Well, 90% of SQL queries can be injected, some are just harder.... You must remember to use ' around variable content and check whether some ' already stands in the content. Sometimes you can bypass the security by changing the encoding. Many people also think they can use integer numbers with no apostrophes around them, like "WHERE id = "+id instead of "WHERE id = '"+id+"'". Maybe it is confusing, but it is safer than the first statement.
2009/7/15 akram mellice <[email protected]>
> this code can be injected which leads to a security risk since the user can
> add sql code to the connection string directly instead use the
> SqlParameter class to pass parameters to whatever query u want to do
>
>
> On Tue, Jul 14, 2009 at 10:17 PM, Neo <[email protected]> wrote:
>
>> Instead of doing
>>
>> Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
>> Source=mydatabase; Initial Catalog=home;User
>> i...@username;passwo...@password"
>>
>> Do
>>
>> dim UserName, Password as string
>> ........
>> fill in the UserName and Password from UI or whatever source
>> ........
>> Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
>> Source=mydatabase; Initial Catalog=home;User Id=" & UserName &
>> ";Password=" & Password
>>
>> Note : Connection strings must NOT be initialized in your code, it
>> should be in a config file and your code should load the connection
>> string from config file using ConfigurationManager Class. If u are
>> using ASP.NET then your connection string should be in web.config and
>> if u are using windows app then it should be in App.config file (this
>> is general rule, but you can load connection string from any config
>> file other than these)
>>
>> And thanks Cerebrus for inviting me in your group :) .
>>
>>
>> On Jun 2, 6:53 am, jt_2009 <[email protected]> wrote:
>> > Hello
>> >
>> > It's me again. Sorry Cerebrus.....I unknowingly typed Cerberus
>> > instead. And Mike that was funny.
>> >
>> > Anyway just an update, I've managed to get a connection going - I
>> > moved the project folder to a local drive (it was being worked on an
>> > intranet drive previously - which was the main issue I think)
>> >
>> > Anyway I would like to place some parameters now in my connection
>> > string. Would the following actually work?
>> >
>> > Dim mssqlConnectionString As String = "Provider=SQLOledb; Data
>> > Source=mydatabase; Initial Catalog=home;User
>> > i...@username;passwo...@password"
>> >
>> > thank you.
>> >
>> > On May 30, 2:36 am, Cerebrus <[email protected]> wrote:
>> >
>> > > Very funny, Mike !! ROFL...MAO. ;-)
>> >
>> > > On May 29, 2:47 pm, Mike Fry <[email protected]> wrote:
>> >
>> > > > Cerebrus wrote:
>> > > > > ... and by the way, it's "Cerebrus". :P
>> >
>> > > > I know, but I think Cerberus suits you better as a moniker. Guarding the
>> > > > underworld that is .NET
>> >
>> > > > --
>> > > > Regards,
>> > > > Mike Fry
>> > > > Johannesburg.
>
> --
> Akram Mellice
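The thread raises three separate points: the connection string should come from config via ConfigurationManager, user-supplied values must not be spliced into the connection string with "&", and query values belong in SqlParameter objects rather than in the SQL text (which also settles the "integer without apostrophes" question from the reply above, since a typed parameter is never parsed as SQL). The VB.NET module below is an added example written for this page, not code posted by anyone in the thread. It assumes a System.Data.SqlClient reference, a connectionStrings entry named "HomeDb" in App.config or web.config, and a Users table with Id and UserName columns; all of those names are placeholders chosen here.

```vb
' Added example (not from the thread): config-sourced connection string,
' builder-escaped credentials, and parameterised queries in ADO.NET.
' "HomeDb" and the Users(Id, UserName) table are placeholder names.
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Module SafeDataAccess

    ' Loads the connection string from config instead of hard-coding it.
    Public Function LoadConnectionString() As String
        Dim settings As ConnectionStringSettings =
            ConfigurationManager.ConnectionStrings("HomeDb")
        If settings Is Nothing Then
            Throw New ConfigurationErrorsException(
                "connectionStrings entry 'HomeDb' is missing from config")
        End If
        Return settings.ConnectionString
    End Function

    ' When credentials must come from user input, let SqlConnectionStringBuilder
    ' escape them. A password containing ';' or '"' is quoted correctly rather
    ' than being concatenated into the string with "&", so a user cannot append
    ' extra key=value pairs to the connection string.
    Public Function BuildConnectionString(userName As String,
                                          password As String) As String
        Dim builder As New SqlConnectionStringBuilder()
        builder.DataSource = "mydatabase"
        builder.InitialCatalog = "home"
        builder.UserID = userName
        builder.Password = password
        Return builder.ConnectionString
    End Function

    ' UNSAFE (kept for contrast): the value is spliced into the SQL text.
    ' "WHERE Id = " & id looks harmless, but if id arrives as a String from
    ' the UI the whole WHERE clause is under the caller's control.
    Public Function CountUnsafe(conn As SqlConnection, id As String) As Integer
        Dim sql As String = "SELECT COUNT(*) FROM Users WHERE Id = " & id
        Using cmd As New SqlCommand(sql, conn)
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    ' SAFE: the value travels as a typed parameter, never as SQL text, so the
    ' apostrophe-or-no-apostrophe question does not arise.
    Public Function CountSafe(conn As SqlConnection, id As Integer) As Integer
        Using cmd As New SqlCommand(
                "SELECT COUNT(*) FROM Users WHERE Id = @id", conn)
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id
            Return CInt(cmd.ExecuteScalar())
        End Using
    End Function

    ' SAFE string lookup: a name like O'Brien needs no manual escaping, and a
    ' change of encoding on the client side cannot turn it into SQL.
    Public Function FindUser(conn As SqlConnection, userName As String) As DataTable
        Dim table As New DataTable()
        Using cmd As New SqlCommand(
                "SELECT Id, UserName FROM Users WHERE UserName = @name", conn)
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName
            Using reader As SqlDataReader = cmd.ExecuteReader()
                table.Load(reader)
            End Using
        End Using
        Return table
    End Function

    Sub Main()
        Using conn As New SqlConnection(LoadConnectionString())
            conn.Open()
            Console.WriteLine("rows with Id 42: " & CountSafe(conn, 42))
            Console.WriteLine("O'Brien matches: " & FindUser(conn, "O'Brien").Rows.Count)
        End Using
    End Sub

End Module
```

CountUnsafe is included only to sit beside CountSafe; in a real code base it is the function to delete. Note that SqlConnectionStringBuilder protects the connection string, not the queries: both layers need their own escaping mechanism, and both are provided by the framework rather than by hand-written apostrophe checks.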
