Protection Against SQL Injection And Other?
Dec 4, 2011
I would like to know if removing the following special characters would be enough to protect my program against SQL Injection:
"'/*$%()!#^&
I have this code
UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ')
How would I prevent SQL Injections on this?
[code].....
I know it is possible with C#, C++, VB 6 but I'm not sure about VB.NET 2008; I have looked around to see if it is possible but have not found a way. There isn't a specific reason I need to know, just curious... So, is it possible with VB.NET, and if so how? CreateRemoteThread?
I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it's susceptible to SQL injection.
Question: What "Key" parameter could break the PrepareString function and allow me to execute a DROP statement?
[Code]...
I've found some tutorials on this already, but they aren't exactly what I'm looking for. I can use the following for username fields and password fields:
[Code]...
So I need to run this with parametrized queries rather than how I'm doing it now?
Is there a way to detect if the text in a textbox contains code for SQL injection?
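The posts above ask three versions of the same question: whether stripping a list of special characters is enough, how to protect a concatenated OPENQUERY string, and how to detect injection in textbox input. The added example below is not from any of the posts and is written in Python against an in-memory SQLite table rather than VB.NET and SQL Server, because the pattern is identical in both: it applies the first post's exact character blacklist `"'/*$%()!#^&`, splices the filtered values into a SELECT the way the OPENQUERY post does, and shows that a value landing in a numeric position needs none of the blacklisted characters to change the query. The parameterised version beside it fixes the statement text and binds the values. The table, column names and rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows (not from the original posts): a booking table with a
# text "ref" and a numeric "bookno", matching the two columns in the OPENQUERY post.
ROWS = [
    ("A100", 7, "Alice"),
    ("A200", 8, "Bob"),
    ("A300", 9, "Carol"),
]

# The character blacklist proposed in the first post, verbatim.
STRIP_CHARS = '"\'/*$%()!#^&'


def strip_blacklist(text: str) -> str:
    """The post's proposed defence: drop every blacklisted character."""
    return "".join(ch for ch in text if ch not in STRIP_CHARS)


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE booking (ref TEXT, bookno INTEGER, name TEXT)")
    conn.executemany("INSERT INTO booking VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn: sqlite3.Connection, ref: str, bookno: str) -> list:
    """Vulnerable pattern from the posts: filter the input, then splice it into
    the statement text. ref lands inside quotes; bookno, being numeric, is
    spliced in unquoted, so no quote character is needed to break out."""
    sql = ("SELECT ref, bookno, name FROM booking WHERE ref = '"
           + strip_blacklist(ref) + "' AND bookno = " + strip_blacklist(bookno))
    return conn.execute(sql).fetchall()


def lookup_param(conn: sqlite3.Connection, ref: str, bookno: str) -> list:
    """Parameterised version: the statement text is fixed and the values travel
    separately, so the driver never parses them as SQL. bookno is also coerced
    to the column's type, so a non-numeric payload is rejected before any query runs."""
    try:
        bookno_int = int(bookno)
    except ValueError:
        return []  # not a booking number at all; nothing to look up
    sql = "SELECT ref, bookno, name FROM booking WHERE ref = ? AND bookno = ?"
    return conn.execute(sql, (ref, bookno_int)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Quoted context: stripping the quote happens to defeat this payload...
    print(lookup_concat(db, "A100' OR '1'='1", "7"))      # []
    # ...but the numeric context needs no blacklisted character at all:
    print(lookup_concat(db, "ZZZ", "0 OR 1=1"))           # all 3 rows
    # The parameterised lookup returns only what was asked for:
    print(lookup_param(db, "A100", "7"))                  # [('A100', 7, 'Alice')]
    print(lookup_param(db, "ZZZ", "0 OR 1=1"))            # []
```

The `0 OR 1=1` payload passes the blacklist untouched because `O`, `R`, space, digits and `=` are not on it, and `AND` binds tighter than `OR`, so the WHERE clause becomes true for every row. Detecting "injection code" in a textbox runs into the same problem: the set of harmful strings depends on where the value lands in the statement, which is why the usual answer is to stop building statements from input at all and bind values with `SqlParameter` (or `?` placeholders, as here) instead.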
I have re-written my code. I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see I'd love to hear about too. My code is now looking like: -code removed-
I know I must use Stored Procedures as much as possible, but I would like to know the following.
A: Can I get a SQL Injection attack from a SELECT statement such as (Select * from MyTable)?
B: Also, can I get a SQL Injection attack when I use the SQLDataSource in ASP.NET?
I will post a sequence of examples and thoughts about SQL injection. I wish the experts would correct any small mistake in what I say, so I can know exactly the possible danger.
The requirement is to create a function in VB.NET that accepts 2 parameters (table_name, fields_list) and returns the result in a DataTable.
Now, I am aware that table_name and fields_list cannot be passed as parameters to the command object using .AddParameter.
Here are a couple of thoughts; what I would like to know is:
1- Which function is exposed to SQL injection?
2- Which function is safer?
Public Class Form14
Dim conn as New SqlClient.SqlConnection(connection_string)
Private Sub Button1_Click( ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click
[code].....
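The post above is right that a table name or column list cannot be bound as a command parameter, and the same constraint is behind the later "user picks the column to query" post. The added example below is not from either post and uses Python with an in-memory SQLite database rather than VB.NET and SQL Server, but the technique carries over directly: identifiers are checked against a fixed allow-list of known tables and columns (here a constructed dictionary; in practice loaded once from the database's own catalogue), delimited, and only then concatenated, while filter values are still bound as parameters. The schema, the `admin_credentials` table and its rows are constructed to make the leak visible.

```python
import sqlite3

# Constructed catalogue (not from the original post): the tables and columns the
# function may touch. In a real deployment this is built from the database's own
# metadata (INFORMATION_SCHEMA.COLUMNS on SQL Server) at start-up, never from input.
ALLOWED_COLUMNS = {
    "customers": {"id", "name", "email"},
    "orders": {"id", "customer_id", "total"},
}


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database with the allow-listed tables plus one table that
    is deliberately NOT allow-listed, standing in for data callers must never reach."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER, name TEXT, email TEXT);
        INSERT INTO customers VALUES (1, 'Alice', 'alice@example.invalid');
        INSERT INTO customers VALUES (2, 'Bob', 'bob@example.invalid');
        CREATE TABLE orders (id INTEGER, customer_id INTEGER, total REAL);
        INSERT INTO orders VALUES (10, 1, 42.0);
        CREATE TABLE admin_credentials (username TEXT, password_hash TEXT);
        INSERT INTO admin_credentials VALUES ('admin', 'constructed-hash');
    """)
    return conn


def select_unchecked(conn: sqlite3.Connection, table_name: str, fields_list: str) -> list:
    """The post's approach: identifiers concatenated straight into the statement."""
    sql = "SELECT " + fields_list + " FROM " + table_name
    return conn.execute(sql).fetchall()


def split_fields(fields_list: str) -> list:
    """'a, b ,c' -> ['a', 'b', 'c']; empty entries are dropped."""
    return [f.strip() for f in fields_list.split(",") if f.strip()]


def identifiers_ok(table_name: str, fields_list: str) -> bool:
    """True only if the table and every requested column exist in the allow-list."""
    if table_name not in ALLOWED_COLUMNS:
        return False
    fields = split_fields(fields_list)
    return bool(fields) and all(f in ALLOWED_COLUMNS[table_name] for f in fields)


def quote_ident(name: str) -> str:
    """Delimit an already-validated identifier (SQL-standard double quotes;
    on SQL Server use QUOTENAME or [brackets] instead)."""
    return '"' + name.replace('"', '""') + '"'


def select_allowlisted(conn: sqlite3.Connection, table_name: str,
                       fields_list: str, filters: dict = None) -> list:
    """Identifiers are checked against the catalogue and delimited; filter VALUES
    are bound as parameters. Identifiers cannot be parameters, but restricting
    them to a fixed set of known names is just as effective."""
    if not identifiers_ok(table_name, fields_list):
        raise ValueError(f"identifier not in allow-list: {table_name!r} / {fields_list!r}")
    cols = ", ".join(quote_ident(f) for f in split_fields(fields_list))
    sql = f"SELECT {cols} FROM {quote_ident(table_name)}"
    params = []
    if filters:
        for col in filters:
            if col not in ALLOWED_COLUMNS[table_name]:
                raise ValueError(f"filter column not in allow-list: {col!r}")
        sql += " WHERE " + " AND ".join(f"{quote_ident(c)} = ?" for c in filters)
        params = list(filters.values())
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = make_db()
    # A comment marker turns the trailing "FROM customers" into dead text and
    # reads from a table the caller was never meant to see.
    leak = "username, password_hash FROM admin_credentials --"
    print(select_unchecked(db, "customers", leak))   # [('admin', 'constructed-hash')]
    print(identifiers_ok("customers", leak))          # False
    print(select_allowlisted(db, "customers", "name, email", {"id": 2}))  # [('Bob', 'bob@example.invalid')]
```

Of the two functions in the post's own terms, the one that concatenates `table_name` and `fields_list` unchecked is the exposed one regardless of how the row values are handled; the safer shape is the second function here, where anything that becomes part of the statement text is drawn from a list the application controls, and anything that is data goes through a parameter.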
I have a question... I recently came across a program called WPE Pro (Winsock Packet Editor Pro). Basically what it does is let you sniff, edit and send packets intercepted from a process. That's the key word here: PROCESS. From what I can tell WPE uses DLL injection to sniff and inject packets directly into an active socket connection on the target process. What I want to know is how would I go about achieving this? If it isn't possible with the .NET language, is it possible to go to C++ or something?
My question is how best to avoid SQL Injection with the method I am currently using. EDIT (Reasoning): There are many columns in a number of tables (a number which grows (only) and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and if necessary apply string functions to). The query itself is far too complex for the user to write themselves, nor do they have access to the db. There are 1000s of users with varying requirements and I need to remain as flexible as possible - I shouldn't have to revisit the code unless the main query needs to change - Also, there is no way of knowing what conditions the user will need to use.
I have a relatively small app that I'm building using VB.NET 2.0 and NAnt. It's an app that calls out to an external exe to produce some output files, then processes those output files afterwards. I have built an interface to the exe, for which I have created a stub implementation and the real implementation. What I would like to be able to do is use NAnt to either create a DEBUG build of the app, which calls the stub implementation, or create a PROD build of the app which will use the correct implementation.
I'm developing a VS2008 ASP.NET VB.NET application that uses a SQL Server Express database. ALL database access is via parametrized stored procedures, where I pass the data for each field to the stored procedure as a parameter.
I know that hooks are programmed with C++.
I would like to know some stuff here:
1) When a dll is injected, how can you activate a function?
2) What is a class exactly in a dll?
3) Can you design a class?
I have a web service running that reliably returns a dataset and allows me to provide a list (now a drop-down list box) of records returned. I would like to capture the user's selection from the DDL and call another web service to return detailed information regarding the selection. Hence a WHERE stmt in the query of the web service. I am of course worried about SQL injection, but I would like to at least get the SQL stmt working. The selection is a string field type, and looks like this: [code] Everything works for other web services if I remove the query with the WHERE clause.
I have the following sub in a windows form:
Private Sub BTNC_storeclientdata_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles BTNC_storeclientdata.Click
' Update Clientdata
[code].....
This performs an update in the SQL database via a stored procedure. When I add '; insert into codeinjection(test) values ('CodeInjected!'); select ' in the last textbox (TBC_phone.Text), the value 'CodeInjected!' is inserted into the table codeinjection as well. How can I avoid this?
I have this .xml file read and displayed at runtime by VB.NET 2003. The .xml file is the database which contains various data, and it's not for adding more data or being edited by the user, so I need to protect the file so that my code can read and display those data. Does anyone know how to protect the file?
I'm getting the error ' ' is not declared. It may be inaccessible due to its protection level with the following code. [code] I tried changing from Private Sub to Public and adding Imports System.Windows.Forms.TextBox but that didn't fix my problem.
View 5 Repliesi know that NO software is safe from hackers etc... i mean if Windows can be cracked and hacked (developed by possibly worlds most advanced programmers) then hobbyists and small developers have alot to hope for.But is there any way i can increase protection for my vb compiled exe?First of all is there a way to remove ALL comments from my compiled code?Is there a good obfuscrator for vb net 2008 code
I'm making a login screen but I couldn't find a way to make textboxes invisible but usable, so I used labels, but now the password label doesn't show password protection. Is there any way I can give the label ******* password protection?
Set a password for a folder using VB.NET source code.
I want to secure my SQL Server database so that no one could open it or access it programmatically without a password. How can I do it? I tried the security section of SQL Server Management Express but it is too complicated for me.
I'm getting closer to the point where I need to look into software protection. Ok, stop laughing. I'm looking for something easy; being able to make trials and unlock via the internet are my primary needs. Does anyone have any recommendations from personal use, or seen any reviews comparing different software? I've seen about a dozen already looking around today but would like anyone's feedback.
I have up until recently developed only in-house custom applications and I have never had a need to protect this software with any type of licensing/protection mechanisms. I'm now working on a new project for a software app that I plan on distributing to a relatively small number of clients (1000 or so) and I need to consider some type of licensing/software protection solution that I can easily integrate into my application. I'm also looking for specific product recommendations (if possible) based on users' experiences. With the vast assortment of product offerings out there, I'm having a very hard time wading through them all.
I would like to stick with a software option over hardware dongle-type solutions so that I can make distribution and activation as painless as possible for my customers, but would consider hardware options if need be. I have tried the KeyLOK hardware evaluation kit but it seems to be a little difficult to implement and it would force my customers to wait days before they could initially activate and use my application. [code] License registration and tracking via the Internet. Software distribution is very controlled and it's not a techie-type user audience, so hacking is not a major concern, but I would like to protect the application as much as possible.
I'm making a program to protect custom game files from being copied, as best I can; however, there are a couple of things I need to account for. Some of them I have; others I have not been able to find information on. When the files are not in use, I have them fully encrypted and hidden from the lay user through a bunch of other tricks (the +s attribute, for example). However, I would also like to prevent copying these files while they are being used by the game; obviously I cannot have them encrypted while the game is attempting to read from them.
This opens up a hole, which I have also tried to deal with, but I know my attempts in this regard are less than thorough:
Stop several well-known copy programs from operating during operation, those being Windows Explorer, Teracopy, and cmd.
Now, the other solution I was thinking of was a FileSystemWatcher object scanning the better part of the computer for any copies of these files located outside of the "OK" directory, but I'm a bit skeptical as to whether or not this would be very efficient. Are there any ways to make copying these files difficult without rendering them unusable to the program?
I'm trying to create a program that enables a user to log into the program using a username and password; first he/she must create an account with some vital information in case the password is forgotten, so it can be retrieved.
When you compile a program to publish with Visual Studio 2010, does that have any advanced methods to keep your program from being decompiled to source code? Are there any methods you would use to encrypt your source code before compiling?
I am trying to add code for a print button (the same code I have used successfully on another project) but this time it's not working. I typed:
PrintForm1.PrintAction = Printing.PrintAction.PrintToPreview
PrintForm1.Print()
BUT... It says "'PrintForm1' is not declared. It may be inaccessible due to its protection level." I didn't change the name of Form1 or anything, so I am really confused why my last project worked and this one doesn't.
Just today I've completed a trial version of my application. I then uploaded it to my webserver, and to my surprise a user already (almost one hour after I uploaded it) bypassed the protection and used the software 8 times (instead of the limit of 1 use)!
My "protection" was pretty weak. After the program has been used, it just writes a value to a single registry key. The user just deletes this registry key and can use the program once more, and so if someone does this enough times, he can use the software for as much time as needed.
Anyway, since I'm not really experienced in programming, do you guys have some nice working and possibly easy-to-implement trial protection? I'm not looking for anything too serious, but it shouldn't be as easy to bypass as my current protection.
I am creating a script programmatically. However I cannot access the dataset from the module. See "Sample" below. ('ds' is not declared. It may be inaccessible due to its protection level.)
[Code].....