DataSource Controls :: Prevent Injection On Search Query From TextBox Control?
Jun 1, 2010
I've been reading up on SQL injection and want to go back and implement some measures to prevent these kinds of potential attacks. For example, on our company intranet, we have an address book feature and a search function so the user is able to look a company or a person up from the database. The user will enter their query into a TextBox control and click the Submit button, calling the following function:

addybookDS1.SelectCommand = "SELECT * FROM [addressbook] WHERE COMPANY LIKE '%" + search1 + "%' OR CONTACT LIKE '%" + search1 + "%' OR LASTNAME LIKE '%" + search1 + "%' OR EMAIL LIKE '%" + search1 + "%'"

search1 is the TextBox control. I had previously implemented this measure:

search1 = Replace(search1, "'", "''")

But I want to know if there is more I can do here and how I can go about doing it.
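An added example (not the poster's code) of the same search done with a parameter instead of concatenation. The control and table names (addybookDS1, search1, addressbook) are taken from the post; the EscapeLike helper, the resultsGrid control and the C# code-behind are assumptions of this example. The point is that the user's text never becomes part of the SQL statement, so doubling quotes is no longer needed; the helper only stops the LIKE wildcards from being interpreted.

```csharp
// Added example, not code from the original post.
// Parameterized LIKE search for a SqlDataSource, replacing string concatenation.
using System;
using System.Data;
using System.Web.UI.WebControls;

public partial class AddressBookSearch : System.Web.UI.Page
{
    // Escape the T-SQL LIKE metacharacters so the user's text is matched
    // literally. Square brackets are how SQL Server quotes them; "[" itself
    // has to be handled first. (Helper name is an assumption.)
    static string EscapeLike(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // One named parameter is reused for all four columns. Its value is
        // sent separately from the SQL text, so quotes, semicolons or
        // comment markers in the input cannot alter the statement.
        addybookDS1.SelectCommand =
            "SELECT * FROM [addressbook] " +
            "WHERE COMPANY LIKE @q OR CONTACT LIKE @q " +
            "   OR LASTNAME LIKE @q OR EMAIL LIKE @q";

        string pattern = "%" + EscapeLike(search1.Text.Trim()) + "%";

        addybookDS1.SelectParameters.Clear();
        addybookDS1.SelectParameters.Add(new Parameter("q", DbType.String, pattern));

        // Whatever is bound to the data source (GridView, DataList, ...)
        // re-runs the select with the new parameter. resultsGrid is assumed.
        resultsGrid.DataBind();
    }
}
```

Without EscapeLike an input of "%" would match every row; that is a data-exposure issue rather than injection, but it is the usual follow-up question once the quotes are handled. The Replace(search1, "'", "''") line from the post can be dropped: a parameter value containing a single quote is stored and compared as-is.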
I'm using a ListBox to get multiple values that will be used in a query. I can loop over the ListBox and create the string, i.e. 'blue','red','purple'. The string is used in the query:

SELECT * FROM TABLE1 WHERE COLOR IN('blue','red','purple')

Is there a way to parametrize multiple values? @COLOR='blue','red','purple'

What will be the best practice to prevent SQL injection in this scenario?
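An added example (not the poster's code) showing the standard answer to the IN-list question: one parameter per selected item, with only the placeholder names concatenated into the statement. TABLE1 and COLOR come from the post; the connection string name "MainDb", the 50-character column width and the ColorQuery class are assumptions.

```csharp
// Added example, not code from the original post.
// Builds "COLOR IN (@c0, @c1, ...)" with one SqlParameter per ListBox selection.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public static class ColorQuery
{
    // Collects the selected items of a ListBox with SelectionMode="Multiple".
    public static List<string> SelectedValues(ListBox box)
    {
        var values = new List<string>();
        foreach (ListItem item in box.Items)
            if (item.Selected) values.Add(item.Value);
        return values;
    }

    public static DataTable Search(IList<string> colors)
    {
        // "IN ()" is not valid T-SQL, so an empty selection returns no rows.
        if (colors.Count == 0)
            return new DataTable();

        var names = new List<string>();
        using (var conn = new SqlConnection(
                   ConfigurationManager.ConnectionStrings["MainDb"].ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            for (int i = 0; i < colors.Count; i++)
            {
                string name = "@c" + i;          // placeholder, never user text
                names.Add(name);
                cmd.Parameters.Add(name, SqlDbType.NVarChar, 50).Value = colors[i];
            }

            // Only the generated placeholder names reach the SQL text.
            cmd.CommandText = "SELECT * FROM TABLE1 WHERE COLOR IN (" +
                              string.Join(", ", names.ToArray()) + ")";

            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```

Usage from a button handler would be ColorQuery.Search(ColorQuery.SelectedValues(ColorList)). SQL Server allows at most 2100 parameters per statement, so for very long lists (well beyond what a ListBox produces) a table-valued parameter is the alternative; for a handful of values this pattern is enough and keeps the query plan cacheable for a given list length.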
I'm looking for something similar to EasyQuery: some sort of control that lets the user or the admin select some tables, then some columns of those tables and the conditions, so they can build the query without typing the MySQL statement, only selecting the tables and the rows...
I have a TextBox for a search box and a button on my About Us page. I want to redirect the search box value to the Default page and show the matching data from the DataList that belongs to the Default page. When I click the search button, the value of the search box should be redirected to the Default page and the data from the DataList shown.
I have now tried to locate and find anything about how to make a TextBox and a "Search" button.

Problem is that I have made this (below) and when I then enter a value into textbox2 and hit enter on the button it won't show me the "emnenummer" that I have requested.

I'm not even sure this is the correct way to do a "search".
I want to be able to make a query from three DropDownLists, but not all three have to be selected to create results. This is what I have so far:

Sub getdata(src As Object, e As EventArgs)
    Dim strsql As String
    Dim myconnection As OleDbConnection
    Dim mycommand As OleDbCommand
    myconnection = New OleDbConnection(ConfigurationSettings.AppSettings("MM_CONNECTION_STRING_csrdb"))
    strsql = "SELECT tbl_case.Case_id, tbl_case.Title, tbl_case.Description, Tbl_Country.Country_Name, tbl_principle.Principle_Name," _
        & "tbl_keyword.Keyword FROM tbl_keyword INNER JOIN ((tbl_principle INNER JOIN (Tbl_Country INNER JOIN tbl_case ON Tbl_Country.Country_Id = tbl_case.country) ON tbl_principle.Principle_ID = tbl_case.Principle) INNER JOIN tbl_Usedkeywords ON tbl_case.Case_id = tbl_Usedkeywords.case) ON tbl_keyword.Keyword_id = tbl_Usedkeywords.keyword " _
        & "WHERE "
    ' SelectedIndex 0 of each list stands for "any value"; only the innermost
    ' branch combines all three selections, joined with AND.
    If DLPrinciple.SelectedIndex = 0 Then
        strsql = strsql & "((tbl_principle.Principle_Name) LIKE '%')"
    Else
        If DLCountry.SelectedIndex = 0 Then
            strsql = strsql & "((tbl_country.country_Name) LIKE '%')"
        Else
            If DLKeyword.SelectedIndex = 0 Then
                strsql = strsql & "((tbl_keyword.Keyword) LIKE '%')"
            Else
                strsql = strsql & "((tbl_principle.principle_Name) = '" & Session("infoprinciple") & "')" _
                    & " AND ((tbl_country.country_Name) = '" & Session("infoland") & "')" _
                    & " AND ((tbl_keyword.keyword) = '" & Session("infokeyword") & "')"
            End If
        End If
    End If
End Sub

This works perfectly with only one DropDownList, but I cannot figure out how to make it work with several.
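An added example (not the poster's code, and in C# rather than the post's VB) of the usual way to make each list optional: append a condition to the WHERE clause only when that list has a selection, and pass the selected value as a parameter rather than concatenating the Session value. The table, column and list names follow the post; the CaseSearch class and the use of SelectedValue instead of Session are assumptions. With OLE DB the placeholders are positional "?" marks, so the parameters must be added in the same order as the conditions.

```csharp
// Added example, not code from the original post.
// Optional filters from three DropDownLists, each parameterized.
using System.Collections.Generic;
using System.Data;
using System.Data.OleDb;
using System.Web.UI.WebControls;

public static class CaseSearch
{
    public static DataTable Search(OleDbConnection conn,
        DropDownList principle, DropDownList country, DropDownList keyword)
    {
        var where = new List<string>();
        var cmd = conn.CreateCommand();

        // SelectedIndex 0 is the poster's "any" entry, so it adds no condition.
        if (principle.SelectedIndex > 0)
        {
            where.Add("tbl_principle.Principle_Name = ?");
            cmd.Parameters.AddWithValue("p1", principle.SelectedValue);
        }
        if (country.SelectedIndex > 0)
        {
            where.Add("Tbl_Country.Country_Name = ?");
            cmd.Parameters.AddWithValue("p2", country.SelectedValue);
        }
        if (keyword.SelectedIndex > 0)
        {
            where.Add("tbl_keyword.Keyword = ?");
            cmd.Parameters.AddWithValue("p3", keyword.SelectedValue);
        }

        // The SQL text is fixed apart from which "column = ?" fragments are
        // present; the values themselves travel as parameters.
        cmd.CommandText =
            "SELECT tbl_case.Case_id, tbl_case.Title, tbl_case.Description, " +
            "Tbl_Country.Country_Name, tbl_principle.Principle_Name, tbl_keyword.Keyword " +
            "FROM tbl_keyword INNER JOIN ((tbl_principle INNER JOIN (Tbl_Country INNER JOIN tbl_case " +
            "ON Tbl_Country.Country_Id = tbl_case.country) ON tbl_principle.Principle_ID = tbl_case.Principle) " +
            "INNER JOIN tbl_Usedkeywords ON tbl_case.Case_id = tbl_Usedkeywords.case) " +
            "ON tbl_keyword.Keyword_id = tbl_Usedkeywords.keyword" +
            (where.Count > 0 ? " WHERE " + string.Join(" AND ", where.ToArray()) : "");

        var table = new DataTable();
        new OleDbDataAdapter(cmd).Fill(table);
        return table;
    }
}
```

When nothing is selected the WHERE clause is omitted entirely, which is what the post's LIKE '%' branches were approximating. Reading SelectedValue from the lists rather than from Session also avoids the values going stale between postbacks.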
I'm developing an ASP.NET application which allows users to search for other users based on their name. This search is done using LINQ to SQL. At the moment I've only got 10 or so users in my database, so I can't really test the efficiency of my search query. I'm new to testing and such, but what is the best way to simulate 100/1000/10000 users on a query? Is there a tool (preferably free) that would allow me to perform tests to see how quickly the database can be searched if it had x number of users?
I want to prevent my data from SQL injection. I have replaced ' with '' (a single quote with two quotes) while doing any operation on SQL Server. Tell me what all I need to do to prevent my application from SQL injection. My application is in ASP.NET 2.0. I will use parameterized queries, but what about my old projects? I mean, what about where I have written a string query and send it to SQL Server as a CommandText? Can anyone insert SQL injection even though I have replaced ' with ''?
[URL] .... I need to search records in a GridView using the TextBox, but I do not want to configure this with a SQLDataSource manually (front end); so how do I filter the GridView from code-behind?
I am using this code to find titles depending on user criteria:
[Code]....
The search is on non-English characters, and it has some problems. When you look for "Marker" and in the database you have this title: "Markers", it won't find it..... This search is just not good enough and I am looking to replace it urgently....
I have a SqlDataSource with a few parameters (code below). If I understand this code correctly, if a parameter is NULL I should receive all items from the query. It works fine in the query editor. But when I try to use this query on my page, with DropDownList and TextBox controls as the source of the parameters, it doesn't work. I suspect that the main reason for the problem is the value these controls pass to the query: instead of NULL it is an empty string. Is it possible to pass a NULL value from a DropDownList or TextBox to the SqlDataSource?
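An added example (not the poster's code) of the two SqlDataSource settings involved when an empty control should behave as NULL. Parameter.ConvertEmptyStringToNull turns "" into a database NULL, and SqlDataSource.CancelSelectOnNullParameter, which defaults to true, has to be switched off, otherwise the select is silently skipped as soon as any parameter is NULL and the grid simply shows no rows. The Items table, the CategoryList and NameBox controls and the "@p IS NULL OR" query shape are assumptions of this example.

```csharp
// Added example, not code from the original post.
// Lets an empty TextBox or the "all" entry of a DropDownList reach SQL Server as NULL.
using System;
using System.Data;
using System.Web.UI.WebControls;

public partial class ItemList : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // "(@p IS NULL OR col = @p)": a NULL parameter matches every row,
        // a non-NULL one filters. Both values are still parameters.
        SqlDataSource1.SelectCommand =
            "SELECT * FROM Items " +
            "WHERE (@Category IS NULL OR Category = @Category) " +
            "  AND (@Name IS NULL OR Name LIKE '%' + @Name + '%')";

        SqlDataSource1.SelectParameters.Clear();

        // ConvertEmptyStringToNull maps "" to DBNull before the query runs.
        // The DropDownList's "all" item must therefore have Value="".
        var category = new ControlParameter("Category", DbType.String, "CategoryList", "SelectedValue");
        category.ConvertEmptyStringToNull = true;
        var name = new ControlParameter("Name", DbType.String, "NameBox", "Text");
        name.ConvertEmptyStringToNull = true;

        SqlDataSource1.SelectParameters.Add(category);
        SqlDataSource1.SelectParameters.Add(name);

        // Default is true: the whole SELECT is cancelled when any parameter
        // is NULL, which looks like "the query returns nothing".
        SqlDataSource1.CancelSelectOnNullParameter = false;
    }
}
```

The same two properties can be set in the .aspx markup (ConvertEmptyStringToNull="true" on the parameter, CancelSelectOnNullParameter="false" on the data source); the code-behind form is shown here only so that both appear in one place.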
Using a LinqDataSource control, in the Selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a LinqDataSource be vulnerable to SQL injection? Or does the control protect against this internally?
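An added example (not the poster's code) of keeping the user's text out of the Where expression altogether. LinqDataSource.Where accepts @name placeholders that are bound through WhereParameters, so the expression string stays constant and the search term is supplied as a value; a term containing quotes or operators is then compared as data rather than parsed as part of the expression. The Name property, the SearchBox control and the UserSearch page are assumptions of this example.

```csharp
// Added example, not code from the original post.
// LinqDataSource search with a fixed Where expression and a bound parameter.
using System;
using System.Data;
using System.Web.UI.WebControls;

public partial class UserSearch : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The expression text never changes; @term is a placeholder.
        LinqDataSource1.Where = "Name.Contains(@term)";

        LinqDataSource1.WhereParameters.Clear();
        var term = new ControlParameter("term", DbType.String, "SearchBox", "Text");
        // Keep an empty box as "" rather than null: Contains(null) is not a
        // usable filter, while Contains("") matches every name.
        term.ConvertEmptyStringToNull = false;
        LinqDataSource1.WhereParameters.Add(term);
    }
}
```

Equivalent markup is Where="Name.Contains(@term)" with an asp:ControlParameter inside WhereParameters. If the poster's Selecting handler builds the Where string by concatenating the TextBox text, the fix is to replace that concatenation with a placeholder as above; the handler can then be removed or limited to setting e.WhereParameters.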
I know the following sproc is vulnerable to SQL injection:
[Code]....
I would like to write a call to this sproc that uses SQL injection to execute the additional command:
[Code]....
That way, I can demonstrate the vulnerability of the sproc to SQL injection and test any revised implementations of the sproc using the same test call.
Problem is, SQL injection is harder than I thought! I just can't seem to do it.
Can anyone provide me with text for the sproc call to execute the additional command?
I have a Dictionary<string, bool> where the key is the control's ID and the value is the Visible status to set:
var dic = new Dictionary<string, bool> { { "rowFoo", true}, { "rowBar", false }, ... };
Some of the controls can be null, i.e. dic.ToDictionary(k => this.FindControl(k.Key), v => v.Value) will not work because the key can't be null. I can do the following:

dic.Where(p => this.FindControl(p.Key) != null)
   .ForEach(p => this.FindControl(p.Key).Visible = p.Value); // my own extension method
but this will call FindControl() twice for each key. How to avoid double search and select only those keys for which appropriate control exists? Something like:
var c = FindControl(p.Key); if (c != null) return c;

but using LINQ.
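An added example (not the poster's code) of the LINQ shape that resolves each control exactly once: Select performs the single FindControl and carries the result along with the desired flag, Where drops the ones that do not exist. The dictionary layout is the poster's; the VisibilityHelper class and its return value are assumptions.

```csharp
// Added example, not code from the original post.
// One FindControl per key; missing controls are skipped.
using System.Collections.Generic;
using System.Linq;
using System.Web.UI;

public static class VisibilityHelper
{
    // Returns the number of controls that were actually found and updated.
    public static int Apply(Control container, IDictionary<string, bool> visibility)
    {
        var found = visibility
            .Select(p => new { Control = container.FindControl(p.Key), Visible = p.Value })
            .Where(x => x.Control != null);

        int updated = 0;
        foreach (var x in found)
        {
            x.Control.Visible = x.Visible;
            updated++;
        }
        return updated;
    }
}
```

From the page, VisibilityHelper.Apply(this, dic) replaces the Where/ForEach pair. Because LINQ is lazy, the Select runs once per key as the foreach enumerates, so no control is looked up twice.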
I want a word search. I am doing the search like this, but it matches the characters wherever they occur in the string: if I give two characters like "ok", it finds every string in which "ok" occurs anywhere.

select * from table1 where textfield like '%word%'

This query would match "word" but also "wordabc". How can I make it aware of delimiters?
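An added example (not the poster's code) of whole-word matching with LIKE: pad both the column and the term with a space so that a match always sits between delimiters, and pass the term as a parameter with the LIKE wildcards escaped. table1 and textfield are from the post; the WordSearch class, the 100-character parameter size and the assumption that words are separated by spaces are this example's.

```csharp
// Added example, not code from the original post.
// Whole-word LIKE match with a parameterized, wildcard-escaped term.
using System.Data;
using System.Data.SqlClient;

public static class WordSearch
{
    public static DataTable Find(SqlConnection conn, string word)
    {
        var cmd = conn.CreateCommand();

        // ' ' + textfield + ' ' guarantees a delimiter on both sides, so
        // '% word %' matches "word" but not "wordabc" or "abcword".
        // Punctuation next to a word ("word,") would still need normalizing,
        // e.g. with REPLACE on the column; that is left out here.
        cmd.CommandText =
            "SELECT * FROM table1 " +
            "WHERE ' ' + textfield + ' ' LIKE '% ' + @w + ' %'";

        // Escape [, % and _ so the user's term is taken literally.
        string escaped = word.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
        cmd.Parameters.Add("@w", SqlDbType.NVarChar, 100).Value = escaped;

        var table = new DataTable();
        new SqlDataAdapter(cmd).Fill(table);
        return table;
    }
}
```

This form cannot use an index on textfield, so on a large table SQL Server's full-text search (CONTAINS) is the scalable replacement; for a small intranet table the padded LIKE is adequate.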
What I want to do is create a parameterized query in the code-behind, with the parameters being values from the Calendar control.

I'm trying to modify the select command already declared in the SqlDataSource, so I think it should be something like:

SqlDataSource2.SelectCommand = "SELECT * FROM Activities WHERE StartDate>@StartDate AND StartDate<@StartDate2"

But the main problem I am having is how to declare the value of @StartDate. I thought it would simply be calendarID.SelectedDate, but this doesn't seem to be right. I've tried different variations I've found in similar threads but can't get it right.

I'm not sure if grouping my results is complicating matters, but when I hard-code dates in it works OK, so I don't think so.

The code I was trying to get working is:

Dim theFilter As String = "StartDate > @StartDate AND StartDate < @StartDate2"
SqlDataSource2.SelectCommand = "SELECT DATENAME(month, StartDate) AS Expr1, YEAR(StartDate) AS Expr2, SUM(CGUPreSchool) AS Expr3, SUM(CGUPrimary) AS Expr4, SUM(CGUSecondary) AS Expr5, SUM(CGUYouth) AS Expr6, SUM(CGUAdult) AS Expr7 FROM Activities WHERE " & theFilter & " GROUP BY YEAR(StartDate), DATENAME(month, StartDate)"

I am trying to build the filter part dynamically, you see, but can't get this right.
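An added example (not the poster's code) of supplying the two date bounds as typed parameters. A ControlParameter pointing at the Calendar's SelectedDate property is the "declaration" the post is looking for: the SqlDataSource reads the property when the select runs, and DbType.DateTime means the value is sent as a date rather than as culture-formatted text. SqlDataSource2 and the Activities columns are from the post; the FromCalendar/ToCalendar control IDs and the ActivityReport page are assumptions.

```csharp
// Added example, not code from the original post.
// Date-range parameters for a SqlDataSource bound to two Calendar controls.
using System;
using System.Data;
using System.Web.UI.WebControls;

public partial class ActivityReport : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        SqlDataSource2.SelectCommand =
            "SELECT DATENAME(month, StartDate) AS Expr1, YEAR(StartDate) AS Expr2, " +
            "SUM(CGUPreSchool) AS Expr3, SUM(CGUPrimary) AS Expr4, SUM(CGUSecondary) AS Expr5, " +
            "SUM(CGUYouth) AS Expr6, SUM(CGUAdult) AS Expr7 " +
            "FROM Activities " +
            "WHERE StartDate > @StartDate AND StartDate < @StartDate2 " +
            "GROUP BY YEAR(StartDate), DATENAME(month, StartDate)";

        SqlDataSource2.SelectParameters.Clear();

        // Each ControlParameter reads Calendar.SelectedDate at select time.
        SqlDataSource2.SelectParameters.Add(
            new ControlParameter("StartDate", DbType.DateTime, "FromCalendar", "SelectedDate"));
        SqlDataSource2.SelectParameters.Add(
            new ControlParameter("StartDate2", DbType.DateTime, "ToCalendar", "SelectedDate"));
    }
}
```

One caveat: a Calendar with no selection reports DateTime.MinValue (year 1), which the SQL Server datetime type rejects, so either give both calendars a default SelectedDate or check SelectedDate before the bound control calls DataBind(). If the value has to be set from code instead of read from the control, SqlDataSource2.SelectParameters["StartDate"].DefaultValue accepts the date formatted as a string, which the DbType.DateTime setting converts.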
I'm trying to implement a recipe search page that allows users to specify search criteria by selecting checkboxes that match desired recipe attributes. All the data is stored in a database using tables with 1-to-many relationships. Each recipe can have multiple attributes from any of 5 attribute tables. I want to find all the recipes that match the user-selected criteria and display them in a grid. For example, the user may want a breakfast (attribute 1) recipe that is made with fruit and milk (attributes 2 and 3), is low-fat and high-fiber (attributes 4 and 5), and takes less than 15 minutes to prepare (attribute 6). The query for this example might look something like:

FROM recipes, recipeMeals, recipeDishes, recipeFoodGrps, recipeNutrients, recipeFixTimes
WHERE recipes.id = recipeMeals.recipeId
  AND recipes.id = recipeDishes.recipeId
  AND recipes.id = recipeFoodGrps.recipeId
  AND recipes.id = recipeNutrients.recipeId
  AND recipes.id = recipeFixTimes.recipeId
  AND recipeMeals.mealId IN (1)
  AND recipeDishes.dishId IN (5)
  AND recipeFoodGrps.fdGrpId IN (1, 6)
  AND recipeNutrients.nutrAttsId IN (2, 3)
  AND recipeFixTimes.fixTimeId IN (1)

I can generate the SQL but can't figure out how to bind it to a grid control. Nor could I see how to get any of the data controls to build the query for me. Is there a way to say "execute this query and display the results in a GridView"?
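An added example (not the poster's code) answering the "execute this query and show it in a GridView" part directly: fill a DataTable from a SqlCommand and assign it to GridView.DataSource, then call DataBind(). The checkbox IDs go into the IN lists as integer parameters, so the generated SQL contains only placeholder names. Table and column names are the post's; the "SELECT DISTINCT recipes.*" select list (the post shows none), the RecipeSearch class and the "RecipeDb" connection string name are assumptions.

```csharp
// Added example, not code from the original post.
// Parameterized multi-attribute recipe query bound to a GridView.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public static class RecipeSearch
{
    // Appends "column IN (@p0, @p1, ...)" for one attribute group, or
    // nothing when the user ticked no box in that group.
    static void AddInFilter(SqlCommand cmd, List<string> where, string column, IList<int> ids)
    {
        if (ids.Count == 0) return;
        var names = new List<string>();
        foreach (int id in ids)
        {
            string name = "@p" + cmd.Parameters.Count;   // unique across groups
            names.Add(name);
            cmd.Parameters.Add(name, SqlDbType.Int).Value = id;
        }
        where.Add(column + " IN (" + string.Join(", ", names.ToArray()) + ")");
    }

    // Reads the checked values of a CheckBoxList as integer IDs.
    public static List<int> CheckedIds(CheckBoxList list)
    {
        var ids = new List<int>();
        foreach (ListItem item in list.Items)
            if (item.Selected) ids.Add(int.Parse(item.Value));
        return ids;
    }

    public static void BindGrid(GridView grid, IList<int> meals, IList<int> dishes,
        IList<int> foodGroups, IList<int> nutrients, IList<int> fixTimes)
    {
        using (var conn = new SqlConnection(
                   ConfigurationManager.ConnectionStrings["RecipeDb"].ConnectionString))
        using (var cmd = conn.CreateCommand())
        {
            // Join conditions from the post, followed by whichever IN filters apply.
            var where = new List<string>
            {
                "recipes.id = recipeMeals.recipeId",
                "recipes.id = recipeDishes.recipeId",
                "recipes.id = recipeFoodGrps.recipeId",
                "recipes.id = recipeNutrients.recipeId",
                "recipes.id = recipeFixTimes.recipeId"
            };
            AddInFilter(cmd, where, "recipeMeals.mealId", meals);
            AddInFilter(cmd, where, "recipeDishes.dishId", dishes);
            AddInFilter(cmd, where, "recipeFoodGrps.fdGrpId", foodGroups);
            AddInFilter(cmd, where, "recipeNutrients.nutrAttsId", nutrients);
            AddInFilter(cmd, where, "recipeFixTimes.fixTimeId", fixTimes);

            // DISTINCT because a recipe with two matching food groups would
            // otherwise appear twice.
            cmd.CommandText =
                "SELECT DISTINCT recipes.* " +
                "FROM recipes, recipeMeals, recipeDishes, recipeFoodGrps, recipeNutrients, recipeFixTimes " +
                "WHERE " + string.Join(" AND ", where.ToArray());

            var table = new DataTable();
            new SqlDataAdapter(cmd).Fill(table);

            grid.DataSource = table;   // a DataTable is a valid GridView source
            grid.DataBind();
        }
    }
}
```

From the search button's Click handler the call is RecipeSearch.BindGrid(RecipeGrid, RecipeSearch.CheckedIds(MealBoxes), ...) with one CheckBoxList per attribute group. Because the IDs are typed as SqlDbType.Int, a tampered checkbox value that is not a number fails at int.Parse before any SQL is built.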