Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
As I am developing an application. How I can find the vulnerabilities which give hackers a chance to attack? And what are the security mechanisms possible here?
For example this code:
foreach (GridViewRow row in USER_GROUP_FROMS.Rows)
{
var chkboxuser = (CheckBox)row.FindControl("mainsupp");
abc = "";
if (chkboxuser.Checked == true)
{
string xe = "DATA SOURCE=technovalms;USER ID=AMC; password=amc;";
OracleConnection conn = new OracleConnection();
conn.ConnectionString = xe;
OracleCommand cmd = new OracleCommand();
cmd.Connection = conn;
conn.Open();
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,'" + user_type.SelectedValue.ToString() + "','" + chkboxuser + "') ";
cmd.ExecuteNonQuery();
}
}
OWASP is your friend:
https://www.owasp.org/index.php/Main_Page
There is a lot of information in the site, you can start with the Web Application Security Testing Cheat Sheet for a good introduction to the subject and a checklist of tasks to be performed during security testing of a Web application.
EDIT
By the way, the code you have provided is vulnerable to SQL Injection Attacks.
You are appending the contents of your controls directly to your query so a user could input something like the following:
1';DELETE FROM TECHNOVA_SMS_USER_PRIVILEAGE'
Voila! They have access to all your database information.
To avoid this you should always filter user input using parameters:
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,':selectedValue',':chkboxuser') ";
cmd.Parameters.Add(new OracleParameter("selectedValue", user_type.SelectedValue.ToString()));
cmd.Parameters.Add(new OracleParameter("chkboxuser", chkboxuser));
Related
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 6 years ago.
Improve this question
Hi i have problem with execute Query with Parameter in access database:
OleDbConnection cnn;
OleDbCommand cmdselect2;
string sqlselect2 = null;
string baza = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=" + #"L:\Windykacja\Sdro\Projekt\projekt.accdb";
connetionString = baza;
sqlselect2 = "SELECT count(POS_Pesel_regon) as Suma FROM POS WHERE POS_Pesel_regon = #PR";
cnn = new OleDbConnection(connetionString);
cnn.Open();
cmdselect2 = new OleDbCommand(sqlselect2, cnn);
Int32 PR1 = Convert.ToInt32(cmdselect2.ExecuteScalar());
cmdselect2.Parameters.AddWithValue("#PR", textBox6.Text);
cmdselect2.Dispose();
cnn.Close();
It's say that my paramter is missing
In insert it works perfectly :)
will be thankfull for any sugestions.
cheers
Because you try to execute your command before you add your parameter. Change those lines
Int32 PR1 = Convert.ToInt32(cmdselect2.ExecuteScalar());
cmdselect2.Parameters.AddWithValue("#PR", textBox6.Text);
to
cmdselect2.Parameters.AddWithValue("#PR", textBox6.Text);
Int32 PR1 = Convert.ToInt32(cmdselect2.ExecuteScalar());
A few things more;
Use using statement to dispose your connection and command automatically instead of calling Close or Dispose methods manually.
Don't use AddWithValue as much as you can. It may generate unexpected and surprising results sometimes. Use Add method overload to specify your parameter type and it's size.
using(var cnn = new OleDbConnection(connetionString))
using(var cmdselect2 = cnn.CreateCommand())
{
cmdselect2.CommandText = #"SELECT count(POS_Pesel_regon) as Suma FROM POS
WHERE POS_Pesel_regon = #PR";
cmdselect2.Parameters.Add("#PR", OleDbType.VarChar).Value = textBox6.Text;
// I assumed your column type as VarChar
cnn.Open();
int PR1 = (int)cmdselect2.ExecuteScalar();
}
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
string conn = "";
conn = ConfigurationManager.ConnectionStrings["Conn"].ToString();
SqlConnection objsqlconn = new SqlConnection(conn);
objsqlconn.Open();
SqlCommand objcmd = new SqlCommand("IF (select 1 from PRODUCT where PRODUCT_NAME=" + Master_product_txt.Text + ")=1
PRINT 'ALREADY AVAILABLE'
ELSE
Insert into PRODUCT(PRODUCT_NAME) Values('" + Master_product_txt.Text + "')
GO", objsqlconn);
objcmd.ExecuteNonQuery();
MessageBox.Show("Details Successfully Added!!!");
I'm trying check the data base values before insert the value, I've wrote query for it, it's working in sql server environment, I could not able to implement same thing in Visual Studio
go is a SSMS (SQL Server Management Studio) statement, it won't work from C#
use parameters to avoid SQL injection
it is unusual to use the Hungarian obj prefix in C#
A quick try at a better version:
var cmd = new SqlCommand(#"
IF NOT EXISTS (SELECT * FROM PRODUCT WHERE PRODUCT_NAME = #NAME)
BEGIN
INSERT INTO PRODUCT (PRODUCT_NAME) VALUES (#NAME)
END
", sqlconn);
cmd.Parameters.AddWithValue("#NAME", Master_product_txt.Text);
cmd.ExecuteNonQuery();
SqlCommand objcmd = new SqlCommand("SELECT 1 from PRODUCT WHERE PRODUCT_NAME=#NAME" , objsqlconn);
//NVarChar
cmd.Parameters.Add("#NAME", SqlDbType.NVarChar,20).Value = Master_product_txt.Text;
objsqlconn.Open();
readr = SelectCommand.ExecuteReader();
if (!readr.HasRows)
{
`// code to insert values here.
}`
PRINT 'ALREADY AVAILABLE' will not work here.For capturing print statement message you have to add an event handler to the InfoMessage event on the connection.And use parametrized query where ever possible. ;)
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 8 years ago.
Improve this question
My code needs to save all the information captured in the WinForm Vendita.
I'm using the following code but it doesn't save the information in the DB and gives me an error indicating a data type mismatch in the criteria expression.
I am using the following code:
System.Data.OleDb.OleDbCommand cmd1 = new System.Data.OleDb.OleDbCommand();
System.Data.OleDb.OleDbCommand cmd2 = new System.Data.OleDb.OleDbCommand();
System.Data.OleDb.OleDbCommand cmd3 = new System.Data.OleDb.OleDbCommand();
cmd1.CommandType = System.Data.CommandType.Text;
cmd2.CommandType = System.Data.CommandType.Text;
cmd1.CommandText = "INSERT INTO FattureVoci ([IDVoce],[CodiceArticolo],[Descrizione],[Quantita],[PrezzoUnitario]) VALUES (#Id,#Prod,#Descr,#Qta,#Prezzo)";
cmd2.CommandText = "INSERT INTO Fatture ([Intestatario],[PartitaIVA]) VALUES (#Intest,#Iva)";
cmd1.Parameters.AddWithValue("#Prod", this.Prodotto.Text);
cmd1.Parameters.AddWithValue("#Iva", Convert.ToInt32(this.PartitaIVA.Text));
cmd1.Parameters.AddWithValue("#Descr", this.Descrizione.Text);
cmd1.Parameters.AddWithValue("#Qta", Convert.ToInt32(this.Qta.Text));
cmd1.Parameters.AddWithValue("#Intest", this.Intestatario.Text);
cmd1.Parameters.AddWithValue("#Id", Convert.ToInt32(this.id.Text));
cmd1.Parameters.AddWithValue("#Prezzo", Convert.ToInt32(this.Prezzo.Text));
cmd1.Connection = conn;
conn.Open();
cmd1.ExecuteNonQuery();
cmd2.ExecuteNonQuery();
conn.Close();
}
Iva and Interest belong to cmd2 instead of cmd1. Change this:
cmd1.Parameters.AddWithValue("#Iva", Convert.ToInt32(this.PartitaIVA.Text));
cmd1.Parameters.AddWithValue("#Intest", this.Intestatario.Text);
To:
cmd2.Parameters.AddWithValue("#Iva", Convert.ToInt32(this.PartitaIVA.Text));
cmd2.Parameters.AddWithValue("#Intest", this.Intestatario.Text);
Also, you are using OleDb, so probably Ms Access: you should provide the parameters in the correct order.
Closed. This question is not reproducible or was caused by typos. It is not currently accepting answers.
This question was caused by a typo or a problem that can no longer be reproduced. While similar questions may be on-topic here, this one was resolved in a way less likely to help future readers.
Closed 8 years ago.
Improve this question
I'm getting a run time error in my program when connecting to a SQL Server CE database.
Can anyone help me, and please don't write the whole code just a line of what needs to be changed to.
Here is my code:
string conString = Properties.Settings.Default.POSdatabaseConnectionString;
using (SqlCeConnection con = new SqlCeConnection(conString))
{
con.Open();
using (SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where Customer ID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
{
SqlCeDataReader reader = com.ExecuteReader();
int count = 0;
while (reader.Read())
{
count = count + 1;
}
if (count == 1)
{
MessageBox.Show("You have logged in succesfully");
Homepage homepage = new Homepage();
homepage.Show();
homepage.LabelText = ("Welcome " + reader["name"].ToString());
}
else
{
MessageBox.Show("Username and password is Not correct ...Please try again");
con.Close();
}
Error:
There was an error parsing the query. [ Token line number = 1,Token line offset = 39,Token in error = ID ]
I think the problem with the space in Customer ID,Try this
SqlCeCommand com = new SqlCeCommand("SELECT * FROM Customer where CustomerID ='" + this.useridtexbox.Text + "' and Name='" + this.nametexbox.Text + "'", con))
In your command, do not use string concatenation. That will fail badly and leave you open to SQL injection attacks.
Image what happens if I enter the following text into this.nametexbox.Text:
Joe'; DROP DATABASE; --
You don't want have someone like little Bobby Tables as user.
Use sql parameters.
If you have tables or fields with spaces, you to have a word with your DBA. If you cannot change it, make sure you use the correct syntax:
WHERE [Customer ID] = '12345'
Make sure you CustomerID column have space
Always use parameterized query to avoid SQL Injection
How does SQLParameter prevent SQL Injection
SqlCeCommand com = new SqlCeCommand = "SELECT * FROM Customer where CustomerID=#CustomerID and
name=#name";
con.Parameters.AddWithValue("#CustomerID", valuesTextBox.Text);
con.Parameters.AddWithValue("#name", namwTextBox.Text);
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How to query on table's view in .Net C# web application ?
for example, here [View_App_Academic] is my table view. My code is listed below. under db scheme, I am not able to see the view due to my user privilege.
string strquery = "select * from [dbo].[View_App_Academic] where recruitment_id=" +
RecruitDropDownList.Text + " and ref_no='" + RefDropDownList.Text + "'";
SqlCommand objCMD = new SqlCommand(strquery, conn);
Use parameterized query always.
Remove [dbo] from your query, you don't need to add [dbo] because it is default database schema.
Change your code to this.
string strquery = "select * from View_App_Academic where recruitment_id=#recruitment_id and ref_no=#ref_no";
SqlCommand objCMD = new SqlCommand(strquery, conn);
objCMD.Parameters.AddWithValue("#recruitment_id", RecruitDropDownList.Text);
objCMD.Parameters.AddWithValue("#ref_no",RefDropDownList.Text);
SqlDataAdapter myAdapter = new SqlDataAdapter();
myAdapter.SelectCommand = objCMD;
DataSet myDataSet = new DataSet();
myAdapter.Fill(myDataSet);
Hope it helps.