Re: help me plz
From: Jim Hughes (NOSPAMJ3033_at_Hotmail.com)
Date: 03/27/05
- Next message: Dee: "Re: How to use WriteXml() for a DataTable?"
- Previous message: Sahil Malik: "Re: *VERY* Simple DbDataAdapter.Update - Incorrect MSDN Documentation????"
- In reply to: Elton Wang: "Re: help me plz"
- Next in thread: Anubhav Mishra: "Re: help me plz"
- Reply: Anubhav Mishra: "Re: help me plz"
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 26 Mar 2005 16:18:30 -0800
Consistently doing things the correct way is the key to success.
The OP was using a parameterized query, but just missed adding the
parameter.
In this case however, as you pointed out, the only thing saving this from
SQL injection attack was the byval num as integer function argument. That
may not have been obvious to the OP for the next function where they were
passing in the username as a string instead of the ID.
"Elton Wang" <anonymous@discussions.microsoft.com> wrote in message
news:192901c53259$cbbb8730$a401280a@phx.gbl...
> Hi Jim,
>
> It's a good point. If field id is type of char or varchar
> (or something similar), it's better to use parameter. For
> type int, there is no large difference.
>
> HTH
>
> Elton Wang
>
>>-----Original Message-----
>>Please don't do that!
>>
>>Dim cm As New SqlCommand("select * from student where id=@num")
>>cm.Parameters.Add("@num", num)
>>
>>Search Google for SQL injection attack.
>>
>>Also look into using the Data Access Application Block (DAAB) from
>>Microsoft.
>>
>>
>>"Elton Wang" <anonymous@discussions.microsoft.com> wrote in message
>>news:0e4001c5324a$f57ee530$a501280a@phx.gbl...
>>> Hi sara,
>>>
>>> Change
>>> Dim cm As New SqlCommand("select * from student where id=@num", cnn)
>>>
>>> to
>>>
>>> Dim cm As New SqlCommand("select * from student where id=" & num.ToString, cnn)
>>>
>>> HTH
>>>
>>> Elton Wang
>>> elton_wang@hotmail.com
>>>
>>>>-----Original Message-----
>>>>Hello all,
>>>>plz , i have the following code , which takes student id and
>>>>password, then checks the id; if it is found, it checks the password; if
>>>>it is true, if the password and id are true, the student can log in the
>>>>system, if the password is false, he can try 3 times, if the id is not
>>>>recognized, the terminal is locked for 5 minutes.
>>>>when i compiled the code, the error message appeared on the
>>>>dr=cm.executereader
>>>>i didn't know what the problem is with the sql command.
>>>>code
>>>>...............
>>>>public sub log(byval num as integer, byval pass as string)
>>>>Dim cnn As New SqlConnection("server=(local);database=db1;Trusted_Connection=yes")
>>>>Dim cm As New SqlCommand("select * from student where id=@num", cnn)
>>>>Dim dr As SqlDataReader
>>>>cnn.Open()
>>>>dr = cm.ExecuteReader
>>>>dr.Read()
>>>>If dr("id") = num Then
>>>>    If dr("pass") = pass Then
>>>>        MsgBox("login")
>>>>    Else
>>>>        MsgBox("invalid password")
>>>>    End If
>>>>Else
>>>>    MsgBox("Id is not recognized")
>>>>End If
>>>>dr.Close()
>>>>end sub
>>>>......................
>>>>plz help me , i am student and this is course project
>>>>Thankx
>>>>sara
>>>>Posted at: http://www.groupsrv.com
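The two points made in this thread, shown as an added example that is not code from anyone in the thread: the OP's query failed at execution because the `@num` placeholder had no value bound to it, and Elton's concatenation fix is only tolerable while the key is an Integer; once the key is the username string, as Jim notes for the next function, concatenation hands quoting to the caller while a parameter keeps the value as data. Python's standard-library `sqlite3` stands in for ADO.NET and SQL Server here, the `student` table and its rows are constructed for the demo, and the plaintext `pass` column mirrors the OP's schema rather than anything to copy.

```python
import sqlite3

# Constructed sample data (not from the thread): the id and pass columns the
# OP's code reads, plus a username column for the string-keyed lookup that
# the follow-up post mentions.
SAMPLE_STUDENTS = [
    (1, "alice", "s3cret"),
    (2, "o'brien", "hunter2"),
]


def make_db():
    """In-memory SQLite database standing in for the thread's db1."""
    cnn = sqlite3.connect(":memory:")
    cnn.execute("CREATE TABLE student (id INTEGER PRIMARY KEY, username TEXT, pass TEXT)")
    cnn.executemany("INSERT INTO student VALUES (?, ?, ?)", SAMPLE_STUDENTS)
    return cnn


def lookup_forgot_param(cnn, username):
    """The OP's actual bug: a placeholder in the SQL text with nothing bound to
    it, so execution (the equivalent of cm.ExecuteReader) raises an error."""
    sql = "SELECT id, username, pass FROM student WHERE username=?"
    return cnn.execute(sql).fetchone()


def lookup_concat(cnn, username):
    """The pattern the thread warns against: the value is spliced into the SQL
    text, the string-keyed analogue of `"... where id=" & num.ToString`.
    Any quote character in the value is now read as SQL syntax."""
    sql = "SELECT id, username, pass FROM student WHERE username='" + username + "'"
    return cnn.execute(sql).fetchone()


def lookup_param(cnn, username):
    """The corrected pattern: placeholder in the SQL, value supplied separately,
    the equivalent of cm.Parameters.Add("@num", num) in the thread."""
    sql = "SELECT id, username, pass FROM student WHERE username=?"
    return cnn.execute(sql, (username,)).fetchone()


def check_login(cnn, username, password):
    """Credential check on top of the parameterized lookup. Returns one of the
    three outcomes the OP's MsgBox branches report."""
    row = lookup_param(cnn, username)
    if row is None:
        return "Id is not recognized"
    if row[2] != password:
        return "invalid password"
    return "login"


def demo():
    """Run each variant against the constructed data and collect the outcomes."""
    cnn = make_db()
    results = {}
    # Placeholder present, value missing: fails at execute, as the OP saw.
    try:
        lookup_forgot_param(cnn, "alice")
        results["forgot"] = "ok"
    except sqlite3.ProgrammingError as e:
        results["forgot"] = "error: " + str(e)
    # A legitimate username with an apostrophe is ordinary data to the
    # parameterized query...
    results["param"] = lookup_param(cnn, "o'brien")[0]
    # ...but breaks the concatenated query, because the quote is parsed as
    # part of the statement rather than as part of the value.
    try:
        lookup_concat(cnn, "o'brien")
        results["concat"] = "ok"
    except sqlite3.OperationalError as e:
        results["concat"] = "error: " + str(e)
    results["good"] = check_login(cnn, "alice", "s3cret")
    results["bad_pw"] = check_login(cnn, "alice", "wrong")
    results["unknown"] = check_login(cnn, "nobody", "x")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, "->", outcome)
```

The `forgot` case is the error the OP hit at `dr = cm.ExecuteReader`: the driver sees one placeholder and zero bound values. The `concat` case is why Jim's follow-up matters; an Integer argument cannot carry a quote character, a String argument can, and only the parameterized form is correct for both.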