Asp.net - SQL Queries Open To SQL Injection Attacks?

Jan 29, 2010

I have re-written my code. I would now like to check if my code is still open to SQL injections after this work. I believe the code is now working as it should, but any blinding errors that you see I'd love to hear about too. My code is now looking like: -code removed-

DB/Reporting :: Is Application Immune To SQL Injection Attacks

Sep 18, 2008

I'm developing a VS2008 ASP.NET VB.NET application that uses a SQL Server Express database. ALL database access is via parametrized stored procedures, where I pass the data for each field to the stored procedure as a parameter.

Open Word Inside Application And Send Queries To MS SQL

Aug 6, 2009

I'm developing an application with Visual Studio 2008 (with Visual Basic). First of all, I'll give a brief of what I'm planning this module will do.

It's an accounting application that I use to administrate some of my company's movements. The application links directly with MS SQL Server 2005, and sends queries to the database like: client name, employee Id, transaction type etc. Right now I'm developing a contracts module, which is intended to be used with Microsoft Word 2007. We want the module to do the following: (It's a contract document; the document should get the variables from the application like contract type [that would change the template of contract used in Microsoft Word depending on the type], client name, salesman name, today's date, name of the company's representative)

1) After the data has been captured from the application (the application has a capture module that sends the info to the database), instantly send the capturer to Microsoft Word, to a layout that has variable fields that should fill themselves with the database information (I don't have a clue on how to do that).

2) The capturer should be able to change text in the contract layout and fix the variables' info in case they were mistyped, and when he/she saves the document, if there were any variables edited, they should get updated in the database; and the document should be saved with a name that has variables in its name (1) today's date in DDMMYY format, 2) first 2 letters of the client's name, 3) last 3 digits from the contract number), save the file in a directory where all contracts are in .docx format (could use any format, it actually doesn't matter), and send the file location to the database, to a table field named "file" which only has the file's route.

3) From my application, when consulting the data, give the app access to the file directly, simply by getting the query from the database.

Detect The Attacks Using Honeypot In .net?

Jun 21, 2010

I need to know how to detect the attacks using a honeypot in vb.net.

LINQ Queries - Combine The First 3 Queries Into A Single Query And Place In A List?

Jan 6, 2010

I am writing a message system on my server, the xml is something like this

<xml>
<entry>
<sender>[code]....

My problem now, I guess, is two-fold: I wish to combine the first 3 queries into a single query and place the result in a list or a collection, or is there a way to do this with a single query that will give me my desired result?

Preventing SQL Injection?

Oct 25, 2010

I have this code

UPDATE OPENQUERY (db,'SELECT * FROM table WHERE ref = ''"+ Ref +"'' AND bookno = ''"+ Session("number") +"'' ')

How would I prevent SQL injections on this?

[code].....

Protection Against SQL Injection And Other?

Dec 4, 2011

I would like to know if removing the following special characters would be enough to protect my program against SQL injection:

"'/*$%()!#^&

VS 2008 Is Dll Injection Possible

Jul 21, 2009

I know it is possible with C#, C++, VB 6 but I'm not sure about VB.NET 2008. I have looked around to see if it is possible but have not found a way. There isn't a specific reason I need to know, just curious... So, is it possible with vb.net, and if so how? CreateRemoteThread?

.net - Code Prevent SQL Injection?

Nov 25, 2009

I've been contracted to analyze an existing Data Provider and I know the following code is faulty; but in order to point out how bad it is, I need to prove that it's susceptible to SQL injection.

Question What "Key" parameter could break the PrepareString function and allow me to execute a DROP statement?

[Code]...

SQL Injection-proofing TextBoxes?

Mar 21, 2012

I've found some tutorials on this already, but they aren't exactly what I'm looking for, I can use the following for username fields and password fields

[Code]...

So I need to run this with parametrized queries rather than how I'm doing it now?

VS 2005 Prevent Sql Injection

Nov 19, 2009

Is there a way to detect if the text in a textbox contains code for SQL injection?

C# - Get SQL Injection Attack From SELECT Statement?

Jul 8, 2009

I know I must use stored procedures as much as possible, but I would like to know the following.

A: Can I get a SQL injection attack from a SELECT statement such as (Select * from MyTable)?

B: Also, can I get a SQL injection attack when I use the SQLDataSource in ASP.NET?

SQL Injection : SELECT Fields FROM Table

Nov 17, 2011

I will post a sequence of examples and thoughts about SQL injection. I wish the experts will correct any small mistake in what I will say so I can know exactly the possible danger.

What is required is to create a function in vb.net that accepts 2 parameters (table_name, fields_list) and returns the result in a DataTable.

Now, I am aware that table_name and fields_list cannot be passed as parameters to the command object using .AddParameter.

Here are a couple of thoughts; what I would like to know is:

1- Which function is exposed to SQL injection?

2- Which function is safer?

Public Class Form14
Dim conn as New SqlClient.SqlConnection(connection_string)
Private Sub Button1_Click( ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click

[code].....

VS 2010 DLL Injection And Packet Editing

Jun 14, 2011

I have a question... I recently came across a program called WPE Pro (Winsock Packet Editor Pro). Basically what it does is let you sniff, edit and send packets intercepted from a process. That's the key word here: PROCESS. From what I can tell WPE uses DLL injection to sniff and inject packets directly into an active socket connection on the target process. What I want to know is how would I go about achieving this? If it isn't possible with the .NET language, is it possible to go to C++ or something?

.net - Prevent SQL Injection In Dynamic Column Names?

Jun 8, 2012

My question is how best to avoid SQL injection with the method I am currently using. EDIT (Reasoning): There are many columns in a number of tables (a number which grows (only) and is maintained elsewhere). I need a method of allowing the user to decide which (predefined) column they want to query (and if necessary apply string functions to). The query itself is far too complex for the user to write themselves, nor do they have access to the db. There are 1000's of users with varying requirements and I need to remain as flexible as possible. I shouldn't have to revisit the code unless the main query needs to change. Also, there is no way of knowing what conditions the user will need to use.

.Net Dependency Injection On Debug Build Using Nant?

May 26, 2009

I have a relatively small app that I'm building using vb.net 2.0 and nant. It's an app that calls out to an external exe to produce some output files, then processes those output files afterwards. I have built an interface to the exe, for which I have created a stub implementation and the real implementation. What I would like to be able to do is use nant to either create a DEBUG build of the app, which calls the stub implementation, or create a PROD build of the app which will use the correct implementation.

VS 2008 Dll Injection - When Dll Is Injected How To Activate A Function

May 17, 2009

I know that hooks are programmed with C++.

I would like to know some stuff here:

1) When a dll is injected, how can you activate a function?
2) What is a class exactly in a dll?
3) Can you design a class?

How To Correctly Create Web Service With WHERE Clause Preventing Injection

Jan 12, 2012

I have a web service running that reliably returns a dataset and allows me to provide a list, now a drop down list box, of records returned. I would like to capture the user's selection from the DDL and call another web service to return detailed information regarding the selection. Hence a WHERE stmt in the query of the web service. I am of course worried about SQL injection. But I would like to at least get the SQL stmt working. The selection is a string field type, and looks like this, [code] Everything works for other web services if I remove the query with the WHERE clause.

Windows Forms Textbox Stored Procedure Code Injection?

Jul 12, 2011

I have the following sub in a windows form:

Private Sub BTNC_storeclientdata_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles BTNC_storeclientdata.Click
' Update Clientdata[code].....

This performs an update in the SQL Database via a stored procedure. When I add '; insert into codeinjection(test) values ('CodeInjected!'); select ' in the last textbox (TBC_phone.Text) the value 'codeinjdected' is inserted into the table codeinjection as well. How can I avoid this?

.Net Cannot See JET Queries?

Dec 5, 2010

I have an Access 2003 backend db and I'm using VB 2005 to connect to the db via connection string. It works ok! I can see all the tables but only some of the queries. Why should some queries be absent? In 1 query I have a user-defined function which cuts up a string. I've created a new VB project with a new connection but the same result. I've compacted the database with no change.

Any Way To Combine Two Queries?

Jun 8, 2011

I am trying to UNION the two queries below without success.

Dim ds1 As New DataSet
Dim MyConnection1 As New OleDb.OleDbConnection(GetPOWERConnectionString())
[Code] .....

Asp.net - Search Queries In .net?

Aug 3, 2011

I am trying to perform a search query using drop down boxes with a button named search. I want it to bring up the data that is searched for. I don't know where to start from; I have looked around for some coding and different ways to do it but they seem complicated. This is the bit of ASP that is my weakness, so I need some assistance and guidance. Below is the code for the page:

<%@ Page Language="VB" MasterPageFile="~/MasterPage.master" AutoEventWireup="false" CodeFile="ForSale.aspx.vb" Inherits="Users_ForSale" title="Properties For Sale" %>
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>

[code]......

Asp.net - SQL Queries Through .NET And JSON?

Feb 19, 2010

I'm trying to figure out how to do SQL queries towards an SQL 2005 Express server and format the return value to JSON. I got the queries working using this (perhaps very newbie-like) code;

Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.UI

[code]....

Available WMI Queries For ManagementObject

Aug 6, 2009

Where can I find information on which WMI queries are in fact available to the .NET interface through ManagementObjectSearcher? The command below returns an exception for "Win32_LogicalDisk", but works for "Win32_Environment". Every reference in MSDN directs to the MSDN library, which contains all Win32 and COM development classes (that seem not to be available from vb .net code):

[Code]...

Multiple Sql Queries?

Nov 5, 2010

I have a form that will have at least 3 separate SQL queries that I want to have submitted with an onclick event.

Parametrized Queries With ADO.NET

May 18, 2012

I've been going through a lot of forums and see a lot of mention of ADO.NET and how it's better to use. I guess because it's newer and being maintained with current times? I've done Google searches for this, but every time I see different programming languages other than VB.NET implementing param queries with ADO.NET, or it brings me to results that have OleDb commands again. Is there a good ADO.NET for VB.NET tutorial with parametrized queries?

Queries - Loop Through Dgv

Dec 14, 2011

Finish my query: it works for the first 2 rows, I need it to loop through my dgv:

[Code]...

Run .sql Files Queries In .net?

Sep 22, 2010

I want to send a vb.net application which will run some updates on the database. I have built the SQL script files which I would normally run through Query Analyzer, but that is not available through MSDE. I know I can use OSQL or ISQL to run these scripts but I really want to run them through a VB.Net application. Here is the code I'm using, which is generating an error because I'm trying to execute more than one statement?

Dim connectionString As String = "<connection string goes here>" ' CONNECTION STRING IS HERE (placeholder)
Dim conn As New SqlClient.SqlConnection(connectionString)
Dim cmd As New SqlClient.SqlCommand

[code]....

Update Queries In VB?

Nov 23, 2009

I have a form which, once the user has entered their correct Account No, will let them access the jobs relating to their number. I now need to use an update query so that once I select yes in the Query handled box, after clicking the update button, this row will then be deleted from the table. Here is the code that I have so far:

Public Class Form1
Private Sub Label1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Label1.Click
End Sub

[code]....

Using Variables In SQL Queries

May 18, 2009

I am a beginner when it comes to VB Express. I went to the FAQ and found what looked like the answer to my question in "Database - How can I put the value of a variable/control into my SQL statement?" which said I should use the code ...... where Field = ' " & variablename & " ' at the end of the SQL statement.

I am using a field defined as an nchar with 10 characters and my variable is defined as a string. My field has been given the value "abcdefghij" so it is full, to avoid confusion with spaces, and even though the variable is identical and I have used the Len command to check there are no hidden spaces etc., when I run the query I get no records selected. What am I doing wrong? If I use Where Field = 'abcdefghij', i.e. specify the value in the SQL, I get the correct records selected, but this does not give me the flexibility I need.
