manije wrote:
strFilter = "SELECT UserName,Password FROM User_Name WHERE Password='" +txtPassword.Text + "' AND UserName='"+txtUserName.Text+"'";
This is NOT how I showed you to build this query. This is now vulnerable to a SQL Injection Attack, and one that is very easily prevented. Please re-read the code I sent you before and if you don't understand it, I'll be happy to answer questions.
If you want to read more about how to prevent SQL Injection attacks, something that is very important, and of double importance seeing as this is verifying user names and passwords, then you should read SQL Injection Attacks and Tips on How to Prevent Them.
Finally, just as an example of how easy your code is to attack I would suggest you type the following into the password box and trace through the code to see what it does:
' OR 1=1;--
My: Blog | Photos
WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and More
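The trace Colin suggests, worked through in T-SQL as an added example (this is not code from the thread): the concatenated query is built exactly the way the C# string is, with the attacker's password-box input spliced in, and then the same query is run with parameters. The #Users table and its two rows are constructed for the demo.

```sql
-- Constructed demo table standing in for User_Name.
IF OBJECT_ID('tempdb..#Users') IS NOT NULL DROP TABLE #Users;
CREATE TABLE #Users (UserName nvarchar(50), Password nvarchar(128));
INSERT INTO #Users VALUES (N'alice', N'correct horse');
INSERT INTO #Users VALUES (N'bob',   N'battery staple');

DECLARE @txtUserName nvarchar(50), @txtPassword nvarchar(128), @sql nvarchar(4000);
SET @txtUserName = N'alice';
SET @txtPassword = N''' OR 1=1;--';     -- what the attacker types in the password box

-- 1. String concatenation, as in the C# above. @sql becomes:
--    SELECT UserName,Password FROM #Users WHERE Password='' OR 1=1;--' AND UserName='alice'
--    The first quote closes the literal, OR 1=1 is true for every row, and --
--    comments out the rest, so the UserName test is never evaluated.
SET @sql = N'SELECT UserName,Password FROM #Users WHERE Password=''' + @txtPassword
         + N''' AND UserName=''' + @txtUserName + N'''';
PRINT @sql;
EXEC (@sql);            -- returns BOTH rows: the login "succeeds" with no valid password

-- 2. The same query with parameters. The input travels as a value, not as SQL
--    text, so it is compared literally with the Password column.
EXEC sp_executesql
    N'SELECT UserName,Password FROM #Users WHERE Password=@p AND UserName=@u',
    N'@p nvarchar(128), @u nvarchar(50)',
    @p = @txtPassword, @u = @txtUserName;   -- returns no rows

DROP TABLE #Users;
```

Run it in Query Analyzer or SSMS with the Messages pane visible: the PRINT shows the text the concatenation produced, the first result set has two rows, the second has none. A temp table rather than a table variable is used because EXEC runs in its own scope and would not see a table variable.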
Hi!
Thanks for your guide!
But I don't understand, OR,
I want to know, how can a user observe his private information, after everyone enters his username and password?
By the way, the code I wrote can check whether there is a user in the table or not. In any case, please help me!
Thanks again!
mostafa hosseiny b.
manije wrote:
but, I don't understand, OR,
I want to know,
Colin has not really answered this; instead, he's pointed out that you've ignored the advice he gave you before.
manije wrote:
How can observe a user his private information
By you writing the code to display it. Once you know someone has logged in, you can ask the database for their information and display it any way you like.
Christian Graus - Microsoft MVP - C++
In VB.NET, when we create a connection string,
we want a DSN name in the connection string. I want a connection via SQL Server.
Please suggest what connection string I should write.
Note: I don't want the server name and database name in the connection string.
Please help me.
Since a DSN is part of the ODBC configuration you need to use the ODBC data provider, which will reduce your performance connecting to SQL Server. An OLEDB option is to use a UDL file; look under Storing Connection Strings on this page: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnbda/html/daag.asp
Another option would be to encrypt the server and database name in a string and add the other information in at runtime.
I can imagine the sinking feeling one would have after ordering my book,
only to find a laughably ridiculous theory with demented logic once the book arrives - Mark McCutcheon
If you create a DSN called abcd:

using System;
using System.Data;
using System.Data.Odbc;
using System.Text;

// Connect through the ODBC provider using only the DSN name; the server and
// database come from the DSN definition, not from the connection string.
// The DSN still needs a login; hard-coding UID/PWD in source is not a good idea.
string myConnectionString = "DSN=abcd;UID=root;PWD=root";

StringBuilder SQL = new StringBuilder();
SQL.Append("SELECT ");
SQL.Append("* ");          // trailing space, otherwise the text reads "SELECT *FROM"
SQL.Append("FROM ");
SQL.Append("Authors");

int nResultCount = 0;
using (OdbcConnection MyConn = new OdbcConnection(myConnectionString))
using (OdbcCommand MyCmd = new OdbcCommand(SQL.ToString(), MyConn))
{
    MyConn.Open();
    // CloseConnection: the connection is closed when the reader is disposed.
    using (OdbcDataReader result = MyCmd.ExecuteReader(CommandBehavior.CloseConnection))
    {
        while (result.Read())
        {
            ++nResultCount;
        }
    }
}
thanks.
I can imagine the sinking feeling one would have after ordering my book,
only to find a laughably ridiculous theory with demented logic once the book arrives - Mark McCutcheon
Hi,
I am using MySQL-Front as my database. I installed the MySQL beta server, MySQL-Front and the MySQL ODBC driver, and I started the MySQL service. But when I connect with MySQL-Front, the system seems to hang. The system should have enough space (128 MB RAM). Please help me to overcome this situation.
Jeeva
Thanks for your reply (Colin Angus Mackay) in advance!!
----
the type of password field = int
----
and this is my code for the check!?
----
private void btnOK_Click(object sender, System.EventArgs e)
{
    //------->Step :1  reject empty fields
    if ((txtUserName.Text.Trim().Length == 0) || (txtPassword.Text.Trim().Length == 0))
    {
        MessageBox.Show(Empty_MESSAGE, CAPTION_TITLE);
        txtPassword.Text = "";
        txtUserName.Text = "";
        return;
    }
    //------>Step :2  build and run the query
    // The text box contents are concatenated straight into the SQL text
    // (this is the line Colin's reply above is about).
    string strFilter;
    strFilter = "SELECT UserName,Password FROM User_Name WHERE Password='" + txtPassword.Text + "' AND UserName='" + txtUserName.Text + "'";
    userAdapter = new SqlDataAdapter(strFilter, UserConnection);
    SqlCommandBuilder UserCmd = new SqlCommandBuilder(userAdapter);
    DataTable UserTable = new DataTable();
    userAdapter.Fill(UserTable);
    //------ Counting and Displaying
    UserView = new DataView(UserTable, DEFAULT_FILTER, DEFAULT_SORT, DataViewRowState.OriginalRows);
    //---->Step :3  any row at all counts as a successful login
    if (UserView.Count == 0)
    {
        MessageBox.Show(NO_RECORDS_FOUND_MESSAGE, CAPTION_TITLE);
        txtPassword.Text = "";
        txtUserName.Text = "";
    }
    else
    {
        this.Hide();
        //----displaying form
        Private_Public_Form frm_pub_pri = new Private_Public_Form();
        frm_pub_pri.ShowDialog();
    }
    //************* Finish ********/
}
//-----------
The difficulty in this app is, when the password type is int,
the system gives an error if we type non-numeric characters in the password textbox.
First, 15 chars for a password is too small. Normally the passwords I use are 20+ chars and it irritates me when a website cannot accept such a long password. The longer the password, the more secure it is because it takes longer to crack. You should use something like an nvarchar(128) for a password.
Also, you should consider looking at encryption routines so that the password is stored in a secure fashion.
manije wrote:
By the way, if Password type=int [length=4], what's the result of the check?
That doesn't make any sense.
To check the password on your current set-up:

using System;
using System.Data;
using System.Data.SqlClient;

// Parameterised login check: the user's input is sent as parameter values and
// is never spliced into the SQL text, so ' OR 1=1;-- is just a wrong password.
using (SqlConnection conn = new SqlConnection(myConnectionString))
using (SqlCommand cmd = new SqlCommand())
{
    cmd.Connection = conn;
    cmd.CommandText = "SELECT id_user FROM TheUserTable " +
                      "WHERE username = @username AND password = @password";
    cmd.Parameters.Add("@username", SqlDbType.NVarChar, 128).Value = myUserName;
    cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = myPassword;
    conn.Open();
    object result = cmd.ExecuteScalar();   // first column of the first row, or null
    if (result == null)
    {
        // no matching row: unknown user name or wrong password
    }
    else
    {
        int userID = (int)result;
    }
}
Does this help?
My: Blog | Photos
WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and More
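The two recommendations in this reply, a wider password column and storing the password "in a secure fashion", put together in T-SQL as an added example (not the poster's or Colin's code). It stores a per-user random salt and a SHA-256 hash instead of the password, and the login check is the parameterised query above, rewritten to compare hashes. It assumes SQL Server 2012 or later for HASHBYTES('SHA2_256') and CRYPT_GEN_RANDOM; the table and the user row are constructed for the demo.

```sql
-- Constructed demo table: no password column at all, only salt + hash.
IF OBJECT_ID('tempdb..#TheUserTable') IS NOT NULL DROP TABLE #TheUserTable;
CREATE TABLE #TheUserTable (
    id_user       int IDENTITY(1,1) PRIMARY KEY,
    username      nvarchar(128) NOT NULL UNIQUE,
    salt          varbinary(16) NOT NULL,
    password_hash varbinary(32) NOT NULL   -- SHA-256(salt || password), never the password itself
);

-- Registration: a fresh random salt for each user, then hash salt || UTF-16 password.
DECLARE @salt varbinary(16) = CRYPT_GEN_RANDOM(16);
INSERT INTO #TheUserTable (username, salt, password_hash)
VALUES (N'alice', @salt,
        HASHBYTES('SHA2_256', @salt + CAST(N'correct horse' AS varbinary(256))));

-- Login check: this is the statement the SqlCommand above would send, with
-- @username and @password arriving as parameters (assumed values shown here).
DECLARE @username nvarchar(128) = N'alice', @password nvarchar(128) = N'correct horse';
SELECT id_user
FROM   #TheUserTable
WHERE  username = @username
AND    password_hash = HASHBYTES('SHA2_256', salt + CAST(@password AS varbinary(256)));
-- returns alice's id_user; with a wrong password (or ' OR 1=1;--) it returns no rows

DROP TABLE #TheUserTable;
```

The hash is recomputed with the stored row's own salt, so two users with the same password get different hashes and a leaked table cannot be cracked with one precomputed list. SHA-256 is a fast hash; SQL Server has no built-in slow password hash, so if the application can do the hashing, a deliberately slow function such as PBKDF2 or bcrypt in the C# code is the better place for it.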
Hi all!
In C#.NET:
in my application, how can it check whether the user and password
are correct or not?
For receiving and saving the user and password, we use a SQL table.
Thanks in advance!!
mostafa hosseiny b.
Hi all,
I have made a table in SQL Server 2000.
Now, on the button click in my form using VB, I want to check whether the value entered in the textbox is available in the column or not. It should check all the values in the column of the database and display the appropriate message.
Please help me out. I am bugged up by this problem.
ashima
ashima14 wrote:
I want to check whether the value entered in the textbox is available in the column
There are a number of ways to achieve this; one would be the following SQL command:
SELECT COUNT(*) FROM TableName WHERE ColumnName = @expectedValue
You can then create an SqlCommand with a parameter called @expectedValue and call ExecuteScalar on the SqlCommand. If the result from ExecuteScalar is 0 then you have no match; if the value is anything else then you have a match.
My: Blog | Photos
WDevs.com - Open Source Code Hosting, Blogs, FTP, Mail and More
How can I update my local DataSet when the back-end database (SQL Server 2000 etc.) has been changed rapidly by other users? I hate unmanaged code in a managed environment. Is there any class like the connected recordsets of VB 6.0?
Thanks in advance
Zeeshan
I am not quite sure I understand the purpose of your request...
- Is the problem to prevent any users from making changes within your transaction scope?
- Or is the issue to get an overview of other users' transactions on the database?
- A hint would be to try executing the stored procedure 'sp_lock';
this will give you all the information about existing locks.
Thanks for the reply.
I am trying with an example.
I have a datagrid that shows current prices of shares, bound with a dataset. I update my local dataset from the DB every 2 seconds. I think it is a poor design, because if one row is updated in any 2 seconds, I update the full dataset.
I want this datagrid to show current share prices, which are updated in the DB through my background service, without updating the whole dataset.
Zeeshan
Hi.
I would like to connect to an Access database on the web using VB, but I do not know how to do a connection string.
Could you help me by sending me a string or saying where I can find it?
Thanks
André
Hi,
I'm a newbie at C# and ADO.NET, only started three months ago. My question is:
I want to add a column at the beginning of my bound DataTable; how do I do that?
A code example in C# would be appreciated.
Thanks for the help.
Regards, Paula
Try YourTable.Columns's Add method, where you define a new DataColumn.
But this does not guarantee the insert at the beginning of the columns; this depends on the existing columns in your table. To do that,
first you have to empty the table of columns (the YourTable.Clear method will do this), but before you do this you have to temporarily store any existing columns. Then you add your new column and afterwards add the other columns back to the table.
Here is a code sample for your purpose:
System.Data.DataTable yourTable = new System.Data.DataTable("YourTable");
System.Collections.ArrayList myExistingColumns = new System.Collections.ArrayList();
foreach (System.Data.DataColumn column in yourTable.Columns) // keep any existing columns
{
    myExistingColumns.Add(column);
}
yourTable.Columns.Clear(); // remove all columns (this also discards any row data, so do it before filling the table)
yourTable.Columns.Add(new System.Data.DataColumn("MyNewColumn")); // add the new column at ordinal 0
foreach (object column in myExistingColumns) // move the existing columns back to the table
{
    yourTable.Columns.Add((System.Data.DataColumn)column);
}
// On .NET 2.0 and later, yourTable.Columns["MyNewColumn"].SetOrdinal(0) moves a column without clearing the table.
Hi guys, please help. I want to add a new column to more than 500 tables in the database. Please help, how can I do that? Can anyone provide me with code?
Cheers
Good luck hehe
You have to automate this somehow, but don't panic. I assume it's a SQL database you are using.
1. You have to traverse all tables for your purpose; table names are stored in the sysobjects table.
2. For each table you have to fire an ALTER TABLE SQL statement. The syntax is as follows.
Sample....
Examples
A. Alter a table to add a new column
This example adds a column that allows null values and has no values provided through a DEFAULT definition. Each row will have a NULL in the new column.
ALTER TABLE doc_exa ADD column_b VARCHAR(20) NULL
B. Alter a table to drop a column
This example modifies a table to remove a column.
ALTER TABLE doc_exb DROP COLUMN column_b
C. Alter a table to add a column with a constraint
This example adds a new column with a UNIQUE constraint.
ALTER TABLE doc_exc ADD column_b VARCHAR(20) NULL
CONSTRAINT exb_unique UNIQUE
Does that mean that I have to fire an ALTER TABLE SQL statement for each table manually? I actually want to automate a text file looping through the table names in the sysobjects table, also excluding the sys tables when altering. How can I do that?
Please help.
Thanks guys!!
Sure, you have to fire an ALTER TABLE statement...
I could provide you with a code sample, but later in the day if you are patient.
Unless...
You have to read all table names from the sysobjects table with the xtype of 'U', and furthermore you have to deselect the table name 'dtproperties' too, I guess the name is. This will filter all the user tables.
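The procedure described across these replies, put together as an added T-SQL example (not code from the thread): read the user tables from sysobjects (xtype = 'U', skipping dtproperties), and fire one ALTER TABLE per table. The column name and type are assumptions, the script also skips tables that already have the column, and it only prints the statements until @Execute is set to 1, so the generated DDL can be reviewed first. It uses the SQL Server 2000 system tables the asker mentions; on 2005 and later, sys.tables with the schema name is the better source.

```sql
-- Assumed column to add; change both before running.
DECLARE @ColumnName sysname, @ColumnDef nvarchar(200), @Execute bit;
SET @ColumnName = N'LastUpdated';
SET @ColumnDef  = N'datetime NULL';
SET @Execute    = 0;        -- 0 = only PRINT the ALTER statements, 1 = run them

DECLARE @TableName sysname, @sql nvarchar(4000);
DECLARE tables_cur CURSOR LOCAL FAST_FORWARD FOR
    SELECT o.name
    FROM   sysobjects o
    WHERE  o.xtype = 'U'                    -- user tables only
    AND    o.name <> 'dtproperties'         -- the diagram table, not a real user table
    AND    NOT EXISTS (SELECT 1 FROM syscolumns c
                       WHERE c.id = o.id AND c.name = @ColumnName)   -- already has the column
    ORDER BY o.name;

OPEN tables_cur;
FETCH NEXT FROM tables_cur INTO @TableName;
WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets the names so spaces or odd characters in a table
    -- name cannot break (or alter the meaning of) the generated statement.
    SET @sql = N'ALTER TABLE ' + QUOTENAME(@TableName)
             + N' ADD ' + QUOTENAME(@ColumnName) + N' ' + @ColumnDef;
    PRINT @sql;
    IF @Execute = 1 EXEC sp_executesql @sql;
    FETCH NEXT FROM tables_cur INTO @TableName;
END;
CLOSE tables_cur;
DEALLOCATE tables_cur;
```

Run it once with @Execute = 0 and read the Messages pane; the printed lines are the "text file" the question asks for. Wrap the second run in a transaction if all 500 tables must change together, since each ALTER TABLE otherwise commits on its own.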