DataSource Controls :: Type Safe SQL Parameters And Update/Insert Of Database
Feb 1, 2010
I have been in the process of updating my code with security methods, and I've been learning this from [URL] (or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". Now, what they suggested was to use code like:
"DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"
But, I was already using code like:
"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("someVal", val);"
So now, to use type safe parameters, I decided to include it like:
"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;"
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this suggests that this should apply to unfiltered input. Also, in their example they only did this for an ID.
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources? If my fears serve true, what would be a good suggestion of how I could implement this properly without having to worry about what I said?
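As an added example (not code from the post or from the MSDN guideline), the two routes the post mentions, each with every value bound as a typed parameter: the parameter applies to every column written, whether or not the input passed a regular-expression check, and binding one costs a few object allocations per command, far less than the statement itself. The table name Members, its column types and the parameter lengths are assumed.

```csharp
// Added example: user input never becomes SQL text; it only ever travels as a typed value.
// Assumed: table "Members" with columns UserName (nvarchar(50)) and UserID (int),
// and a connection string named "sqlconnectionstring".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public static class MemberWriter
{
    // Route 1: a plain SqlCommand. The SQL text is a constant, so a value such as
    // "x'; DROP TABLE Members--" is stored as a 24-character name, not executed.
    public static int UpdateUserName(int userId, string newName)
    {
        const string sql = "UPDATE Members SET UserName = @newName WHERE UserID = @userid";
        string cs = ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declared type and length match the column, so the server receives a typed
            // nvarchar(50) and an int; the ID cannot even be assigned a non-integer.
            cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
            cmd.Parameters.Add("@userid", SqlDbType.Int).Value = userId;
            conn.Open();
            return cmd.ExecuteNonQuery();   // rows affected; UPDATE has no result set to read
        }
    }

    // Route 2: the SqlDataSource used in the post. The name is given without "@";
    // SqlDataSource adds the SqlClient prefix itself. DbType.Int16 makes the control
    // convert the string to a short before binding, so non-numeric input fails the
    // conversion instead of being sent. Size is ignored for fixed-length types like Int16.
    // Assumes the control's UpdateCommand is already set (for example in markup).
    public static int UpdateWithDataSource(SqlDataSource dataSource, string rawInput)
    {
        dataSource.UpdateParameters.Clear();
        dataSource.UpdateParameters.Add("someVal", DbType.Int16, rawInput);
        return dataSource.Update();
    }
}
```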
Similar Messages:
Jul 2, 2010
I use a sp to insert/update records. Parsing a DataTable (many) to a user-define table typesTable type:
[Code]....
Table to Insert/Update:
[Code]....
Will this work (snipp from sp)
[Code]....
Mar 24, 2010
I was looking at the options in Intellisense for the properties used with a parameter for the Object Data Source. There is one that I don't understand how it would be used. Can someone explain, or recommend an article about, what the DB Type is for and how it would be used?
Mar 6, 2010
I am using 1 textbox with an Ajax Calendar extender to allow my users to select a date graphically (e.g. 12/15/2009). I have another textbox for the hour and minutes in military time (e.g. 15:30). I think I have the code to grab the data from the 2 textboxes and combine them to be inserted into the field (e.g. 12/15/2009 15:30). Here is my insert code for the field:
[Code]....
However, unless I make all the fields nullable the insert fails; on top of that, none of the other fields that I have selected on the DetailsView Insert or Edit are inserted into their fields. Half of my fields have to be non-null values. So how do I fix this?
I can supply additional vb code and the aspx code if needed.
This is the error I'm getting: Cannot insert the value NULL into column 'Operation_type', table '/GAOSDB.MDF.dbo.BC_Perf_Log'; column does not allow nulls. INSERT fails. The statement has been terminated.'
This is the first non-null column.
I need to get this figured out because I have 30 other web pages that will be utilizing the same approach.
Mar 9, 2010
If I do this to set the fetch parameters:
dsList.SelectParameters["client_id"].DefaultValue = Session["client_id"].ToString();
where dsList is my datasource, it works.
But when I do the same thing for the *%^&* insert, it doesn't:
dsList.InsertParameters["client_id"].DefaultValue ="1234";
It keeps saying it's null; I don't understand why it would be doing this?
Feb 16, 2010
http://msdn.microsoft.com/en-us/library/ms178538(VS.80).aspx - I tried and got the error below when clicking the Update button in the DetailsView:
'/CaseExamples' 응용 프로그램에 서버 오류가 있습니다. ==> Server error in application program
ObjectDataSource 'EmployeeDetailsObjectDataSource'에서 매개 변수 (LastName, FirstName, Address, City, Region, PostalCode, original_FirstName, original_LastName, original_Address, original_City, original_Region, original_PostalCode, original_EmployeeID)를 사용하는 제네릭이 아닌 'UpdateEmployee' 메서드를 찾을 수 없습니다.
Jun 22, 2010
I am trying to write a function that can be called to run a stored procedure. I pass the stored procedure name, followed by as many parameters as I need to run the procedure. I am able to do this by using the params keyword, so my function looks something like this:
[Code]....
How can I determine what the data type of the parameter is? Maybe I need to alter the string[] part, above?
Sep 23, 2010
I have a FormView which is bound to an SQLDataSource. When a user clicks on a save button on the form, I need to write any changes made to the FormView back to the table.
I have a Stored Procedure on my MSSQL 2005 database that should be executed when the user clicks on the save button.
It appears the Update is firing, but when I trap the DbCommand object in the SQLDataSource's 'Updating' event, all of the parameters that should be passed to the Stored Procedure are coming through as NULLs. Consequently, the Stored Procedure isn't updating anything.
In the click event of the save button I'm explicitly firing the SQLDataSource's Update method:
[Code]....
The parameters in the SQLDataSource <UpdateParameters></UpdateParameters> section appear to be correct.
Can anyone give me an idea on what to investigate to figure out why it appears the Update is only picking up NULLs?
Jun 14, 2010
I have a SQL datasource, hooked to a gridview. When I submit my updated row, the update parameters fill with the original values instead of the new values. Am I doing something wrong? I have tried to handle everything in the html, and not code any parameter settings. All my update parameters are called the same as the field in my gridview, and I use a prefix in front of the parameter names in my updatecommand, in my case : (instead of @) since I use Oracle.
Jan 14, 2010
This is a SQL Server 2008 database. I have a table which has an XML datatype column, Is XML Document = true, and SchemaCollection = InternalAttributeCollection. This is my schema:
[Code]....
This is my table
[Code]....
I inserted this:
[Code]....
Now, the xml column is nullable and is currently null for the John Doe record. I tried this update:
[Code]....
I get this error: "XML Validation: Declaration not found for element 'InternalAttributes'. Location: /*:InternalAttributes[1]"
Jan 12, 2011
For example, this is the code that I am using:
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

String commandString = "UPDATE Members SET UserName = @newName , AdminLevel = @userLevel WHERE UserID = @userid";
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandString, conn))
{
    // Explicit SqlDbType and length instead of the obsolete Add(string, object) overload;
    // the column types and lengths are not given in the post and are assumed here.
    cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
    cmd.Parameters.Add("@userLevel", SqlDbType.Int).Value = userLevel;
    cmd.Parameters.Add("@userid", SqlDbType.Int).Value = userid;
    conn.Open();
    // UPDATE returns no result set: ExecuteNonQuery, not ExecuteReader (and no undeclared Reader to close).
    cmd.ExecuteNonQuery();
}
Mar 15, 2011
I have been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post in here suggested only using parametrized queries. Well, I'm using them, but I want to be sure my code is safe. Is it?
[code]....
Apr 19, 2010
I want to update the data of a database through a gridview update button.
How can I attach a data conversion like this:
[Code]....
Jan 14, 2011
Not sure where I went wrong with this one, but I can't figure it out now... I've got a DetailsView in an UpdatePanel. A dropdownlist controls which person's details are displayed in the DetailsView. I have the DataSource set to an ObjectDataSource, which has select, insert and update methods defined. I also have a method for the ItemCommand, ItemInserting, ItemUpdating and DataBound events of the DetailsView specified.
When I click "New" or "Edit" on the DetailsView I get the open form with either the details for the current person, or a blank form, exactly as I would expect. But when I click the "Update" or "Insert" buttons it does absolutely nothing. I have it running in debug, and have put breakpoints in the ItemCommand, ItemInserting and ItemUpdating methods, right at the top, and it never goes there. The form remains open, and nothing happens. If I click "Cancel", it posts back and goes back to ReadOnly mode.
A couple more minor details that may be important: This page is using a Master page, which is where the ScriptManager is. I'm actually using the ScriptManager from the AjaxControlToolkit. I also have a GridView in this same UpdatePanel, and that has a FileUpload control in it. Because the FileUpload control doesn't work properly without some tweaking, I have to call a RegsiterPostbackTrigger method on page load to link it back to the Master page's scriptmanager. Not sure if that's causing any issues...?
I had this working fine, but then as the page got more complex and I had to change some of the code, at some point it just stopped working and now I can't figure out how to get this working again... I'm happy to post code if necessary, just thought I'd try this first to see if anyone has a quick idea for what to check.
Apr 18, 2010
I have a web project with more than 100 input boxes, so in every INSERT and UPDATE to SQL Server I must put the golden N word in front of the SQL string literal so it will be in UNICODE mode. Do we have some alternative to this? How can I make it in EVERY UPDATE and INSERT to SQL Server at the data layer level, so that it inserts UNICODE (without the N word)? How can you get MSSQL Server to accept Unicode data by default into a VARCHAR or NVARCHAR column?
I know that you can do it by placing an N in front of the string to be placed in the field, but to be quite honest this seems a bit archaic in 2008 and particularly with using SQL Server 2005. Example:
cmd = New SqlCommand(sql, ConnectionFromEnum(whichDatabase))
cmd.Connection.Open()
i = cmd.ExecuteNonQuery()
So...
the question is: am I supposed to make something with SQLCOMMAND to set "enter everything as if it is UNICODE, with N automatically"? Or must I specify UNICODE by default somewhere else? Just to indicate that I already set in web.config:
<globalization requestEncoding="utf-8" responseEncoding="utf-8" fileEncoding="utf-8" responseHeaderEncoding="UTF-8" culture="en-GB"/>
So the global question: HOW TO MAKE INSERT AND UPDATE Unicode by default in every insert and update method, without placing the N word in front of the literal string?
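An added example, not the poster's code: a small data-layer helper that binds every .NET string as SqlDbType.NVarChar, so Unicode reaches NVARCHAR columns through the parameter and the SQL text contains no literal to prefix with N. The connection string name, table and column names are assumed.

```csharp
// Added example: one helper for all INSERT/UPDATE calls in the data layer.
// Assumed: a connection string named "sqlconnectionstring"; table/column names in the usage comment.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class Db
{
    // Maps a CLR value to the SqlDbType it is bound as. Strings are always NVarChar:
    // .NET strings are UTF-16 already, and NVarChar sends them unchanged, whereas
    // VarChar would pass them through the collation's code page and mangle characters
    // outside it. Extend the list for the other CLR types your schema uses.
    public static SqlDbType TypeFor(object value)
    {
        if (value is string) return SqlDbType.NVarChar;
        if (value is int) return SqlDbType.Int;
        if (value is long) return SqlDbType.BigInt;
        if (value is bool) return SqlDbType.Bit;
        if (value is DateTime) return SqlDbType.DateTime;
        if (value is decimal) return SqlDbType.Decimal;
        throw new ArgumentException("No SqlDbType mapping for " + value.GetType().Name);
    }

    // Runs a statement whose only variable parts are parameters; the statement itself
    // has no string literal, so the N prefix question never arises. Usage (names assumed):
    //   Db.Execute("UPDATE Articles SET Title = @Title WHERE Id = @Id",
    //              new Dictionary<string, object> { { "@Title", "Ærø Σχόλιο" }, { "@Id", 7 } });
    public static int Execute(string sql, IDictionary<string, object> args)
    {
        string cs = ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            foreach (var kv in args)
            {
                // A null is sent as a typed NULL (NVarChar is accepted for any column
                // via implicit conversion); otherwise the value's own type is used.
                SqlDbType type = kv.Value == null ? SqlDbType.NVarChar : TypeFor(kv.Value);
                cmd.Parameters.Add(kv.Key, type).Value = kv.Value ?? (object)DBNull.Value;
            }
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```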
Sep 3, 2010
Is there a way to create a contact form that takes the name, address and other info for the master record; then, somehow, on the same page, allow the user to enter multiple contact info as child records (i.e. phone, email, etc.)?
All this using the Object DataSource or SQL DataSource (whichever is easy) and doesn't require writing too much code.
Jul 2, 2010
[Code]....
After this, and in the same procedure, I want to update the inserted or updated record that occurred in the above code with the following update statement:
[Code]....
Updating the mark is completed successfully if the record exists (update case), but if the record does not exist (new record) the update of the mark does not occur.
Mar 4, 2010
Existing records can be updated.
New records can be inserted.
All existing records can be deleted and new ones can be inserted.
Existing records have a primary key field.
New ones are just blank inserts.
All this detail is stored in a data table. On form update I only want to update existing (only modified) rows and insert new rows. I have gone about loading the changed records in a new data table:
DataTable changedRecordsTable = dataTable_old.GetChanges();
How do I compare it with all the records in the old datatable and pass them to the save query?
Jul 6, 2010
[code]....
I'm trying to update my DB (database) by using a SQL UPDATE query, but it's not updating in the database. I receive confirmation (in testLabel) that one row is affected (dataReader = query.ExecuteReader(); return numbers of rows affected)...
I have a HTML editor text control on a page, which generates HTML (I have to store it in my DB; that page is only for Admin). On pressing the Update button, I'm receiving in my testLabel that one row is affected (which shows the DB is updated successfully), but when I check my DB it's in the old state; it is not updating...
Here is my event handler of the Update button which has to make updates in the DB:
[Code]....
[Code]....
Jan 23, 2011
Is there any way to make ASP.NET ObjectDataSources type safe, meaning I get a compile-time error if parameters or datatypes change during refactoring? Does anyone know any other method, or can recommend any other way to do it? I find manual binding tedious. What are other people doing?
Jan 5, 2011
I am *VERY* new to ASP.net. This may seem simple to you all, but I'm really lost. I have a small sized page with three text boxes (part of the InsertItemTemplate) of a formview, and a slightly modified link the system generated to submit the data to be inserted in the database:
[Code]....
If this page is run, it inserts the data into the database fine, clears the form and sits there. I want it to return a simple "Thank you" page in a window of the same size, with a Close Window button at the bottom to close the window:
[Code]....
When I set the postbackurl property on the first page, everything appears to work, except the write is never done to the database. If I remove the postback, it works as it did previously.
Sep 16, 2010
I have two databases. When I am using MS Visual Web Developer, I can drag the table onto the webpage and it gives me check boxes to Insert, Update, Delete, ... When I do the exact thing using the other database, it only has check boxes for paging, sorting and selection. What is the difference? I seem to have all the same permissions in both databases.
Jul 6, 2010
I need a control to modify data from my database tables, like a GridView. Does ASP.NET have the control that I need already implemented? How could I do that?
May 7, 2015
How to insert, update and delete a row in a gridview without saving in the database? Suppose 1 textbox, 1 button and 1 gridview; the textbox and button are outside of the gridview.
What is the coding of this project?