Your code has two problems:
1. When tblocation.Text contains either nothing or some special characters (including single quote, double quote, parenthesis, ...), your VB statement will happily concatenate everything; however, it will not result in a valid SQL statement.
2. When a malicious user enters some special stuff through tblocation.Text, the net result may be a valid SQL statement with side effects you don't want; by providing some text, a quote, a closing parenthesis, a semi-colon, then whatever follows would be executed as a second SQL statement, and could e.g. delete an entire table. This problem is known as "SQL injection attacks".
There are basically two solutions:
1. The best one is using SqlParameter, which means no string concatenation is used holding user input; all user input is handled separately, see SqlCommand.AddParameter(). This approach solves both problems.
2. Check and filter the textbox input; make sure there is nothing you don't want. If you want to allow quotes (as required in your example), then you may have to resort to special encoding, e.g. you could double the character on insertion, telling the database engine a single quote is required in the data.
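The parameterized approach from the first solution, as an added VB.NET example that is not part of the original post: the SQL text stays constant and the textbox value is bound through SqlCommand.Parameters. The Locations table, the LocationName column and the function names are assumptions, and the sample inputs are constructed.

```vb
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module ParameterizedInsertExample
    ' Hypothetical table and column names; the thread does not show the real schema.
    Private Const InsertSql As String = _
        "INSERT INTO Locations (LocationName) VALUES (@location)"

    ' The pattern the answer warns about: the input becomes part of the
    ' statement text, so a quote in it changes what the server parses.
    Function BuildConcatenated(ByVal location As String) As String
        Return "INSERT INTO Locations (LocationName) VALUES ('" & location & "')"
    End Function

    ' Parameterized form: the statement text is a constant and the input
    ' travels separately as a typed value, so it is never parsed as SQL.
    Function BuildParameterized(ByVal conn As SqlConnection, _
                                ByVal location As String) As SqlCommand
        Dim cmd As New SqlCommand(InsertSql, conn)
        cmd.Parameters.Add("@location", SqlDbType.NVarChar, 100).Value = location
        Return cmd
    End Function

    ' Executes the insert; connectionString is supplied by the caller.
    Sub SaveLocation(ByVal connectionString As String, ByVal location As String)
        Using conn As New SqlConnection(connectionString)
            Using cmd As SqlCommand = BuildParameterized(conn, location)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' Offline comparison on constructed inputs (no database needed).
    Sub Main()
        Dim samples() As String = {"Main Street", "O'Brien's Pub"}
        For Each s As String In samples
            Console.WriteLine("concatenated : " & BuildConcatenated(s))
            Using cmd As SqlCommand = BuildParameterized(Nothing, s)
                Console.WriteLine("parameterized: " & cmd.CommandText & _
                    "   @location = [" & CStr(cmd.Parameters("@location").Value) & "]")
            End Using
        Next
    End Sub
End Module
```

For the second sample the concatenated text has unbalanced quotes, while the parameterized command text is identical for every input.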
|
The dirty fix is to replace ' with '' in your string.
That'll work but it's not a good idea for the reasons described by Luc.
Use parameters when inserting values into SQL like this.
|
thanks.
I think you clicked the wrong reply widget though.
|
Sample (I have text like this):
username:marin;password:12345;lastlogin:12.12.2012;
I encrypt it with a password (1111) using http://www.di-mgt.com.au/properpassword.html and then I have something like:
FS238sdshdio92upishSDSDJfssf87s9dSFSSJDJ bla bla bla
I save that "bla bla" into a file somewhere in the application directory, and when I start the application again I decrypt it and get the info from the file.
That's safe encryption, but what for, if anyone can see my application's executable code and see what password I encrypted it with? Or am I wrong?
Thanks!
|
Nope, you're not wrong! A .NET assembly can be reversed with .NET Reflector, and anyone can figure out what you did to encrypt it. That's what obfuscators are for.
And if it was THAT critical, you should probably write the crypt/decrypt code in C++, not managed code.
|
Don't put the password in the executable; basic security!
It's time for a new signature.
|
How you encrypt this depends on who you are protecting it from and how important it is.
If this is a client-server application, a better option would be storing the encryption key on the server, and randomly generating it the first time the server runs. The client never sees the decrypted information, you just use a different "LoginFromEncryptedCredentials" method that passes the raw encrypted data, which the server decrypts and tries to process. When you want to store credentials, you call "GetEncryptedCredentialsFromServer" and pass it the information you want to encrypt. The key here is that the client machine NEVER sees the encryption key. If the client machine EVER has it in memory, then it can be retrieved.
If this is just a client application with no server, and you are saving the current user's credentials, you would be much better served encrypting the file with built-in windows file system encryption. This would hide it from everyone except the current user in a secure fashion.
|
You can change the name of the property, right?
|
The obfuscator changes the name of the property.
But I cannot tell it to change DisplayMember accordingly.
Can I re-write this code so the DisplayMember is not a string with a function name?
Atara
|
Depends on the obfuscator. Most won't change the string, so you'd have to exclude it.
|
Hi,
In DeepSea Obfuscator, you can obfuscate this if you exclude the property from renaming by attaching the standard Obfuscation attribute to it.
Kind regards,
Ewout Prangsma
|
It seems that I must exclude it, and there is no way to rewrite the code so that I do not use the function name as a string.
Thanks
Atara
|
There actually is a way if you are using .NET 3.5 or higher, using expression trees. You would create a helper method called GetPropertyName(Expression propEx), and call it like:
    this.myCtrlCmbFontName.DisplayMember = GetPropertyName(() => this.mcpGetName);
(sorry, C# syntax, I'm not too familiar with VB, but I think you get the idea).
The GetPropertyName method would traverse the expression tree and find the appropriate property name being accessed by the provided expression. You will have to do some Googling from here to figure out the rest, but if you have any specific questions once you get going, feel free to ask.
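One way to write the GetPropertyName helper described above, as an added VB.NET example that is not part of the original post and needs System.Linq.Expressions. FontItem and its sample value are hypothetical; mcpGetName is the property name used in the thread.

```vb
Imports System
Imports System.Linq.Expressions

' Hypothetical list item; mcpGetName is the property name used in the thread.
Public Class FontItem
    Public ReadOnly Property mcpGetName() As String
        Get
            Return "Arial"
        End Get
    End Property
End Class

Module PropertyNameHelper
    ' Returns the name of the property or field read by a lambda such as
    ' Function() item.mcpGetName. The name is read from metadata at run time
    ' instead of being stored as a string literal in the assembly.
    Function GetPropertyName(Of T)(ByVal propEx As Expression(Of Func(Of T))) As String
        If propEx Is Nothing Then Throw New ArgumentNullException("propEx")
        Dim body As Expression = propEx.Body

        ' A member read through a wider return type arrives wrapped in a Convert node.
        Dim unary As UnaryExpression = TryCast(body, UnaryExpression)
        If unary IsNot Nothing AndAlso unary.NodeType = ExpressionType.Convert Then
            body = unary.Operand
        End If

        ' Anything other than a plain member access is rejected explicitly.
        Dim member As MemberExpression = TryCast(body, MemberExpression)
        If member Is Nothing Then
            Throw New ArgumentException( _
                "Expression must be a simple property or field access.", "propEx")
        End If
        Return member.Member.Name
    End Function

    Sub Main()
        Dim sample As New FontItem()
        ' In the form this value would be assigned to DisplayMember.
        Console.WriteLine(GetPropertyName(Function() sample.mcpGetName))
    End Sub
End Module
```

DisplayMember is resolved against public properties of the bound items, so the member must still be a public property after the obfuscator has run.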
|
Thanks. Meanwhile I use .NET 2, for "old" computers, but I will keep this in mind when upgrading.
Atara
|
No problem. Actually, a correction: I think it will work on .NET 3.0+, but that still doesn't help you.
|
Yes, you will need to exclude it from obfuscation. BTW, which obfuscator are you using? Crypto Obfuscator has a cool feature which lists all such code points which need attention.
|
My program has a class to do some analysis that is run on a separate thread. When the work is done, it raises an event called AnalysisDone which the main form then handles. Below is my code to handle the event.
    Private Sub AnalysisDone() Handles DustWipeAnalysis.AnalysisDone
        If Me.InvokeRequired Then
            Me.Invoke(New AnalysisDoneDelegate(AddressOf Me.AnalysisDone))
        Else
            GenerateSummarySheet()
        End If
    End Sub
Now this function was working, but all of a sudden it is throwing a NullReferenceException at the Me.Invoke line. I don't understand why it was working and then just stopped when nothing was changed with the function, or the function that raises the event in DustWipeAnalysis class. Almost forgot, the AnalysisDoneDelegate is defined at the top of the main form as Delegate Sub AnalysisDoneDelegate()
|
Never mind, I figured out the problem. I was trying to call the wrong object that was created on a separate thread and this caused the NullReferenceException.
|
At my company, we receive test results from a lab in Excel files. However, sometimes the files are saved in BIFF7 format which I cannot read with the tools I have (and I've tried several different ones), and I doubt the lab will change how they do things just for me. Is anyone aware of any third-party tools (preferably free or very cheap) that I can use to convert BIFF7 files to BIFF8 format or later? Right now I'm doing it with Excel automation but I would prefer not to do it this way if I don't have to. Thanks in advance.
|
Did you ask them whether they can provide BIFF8 consistently?
If you are ordering and paying for the tests, just specify you need BIFF8!
|
I have a request in to them, but I am trying to find alternatives just in case they say they can't because of however they operate.
|
I just happened to encounter the same problem.
May I know how you convert it using Excel automation?
I am trying to do so but failed. Thanks.
|
Okay, I just started back working on my web browser, and I want to have my custom context menu show up when the user clicks inside the browser..... This is what I have...
    Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
        Dim Browser As New WebBrowser
        TabControl1.TabPages.Add("New Tab")
        Browser.Name = "Web Browser"
        Browser.Dock = DockStyle.Fill
        TabControl1.SelectedTab.Controls.Add(Browser)
        AddHandler Browser.ProgressChanged, AddressOf Loading
        AddHandler Browser.DocumentCompleted, AddressOf Done
        Int = Int + 1
        CType(TabControl1.SelectedTab.Controls.Item(0), WebBrowser).Navigate(UrlLocation.Text)
    End Sub
That is where I suspect the bit of code will have to go... Since I'm using Tab Control instead of the WebBrowser...
Also, within the Context Menu, I am stuck on two parts...
    Private Sub OpenLinkInNewWindowToolStripMenuItem_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OpenLinkInNewWindowToolStripMenuItem.Click
    End Sub
    Private Sub OpenLinkInNewTabToolStripMenuItem_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles OpenLinkInNewTabToolStripMenuItem.Click
    End Sub
What code would I add there to have it allow the user the option to open the Link in a new tab or a new window when they right-click over a link on the current webpage?
This is all I should need to complete my Web Browser for now.... Thanks.
~tbs