displaying user details and selecting a user shall be possible as Google Maps does it with points-of-interest
8) Chat. There shall be a WhatsApp-style chat.
9) Appointments Calendar. Notifications on cell phone and via email (may be a loose integration)
10) Payment. Integration (may be a loose one) of a payment system (PayPal, Amazon?). Payment status needs to be immediately displayed in chat and/or in Calendar.
I'm looking forward to hearing your recommendations.
- Christoph
In a VB.NET 2010 web form application, I just installed a third-party tool on my workstation, and the install modified the web.config file to add references to some new files that are being accessed. Now I am getting the following error message:
"Error 1 It is an error to use a section registered as allowDefinition='MachineToApplication' beyond application level. This error can be caused by a virtual directory not being configured as an application in IIS".
Thus can you give me detailed directions on what I can do to solve this issue?