Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
As I am developing an application. How I can find the vulnerabilities which give hackers a chance to attack? And what are the security mechanisms possible here?
For example this code:
foreach (GridViewRow row in USER_GROUP_FROMS.Rows)
{
var chkboxuser = (CheckBox)row.FindControl("mainsupp");
abc = "";
if (chkboxuser.Checked == true)
{
string xe = "DATA SOURCE=technovalms;USER ID=AMC; password=amc;";
OracleConnection conn = new OracleConnection();
conn.ConnectionString = xe;
OracleCommand cmd = new OracleCommand();
cmd.Connection = conn;
conn.Open();
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,'" + user_type.SelectedValue.ToString() + "','" + chkboxuser + "') ";
cmd.ExecuteNonQuery();
}
}
OWASP is your friend:
https://www.owasp.org/index.php/Main_Page
There is a lot of information in the site, you can start with the Web Application Security Testing Cheat Sheet for a good introduction to the subject and a checklist of tasks to be performed during security testing of a Web application.
EDIT
By the way, the code you have provided is vulnerable to SQL Injection Attacks.
You are appending the contents of your controls directly to your query so a user could input something like the following:
1';DELETE FROM TECHNOVA_SMS_USER_PRIVILEAGE'
Voila! They have access to all your database information.
To avoid this you should always filter user input using parameters:
cmd.CommandText = "insert into TECHNOVA_SMS_USER_PRIVILEAGE(ID,SMS_USER_ID,SMS_PAGE_ID) values(SEQUENCEMODEL.nextval,':selectedValue',':chkboxuser') ";
cmd.Parameters.Add(new OracleParameter("selectedValue", user_type.SelectedValue.ToString()));
cmd.Parameters.Add(new OracleParameter("chkboxuser", chkboxuser));
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I want to insert record to student table and I used a SqlCommand but when executing command as shown here, a datatype mismatch error occurs.
System.Data.SqlClient.SqlCommand cmd = new System.Data.SqlClient.SqlCommand("insert into Student(studentID,studentName,birthDate) values(" + studentID.Text + ",'" + studentName.Text +"','" + birthDate.Text + "')", con);
You can use parameters to solve this problem like this:
SqlCommand cmd = new SqlCommand("insert into Student(studentID, studentName, birthDate) values(#studentID, #studentName, #birthDate)" , con);
cmd.Parameters.AddWithValue("#studentID", studentID.Text);
cmd.Parameters.AddWithValue("#studentName", studentName.Text);
cmd.Parameters.AddWithValue("#birthDate", birthDate.Text);
cmd.ExecuteNonQuery();
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
there is a table to store borrowed items called borrowTable, lets say a customer take multiple items, I know how to select and insert a single item but how to select and insert multiple items in a single click?
Take all your data in a datatable(We can call 'myTable' here) and you can insert as follows
string sql = "INSERT INTO MyTable (Col1, Col2) VALUES (#Value1, #Value2)";
using (MySqlConnection con = new MySqlConnection(connectionString))
{
int retvalue;
con.Open();
foreach (DataRow row in myTable.Rows)
{
MySqlCommand myCommand = new MySqlCommand();
myCommand.Connection = con;
myCommand.CommandText = sql;
myCommand.Parameters.AddWithValue("#Value1", r["Value1"]);
myCommand.Parameters.AddWithValue("#Value2", r["Value2"]);
retvalue = myCommand.ExecuteNonQuery();
}
}
The simplest way to copy lots of data from any resources to SQL Server is BulkCopying.
See this example.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 8 years ago.
Improve this question
I'm trying to insert data from my ASP.NET web application into a SQL Server database table (which I have previously created). The code I have doesn't seem to be working, the error message displays, and the actual data doesn't appear to get saved to the database.
var conn = new SqlConnection("Data Source=SHRIYA\\SQLEXPRESS;Initial Catalog=…;Integrated Security=True");
var insert = new SqlCommand("Insert Into tblRegister(GenerateID,Name,Surname,ID_Number,Gender,Address,Postal_code,Phone_Number,Email,Password) values(#GenerateID,#Name,#Surname,#ID_Number,#Gender,#Address,#Postal_code,#Phone_Number,#Email,#Password", conn);
insert.Parameters.AddWithValue("#GenerteID",lstuserID.SelectedIndex);
insert.Parameters.AddWithValue("#Name", txtname.Text);
insert.Parameters.AddWithValue("#Surname", txtsurname.Text);
insert.Parameters.AddWithValue("ID_Number", txtid.Text);
insert.Parameters.AddWithValue("#Gender", ddlgender.SelectedItem);
insert.Parameters.AddWithValue("#Address", txtaddress.Text);
insert.Parameters.AddWithValue("#Postal_code", txtpostalcode.Text);
insert.Parameters.AddWithValue("#Phone_Number", txttele.Text);
insert.Parameters.AddWithValue("#Email", txtEmail.Text);
insert.Parameters.AddWithValue("#Password", txtpassword);
try
{
conn.Open();
insert.ExecuteNonQuery();
}
catch (Exception)
{
ScriptManager.RegisterStartupScript(this, GetType(), "error", "alert('Error When Saving');", true);
}
conn.Close();
One error is to use txtpassword (i.e. a UI control as a whole) as a value for a SqlParameter. Replace it with txtpassword.Text (i.e. the textual value entered into the UI control):
insert.Parameters.AddWithValue("#Password", txtpassword.Text);
Your SQL command text is missing the closing parenthesis ) for VALUES (:
SqlCommand insert = new SqlCommand("Insert Into
tblRegister(GenerateID,Name,Surname,ID_Number,Gender,Address,
Postal_code,Phone_Number,Email,Password)
values(#GenerateID,#Name,#Surname,#ID_Number,#Gender,#Address,
#Postal_code,#Phone_Number,#Email,#Password)", conn);
// ^
insert.Parameters.AddWithValue("ID_Number", txtid.Text);
That should be
insert.Parameters.AddWithValue("#ID_Number", txtid.Text);
SqlCommand insert = new SqlCommand("Insert Into tblRegister(GenerateID,Name,Surname,ID_Number,Gender,Address,Postal_code,Phone_Number,Email,Password) values(#GenerateID,#Name,#Surname,#ID_Number,#Gender,#Address,#Postal_code,#Phone_Number,#Email,#Password", conn);
SQL syntax is wrong.
Missing ) at the last parameter #Password.
SqlCommand insert = new SqlCommand("Insert Into tblRegister(GenerateID,Name,Surname,ID_Number,Gender,Address,Postal_code,Phone_Number,Email,Password) values(#GenerateID,#Name,#Surname,#ID_Number,#Gender,#Address,#Postal_code,#Phone_Number,#Email,#Password)", conn);
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 9 years ago.
Improve this question
How to query on table's view in .Net C# web application ?
for example, here [View_App_Academic] is my table view. My code is listed below. under db scheme, I am not able to see the view due to my user privilege.
string strquery = "select * from [dbo].[View_App_Academic] where recruitment_id=" +
RecruitDropDownList.Text + " and ref_no='" + RefDropDownList.Text + "'";
SqlCommand objCMD = new SqlCommand(strquery, conn);
Use parameterized query always.
Remove [dbo] from your query, you don't need to add [dbo] because it is default database schema.
Change your code to this.
string strquery = "select * from View_App_Academic where recruitment_id=#recruitment_id and ref_no=#ref_no";
SqlCommand objCMD = new SqlCommand(strquery, conn);
objCMD.Parameters.AddWithValue("#recruitment_id", RecruitDropDownList.Text);
objCMD.Parameters.AddWithValue("#ref_no",RefDropDownList.Text);
SqlDataAdapter myAdapter = new SqlDataAdapter();
myAdapter.SelectCommand = objCMD;
DataSet myDataSet = new DataSet();
myAdapter.Fill(myDataSet);
Hope it helps.