Yeah, it does.
But what if I typed this into your textbox:
01/01/1999' DROP TABLE test --
What do you think would happen?
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Dave Kreskowiak wrote: 01/01/1999' DROP TABLE test --
It will display an error.
See one more problem. The datagrid is displaying all the records on page load. After the search command it is loading that search result. But the problem is when I click the next page it will display all the records, because I use that query in the PageIndexChanged event. Can you guide me to solve this problem?
Thanks
dansoft wrote: It will display an error.
Don't be so sure. You're right, this time. This little attack works much better when you concatenate the WHERE of an SQL statement:
"SELECT * FROM table WHERE field = '" & text & "'"
This will generate an SQL statement that looks like this:
SELECT * FROM table WHERE field = '01/01/1999' DROP TABLE table --
Which WILL NOT generate an error. I guarantee you'll start scratching your head wondering where your table went.
As for paging, you can find a bunch of articles on it by looking through these.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Dave Kreskowiak wrote: SELECT * FROM table WHERE field = '01/01/1999' DROP TABLE table --
This will not happen because I'll convert the textbox value to datetime format using the try/catch method. So it will display an error message. I checked.
Thanks
You're not getting it...
Well, you're putting the conversion in NOW. Your previous posts just used the value entered in a TextBox. The "conversion" saves you in this particular case. But try converting a username or password into something else to "verify" it's not SQL "unfriendly".
You just DO NOT concatenate strings together to build SQL statements in real-world code. You have to do so much more to validate that the entered data can do no harm, it's silly. Even after it's been "verified", you still must treat any user input as hostile to your database and write your code accordingly.
Write your SQL code so the database (without any external help at all) can practically run itself just using stored procedures, views, and triggers. Then you wrap your C# code around that.
If you attempt to get junk like this into a retail product, you'll lose your job immediately.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Thanks for your advice.
Can I use SqlCommand parameters to avoid these kinds of attacks? I'm not very advanced in either MSSQL or ASP.NET.
If possible please send me some sample files that meet the retail product...
Thanks again.
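As an added example (not code from the thread), here is the concatenated WHERE that Dave quoted beside the parameterized SqlCommand the question above asks about; the connection string and the Orders/OrderDate and Users/Username names are assumptions for illustration.

```csharp
// Added example, not from the thread. Table and column names are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

class SearchExample
{
    // VULNERABLE: the textbox value becomes part of the SQL text, so
    // 01/01/1999' DROP TABLE Orders --  turns one statement into two.
    static string BuildUnsafeSql(string text)
    {
        return "SELECT * FROM Orders WHERE OrderDate = '" + text + "'";
    }

    // SAFE: the value travels as a typed parameter, never as SQL text. The
    // DateTime conversion rejects garbage early, but the parameter stops injection.
    static DataTable SearchByDate(string connectionString, string text)
    {
        DateTime date;
        if (!DateTime.TryParse(text, out date))
            throw new ArgumentException("Not a valid date.");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT * FROM Orders WHERE OrderDate = @date", conn))
        {
            cmd.Parameters.Add("@date", SqlDbType.DateTime).Value = date;
            DataTable result = new DataTable();
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                result.Load(reader);
            return result;
        }
    }

    // A username has no type to convert to, so the parameter is the only defence.
    static bool UserExists(string connectionString, string username)
    {
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE Username = @user", conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = username;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

With the parameterized form, the text `01/01/1999' DROP TABLE Orders --` is only ever compared against OrderDate as a value (and fails the date conversion first); it is never parsed as SQL.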
Hi all,
I was trying to insert an image into my table but it is showing binary data and I was unable to retrieve the same image. It is giving some junk characters or sometimes it is giving binary numbers.
sowjanyakumar
.Net Programer and developer wrote: it is giving some junk characters or sometimes it is giving binary numbers.
What is "IT"? An image is just a bunch of data that, when looked at in raw form is a string of junk characters. So what you're seeing is normal, depending on what you're looking at this "junk" with.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
I have written a program that accesses a SQL Server 2000 database installed on a Windows 2003 Server machine. SQL Server is set up with integrated security and I don't want to change this. If I install my app on a computer that is a member of the domain and log in to Windows with the credentials of a Windows Server user account, it works well. Is there any way to access SQL Server from a computer that is on the same network, logs in using a local Windows account and does not have access to network resources? The result I want is: asking for the username and password of a Windows 2003 Server user account within my app and authenticating the user against the Windows server when the user wants to access the DB.
Thanks in advance
From Greece:
Dimitris Iliopoulos
dimilio@yahoo.com
If I recall correctly, you can do the same as you do with Windows file sharing: create an account with the same username and password on the server as on the client computer. Integrated Security will fall back on NTLM authentication which should succeed if the passwords match.
This is very hard to maintain, of course.
When adding the account (or group) to SQL Server, to authorize the account to connect, use the server machine name where you would use the domain.
Stability. What an interesting concept. -- Chris Maunder
Hi,
I have a table consisting of the following columns of relevance:
Day - Integer ranging from 1-9
Demand_Qty - Double value specifying the demand for that particular day.
Demand_Filled - Double value specifying how much of the item was received that day.
What I need to find out is how many days it takes before each demand is filled. For example:
Day  Demand_Qty  Demand_Filled  Days_to_Fill
 1       10            0             2
 2       10            0             2
 3       20           10             1
 4        5           30             1
 5       10           10            -1
The first 3 columns are provided and the Days_to_Fill column is what I need to calculate. A -1 in the Days_To_Fill means the demand was never met. As you can see, the Demand for Day 1 is 10, which is not filled until Day 3. If further clarification is needed, pls inquire.
I'm not sure exactly where to begin so any tips/ideas/solutions would be greatly appreciated. One thing that I believe could get me closer to a solution would be acquiring a cumulative sum of Demand_Qty and Demand_Filled for each day, but I don't know how to do this in SQL... anyone know how? What I mean is a sum that would look like this based on the above sample:
Day  SumDemand  SumFilled
 1       10         0
 2       20         0
 3       40        10
 4       45        40
 5       55        50
Thank you for any help in advance, hoping I can get a solution figured out soon for my Project Manager.
-Tom
Hi all,
I'm new to this area of Code Project.
Just wondering if it's possible to have an if statement in the select clause of a SQL query in SQL Server.
I need to convert the ms access version sql:
Select IIf([OD_STOCK_CODE] Like "**BUPN**",([OD_UNITCST]*0.7)*[OD_QTYORD],0) AS BOXDisc
to an equivalent MS SQL syntax.
Any ideas
thanks in advance
Hi there. Take a look at the CASE statement in Sql Server. You probably want something like this:
Select Case When [OD_STOCK_CODE] Like '%BUPN%' Then ([OD_UNITCST] * 0.7) * OD_QTYORD
Else 0
End as BOXDisc
Use the CASE statement:
SELECT
CASE
WHEN OD_STOCK_CODE LIKE '%BUPN%' THEN (([OD_UNITCST]*0.7)*[OD_QTYORD])
ELSE 0
END AS BOXDisc
FROM
WhateverTable
As a side note, you can use as many WHENs as you need for your logic.
The connection is DAO, the OS is WinXP, and I want to disable SSPI. Do you know how it is possible?
DAO?!?! It's been obsolete for quite some time now. It was shipped with Office 2000 and Office XP, but there will no longer be any development or support on the technology. It was also optimized for use with Access databases. Why on earth would you be using it to get to an SQL Server?
You can't turn it off for every application. SSPI is specified on a connection basis inside the application, in the connection string used to connect to the database.
RageInTheMachine9532
"...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Why does SQL Server Express 2005 save stored procedures in SQL files? That is so annoying.
"If only one person knows the truth, it is still the truth." - Mahatma Gandhi Web - Blog - RSS - Math
I'm wondering what the best way to implement plug-in reports is. If I use Crystal, which I haven't for over a year, I have the benefit of built-in selection parameters, so I could possibly get away with just 'dropping' the report files into a store, and having my code pull the full report name from the file somehow. The report itself will then handle the selection parameters.
If I do a custom solution, I could follow a plug-in assembly architecture, where each report is packaged as its own class library, with a custom selection screen1 and output grid.
1. Anyone recognise this ABAP/4 term?
I used to get high on life until I realized that life was cut with morons - Unknown
Hi everybody,
I want to know how to manage optimistic concurrency using timestamp.
I've already added a column to every table (timestamp type).
How can I modify the Update command to use it?
(I'm using C# 2005)
Thank you in advance
Enrico
VentoEngine corp.
Program your life ^^
During your SELECT statement you can get the timestamp and keep it for updating purposes later.
I usually save the timestamp as a long variable.
In your update statement, pass the timestamp as a parameter along with the rest that you need, to make sure you update the correct version of the data, e.g.
UPDATE customer
SET [name] = @newname
WHERE [id] = @id
AND [rowversion] = @timestamp   <-- timestamp value
Edbert
Sydney, Australia
"A day without sunshine is like, you know, night."
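As an added example (not code from the thread), the SELECT-then-UPDATE flow Edbert describes in C#: the rowversion read with the row is sent back as a parameter, and the row count tells you whether the update actually hit the version you read. Table and column names follow his snippet; the connection string and customer id are assumptions.

```csharp
// Added example, not from the thread. Connection string and id are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

class OptimisticUpdate
{
    // Reads the row and its 8-byte rowversion; keep the version with the row for the update.
    static byte[] ReadCustomer(SqlConnection conn, int id, out string name)
    {
        using (SqlCommand cmd = new SqlCommand(
            "SELECT [name], [rowversion] FROM customer WHERE [id] = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) throw new InvalidOperationException("No such customer.");
                name = r.GetString(0);
                return (byte[])r[1];
            }
        }
    }

    // True if exactly one row changed. False means someone else updated (or
    // deleted) the row since we read it, so the WHERE matched nothing and nothing was written.
    static bool UpdateCustomer(SqlConnection conn, int id, string newName, byte[] version)
    {
        using (SqlCommand cmd = new SqlCommand(
            "UPDATE customer SET [name] = @newname " +
            "WHERE [id] = @id AND [rowversion] = @timestamp", conn))
        {
            cmd.Parameters.Add("@newname", SqlDbType.NVarChar, 100).Value = newName;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
            cmd.Parameters.Add("@timestamp", SqlDbType.Timestamp).Value = version;
            return cmd.ExecuteNonQuery() == 1;
        }
    }

    static void Main()
    {
        using (SqlConnection conn = new SqlConnection("<connection string here>"))
        {
            conn.Open();
            string name;
            byte[] version = ReadCustomer(conn, 42, out name);
            if (!UpdateCustomer(conn, 42, name + " (edited)", version))
                Console.WriteLine("Row was changed by someone else; reload and retry.");
        }
    }
}
```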
Dear all,
I have the following case:
In a SQL db, each time a row is changed in a specific table (say OriginalTable) I need to insert a row for each changed column into a specific table (say HistoryTable) with the following values:
1- The OriginalTable column name (i.e. the column whose value has changed)
2- The old value (existing before the update process)
3- The new value (existing after the update process)
I don't know if this can be done using SQL or programmatically from the code.
Please, if anyone knows the solution to that problem using any SQL or code, reply to me as soon as possible. (Note: my application is an ASP.Net project)
Thank you all
Rania Adel
You can use an SQL TRIGGER to create these records automatically whenever a modification is performed. (see CREATE TRIGGER in the SQL documentation).
Also, you can use the COLUMNS_UPDATED() function to determine which columns have been changed (in order to produce the text for the column name).
Hope this helps.
Regards,
Alex
Anybody know the configuration or command to allow a MySQL database to allow remote host connections? ta.
regards,
Paul Watson
Ireland
Feed Henry!
K(arl) wrote:
oh, and BTW, CHRISTIAN ISN'T A PARADOX, HE IS A TASMANIAN!
You need to grant privileges to a user with an IP address.
Here's a link with a simple demonstration of how to set up the user.
I don't think you can set up a remote connection without the IP address, but I'm not an expert in MySQL.
Edbert
Sydney, Australia
"A day without sunshine is like, you know, night."
Thanks Edbert. I tried that but no luck. It might be another problem all together. It is a Windows box trying to connect to MySQL on a Linux box, so maybe there is a TCP/IP or port problem.
regards,
Paul Watson
Ireland
Feed Henry!
K(arl) wrote:
oh, and BTW, CHRISTIAN ISN'T A PARADOX, HE IS A TASMANIAN!