DB/Reporting :: Is Application Immune To SQL Injection Attacks

Sep 18, 2008

I'm developing a VS2008 ASP.NET VB.NET application that uses a SQL Server Express database. ALL database access is via parametrized stored procedures, where I pass the data for each field to the stored procedure as a parameter.

View 5 Replies



Asp.net - SQL Queries Open To SQL Injection Attacks?

Jan 29, 2010

I have re-written my code, and I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see I'd love to hear about too. My code is now looking like: -code removed-

View 5 Replies

Detect The Attacks Using Honeypot In .net?

Jun 21, 2010

I need to know how to detect the attacks using a honeypot in VB.NET.

View 1 Replies

Preventing SQL Injection?

Oct 25, 2010

I have this code

UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ')
How would I prevent SQL Injections on this?

[code].....

View 8 Replies

Protection Against SQL Injection And Other?

Dec 4, 2011

I would like to know if removing the following special characters would be enough to protect my program against SQL Injection:

"'/*$%()!#^&

View 4 Replies

VS 2008 Is Dll Injection Possible

Jul 21, 2009

I know it is possible with C#, C++, VB 6, but I'm not sure about VB.NET 2008. I have looked around to see if it is possible but have not found a way. There isn't a specific reason I need to know, just curious... So, is it possible with VB.NET, and if so, how? CreateRemoteThread?

View 30 Replies

.net - Code Prevent SQL Injection?

Nov 25, 2009

I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it's susceptible to SQL injection.

Question: What "Key" parameter could break the PrepareString function and allow me to execute a DROP statement?

[Code]...

View 7 Replies

SQL Injection-proofing TextBoxes?

Mar 21, 2012

I've found some tutorials on this already, but they aren't exactly what I'm looking for. I can use the following for username fields and password fields:

[Code]...

So I need to run this with parametrized queries rather than how I'm doing it now?

View 3 Replies

VS 2005 Prevent Sql Injection

Nov 19, 2009

Is there a way to detect if the text in a textbox contains code for SQL Injection?

View 2 Replies

C# - Get SQL Injection Attack From SELECT Statement?

Jul 8, 2009

I know I must use Stored Procedures as much as possible, but I would like to know the following.

A: Can I get a SQL Injection attack from a SELECT statement such as (Select * from MyTable)?

B: Also, can I get a SQL Injection attack when I use the SQLDataSource in ASP.NET?

View 9 Replies

SQL Injection : SELECT Fields FROM Table

Nov 17, 2011

I will post a sequence of examples and thoughts about SQL injection. I wish the experts would correct any small mistake in what I say so I can know exactly the possible danger.

The requirement is to create a function in VB.NET that accepts 2 parameters (table_name, fields_list) and returns the result in a DataTable.

Now, I am aware that table_name and fields_list cannot be passed as parameters to the command object using .AddParameter.

Here are a couple of thoughts; what I would like to know is:

1- which function is exposed to sql injection

2- Which function is more safe

Public Class Form14
Dim conn as New SqlClient.SqlConnection(connection_string)
Private Sub Button1_Click( ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

[code].....

View 15 Replies

VS 2010 DLL Injection And Packet Editing

Jun 14, 2011

I have a question... I recently came across a program called WPE Pro (Winsock Packet Editor Pro). Basically what it does is let you sniff, edit and send packets intercepted from a process. That's the key word here: PROCESS. From what I can tell, WPE uses DLL injection to sniff and inject packets directly into an active socket connection on the target process. What I want to know is how would I go about achieving this? If it isn't possible with the .NET language, is it possible to go to C++ or something?

View 4 Replies

.net - Prevent SQL Injection In Dynamic Column Names?

Jun 8, 2012

My question is how best to avoid SQL Injection with the method I am currently using. EDIT (Reasoning): There are many columns in a number of tables (a number which grows (only) and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and if necessary apply string functions to). The query itself is far too complex for the user to write themselves, nor do they have access to the db. There are 1000's of users with varying requirements and I need to remain as flexible as possible - I shouldn't have to revisit the code unless the main query needs to change. Also, there is no way of knowing what conditions the user will need to use.

View 2 Replies

.Net Dependency Injection On Debug Build Using Nant?

May 26, 2009

I have a relatively small app that I'm building using VB.NET 2.0 and NAnt. It's an app that calls out to an external exe to produce some output files, then processes those output files afterwards. I have built an interface to the exe, for which I have created a stub implementation and the real implementation. What I would like to be able to do is use NAnt to either create a DEBUG build of the app, which calls the stub implementation, or create a PROD build of the app, which will use the correct implementation.

View 2 Replies

VS 2008 Dll Injection - When Dll Is Injected How To Activate A Function

May 17, 2009

I know that hooks are programmed with C++.

I would like to know some stuff here:

1) When a dll is injected, how can you activate a function?
2) What is a class exactly in a dll?
3) Can you design a class?

View 5 Replies

How To Correctly Create Web Service With WHERE Clause Preventing Injection

Jan 12, 2012

I have a web service running that reliably returns a dataset and allows me to provide a list now drop down list box of records returned. I would like to capture the user's selection from the DDL and call another web service to return detailed information regarding the selection. Hence a WHERE stmt in the query of the web service. I am of course worried about SQL injection. But I would like to at least get the SQL stmt working. The selection is a string field type, and looks like this: [code] Everything works for other web services if I remove the query with the WHERE clause.

View 3 Replies

Windows Forms Textbox Stored Procedure Code Injection?

Jul 12, 2011

I have the following sub in a windows form:

Private Sub BTNC_storeclientdata_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles BTNC_storeclientdata.Click
' Update Clientdata[code].....

This performs an update in the SQL Database via a stored procedure. When I add '; insert into codeinjection(test) values ('CodeInjected!'); select ' in the last textbox (TBC_phone.Text) the value 'codeinjdected' is inserted into the table codeinjection as well. How can I avoid this?

View 7 Replies

Reporting Services And Web Application (with HTTPHandler)?

Nov 30, 2009

We are trying to add SQL Reporting Services to a .Net 2.0 Web Application. SRS has been installed on the server successfully, but we get an error when we try to load a report or access the report manager:

Server Error in '/Reports' Application.Configuration Error Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. Parser Error Message: Could not load file or assembly 'netGmrc' or one of its dependencies. The system cannot find the file specified.

The error is coming from a line in the web.config where an httpHandler called Upload.axd is being added to the web application. The entire httpHandler section is listed below.

<httpHandlers>
<add verb="*" path="Upload.axd" type="netGmrc.Upload, netGmrc"/>
<remove verb="*" path="*.asmx"/>

[code]....

When we remove the Upload.axd handler from Web.Config, everything in SRS works fine. What is the proper way to have Reporting Services work along side the web application with this httphandler?

View 1 Replies

DB/Reporting :: Database For Multi-user Application

Jan 28, 2011

I just want some opinions or suggestions regarding database software. We are going to develop a system for 20 or fewer users. I am planning to use MySQL Community Server as our database to lessen the budget for that system; I just want to know if it is OK to use that version. Is there a big difference between MySQL Community Server, Enterprise Server and MS SQL Server in terms of handling data, i.e. security, speed, etc.?

View 2 Replies

DB/Reporting :: Deploying .Net Application With Crystal Reports?

Oct 8, 2008

I have a project that uses a Crystal Report and I'm planning on deploying it. The problem is, is there a common setup for the components that were used in my project, so I don't need to manually register them on the client PC?

View 2 Replies

DB/Reporting :: Install In Window XP PC For Developing Application??

Jun 9, 2008

I am a new developer of Visual Basic and am planning to develop a Windows XP PC-based application for a small retail outlet business. The main functions are to record the daily business transactions and produce reporting at month end.

My question is: what Visual Basic related software or tools do I need to install on my Windows XP PC for developing this application?

View 2 Replies

DB/Reporting :: Stand Alone Application Data Access?

Dec 22, 2008

I am a new convert from VB6 and need some help developing a stand-alone application in VB 2008 that needs access to stored data values. All applications I have developed so far have been for computers that have either SQL Express or Access installed locally on the computer. This has made development really easy since I could use ADO to access and query the data.

The application I am now developing will be installed on a computer that does not have any of the MS Office applications, and I do not want to install SQL Express on the computer. But I still would like to use an 'ADO type' functionality to access, query and modify the data stored in the system. I started looking into using XML, but I was unable to find much information on querying and modifying individual elements.

View 12 Replies

DB/Reporting :: VS Application / Access Db Date Conversion

Jun 2, 2008

I am an Australian user so use date format dd/mm/yyyy...my frmMain has a list box that retrieves a list of date values from the access db and displays them in the correct format (15/12/2000 - dd/mm/yyyy). When I update the DB using that same date the date format becomes reversed (ie interprets as 12/15/2000 - mm/dd/yyyy). [code] I believe the problem is something to do with the fact I am enclosing my date in my code with #'s and that somewhere between visual studio and access, the dates are getting flipped. [code]

View 1 Replies

DB/Reporting :: Making A Database Application Using FlexGrid And An ADO Control?

Apr 9, 2008

A portion of my code is below. I am making a database application using FlexGrid and an ADO Control. I get errors on the statements following .saying that "Overload resolution failed because no accessible 'Fields' accepts this number of Arguments". Can someone explain this error and also a fix for it? I am using Visual Basic 2008.

[Code]...

View 1 Replies

DB/Reporting :: .Net/Oracle Application Best Design When Building Sql Command Parameters

Oct 2, 2009

Currently working on a web-service with Oracle10g as back-end. Here is my problem.

1. The table I need to populate has 100 columns. I have no control over the design of the table.

2. I wanted to use the "deriveparameters" method of OracleCommandBuilder, but found out that this is "costly" in terms of performance. What I initially planned to do was to derive the parameters from an open connection, close the connection, then maybe cache the parameters obtained but I don't know if this is possible.

I am unsure how big of a hit the performance will get if I continue using the "deriveparameters" method WITHOUT caching the parameters driven. The environment is as follows

-intranet
-around 2000 users
-users spread out in different parts of the country

I am not familiar where they will put the web pages of the application, the web service and the database. I don't know if they'll be putting it in different servers or on one server, but that's something we cannot control too, that's why I am looking for the best approach.

I just don't want to hard-code all those parameters; if, for instance, we need to change some properties/parameters, it will be a pain to maintain the code. It would be nice if someone here can point out a way to automate the whole thing without the performance of the system taking a hit.

View 3 Replies

DB/Reporting :: Using SQL 2008 Express With A Multi User .NET Windows Application?

Mar 26, 2009

I'm using SQL 2008 Express with a multi user VB.NET Windows application. Do I have to add each user to the SQL user account? Does NT Authority\SYSTEM work? I do not know how this works. So far I have NT Authority\SYSTEM in the Security-Logins of the Server. But do I have to add it also in the database? In the database Security-User, I have the following:

[Code]...

View 1 Replies

Importing Microsoft.Reporting.WinForms Into Console Application Project?

Jul 26, 2010

I've created a VB Console Application Project and am trying to instantiate a Report Viewer object. To my understanding I need to import Microsoft.Reporting.WinForms however Visual Studio does not recognize this name space. Is there some reference I need to add?

View 4 Replies

DB/Reporting :: Multi User - Windows Application With Back End As SQL Server 2008 Express

Mar 17, 2009

I'm working on a multi user VB.Net windows application with back end as SQL Server 2008 Express. The SQL Server is installed on the intranet network drive. This is the connection string I will be using. Is this correct?

Data Source=.SQLEXPRESS;AttachDbFilename=Q:DatabasePrintDB.mdf;Integrated Security=True;Connect Timeout=30;User Instance=True

View 3 Replies

DB/Reporting :: Save Button The Data Doesn't Show Up In The DataGridView Until Close The Application

Sep 21, 2009

I have a form that has around 4 txtboxes. Data is inserted into these boxes and then a "Save" Button is pressed. I have a GridView added to my form and want to view the entries. The issue I am having is that when I click the save button the data doesn't show up in the DataGridView until I close the application and then re open it.

[Code]....

View 8 Replies

DB/Reporting :: Attach A Dataset To A Table (MS Reporting)?

Jan 9, 2009

I want to do something like this:

Code:
'create a dataset and a table
Dim ds As New DataSet

[code].....

View 5 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved