Re: Dynamic SQL
- From: "Mr. R" <jon.doe@xxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 07 Feb 2008 18:53:47 GMT
Login where?
To the server or Windows.
The security issue is not that important on the webpages. The page shall not
be live 24/7, only when I do the demos.
Don't need to login to the database. There are no users created for it yet. The
user creates their own account.
Anyhow I still don't see the problem, of course the real live site needs
checking that the right characters are entered in the fields.
Of course entering username N00bHax0r') will cause an error. Isn't that what
the validators are for?
Can I use any validator to test this? Somehow the user must enter username
and password and the other data the very first time. I get your point and the
problem is familiar to me. I deal with that type of input checking in all
my exe programs. But thanks for reminding me. At the moment my focus is to
get the database working, understanding how ASP.NET deals with databases. The
finish of input forms will be dealt with at a later time.
protected void pbEdit_Click(object sender, EventArgs e)
{
    // Of course:
    // Before calling this make sure every field has valid characters.
    // Are the Validators good for this ?????
    sdsAffiliateAccount.SelectCommand =
        "select username, company, contactName, address, city, zip, state, country, homepage, " +
        " email, phone, fax, pwd from AffiliateAccount " +
        "where ('" + tbUsername.Text + "' = username) and ('" +
        tbPassword.Text + "' = pwd);";
}
"Scott Roberts" <sroberts@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:O1$$gLbaIHA.4712@xxxxxxxxxxxxxxxxxxxxxxx
You should Google for "SQL Injection" as Mark suggested in his first
reply.
Have you tried logging in as this user?
N00bHax0r') or 1=1; --
"Mr. R" <jon.doe@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ZoHqj.3566$R_4.2627@xxxxxxxxxxxxxxxxxx
Hi
Since I'm new to ASP.NET can you please tell me why this is dangerous?
No, this actual source is NOT live on the Internet. Any other suggestion
that doesn't need to add users to the database.
Lars
"Mark Rae [MVP]" <mark@xxxxxxxxxxxxxxxxx> wrote in message
news:ewPxU3aaIHA.4284@xxxxxxxxxxxxxxxxxxxxxxx
"Mr. R" <jon.doe@xxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:JVGqj.3562$R_4.2373@xxxxxxxxxxxxxxxxxx
Once I found out the way to do it, it was as easy as pie.
Here's the code
protected void pbEdit_Click(object sender, EventArgs e)
{
    sdsAffiliateAccount.SelectCommand =
        "select username, company, contactName, address, city, zip, state, country, homepage, " +
        " email, phone, fax, pwd from AffiliateAccount " +
        "where ('" + tbUsername.Text + "' = username) and ('" +
        tbPassword.Text + "' = pwd);";
}
Oh my God!!! Please tell me that this isn't on the live Internet...
--
Mark Rae
ASP.NET MVP
http://www.markrae.net
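As an added example (not code from anyone in the thread), the posted WHERE clause is rebuilt below in two forms against an in-memory SQLite table, so the effect of the N00bHax0r') or 1=1; -- login that Scott mentions can be reproduced offline. The table and its rows are constructed sample data, and SQLite stands in for the database behind the ASP.NET SqlDataSource.

```python
import sqlite3

# Constructed sample data standing in for the thread's AffiliateAccount table.
ROWS = [
    ("alice", "alice@example.com", "s3cret"),
    ("bob", "bob@example.com", "hunter2"),
]

# The login name from the thread; the quote and parenthesis close the
# string and the comparison early, "or 1=1" makes the clause true for
# every row, and "--" comments out the rest of the statement.
INJECTED_USERNAME = "N00bHax0r') or 1=1; --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table AffiliateAccount (username text, email text, pwd text)")
    conn.executemany("insert into AffiliateAccount values (?, ?, ?)", ROWS)
    return conn


def login_concat(conn, username, password):
    """Mirrors the posted pbEdit_Click: form text is pasted into the SQL text."""
    sql = ("select username, email from AffiliateAccount "
           "where ('" + username + "' = username) and ('" + password + "' = pwd);")
    return conn.execute(sql).fetchall()


def login_param(conn, username, password):
    """Hardened form: placeholders hand the text to the engine as data, so it is
    compared against the columns no matter which characters it contains. Input
    validators are still useful, but they are not what stops this."""
    sql = ("select username, email from AffiliateAccount "
           "where username = ? and pwd = ?;")
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("concat, wrong password :", login_concat(db, "alice", "wrong"))
    print("concat, injected name  :", login_concat(db, INJECTED_USERNAME, "x"))
    print("param,  injected name  :", login_param(db, INJECTED_USERNAME, "x"))
```

In the ASP.NET code from the thread, the parameterized form corresponds to putting @username and @pwd placeholders in SelectCommand and binding the two TextBox controls through the SqlDataSource's SelectParameters instead of concatenating their Text.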