I would now like to check if my code is still open to SQL Injections after this work. I believe the code is now working as it should, but any blinding errors that you see i'd love to hear about too. My code is now looking like:
-code removed-
using a linqDataSource control... in the selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a linqDataSource be vulnerable to sql injection? Or does the control protect against this internally?
I have a couple of queries that I need to run one to a linked server and one not like this
Dim InvestorLookup As String = "DECLARE @investor varchar(10), @linkedserver varchar(25), @sql varchar(1000) "
InvestorLookup += "SELECT @investor = '" & investor & "', @linkedserver = '" & db & "', "
InvestorLookup += "@sql = 'SELECT * FROM OPENQUERY(' +@linkedserver + ', ''SELECT * FROM db WHERE investor = ' + @investor + ' '')' EXEC(@sql)"
Dim queryInvestorLookup As SqlCommand = New SqlCommand(InvestorLookup , conn)
Dim BondNoDR As SqlDataReader = queryInvestorLookup.ExecuteReader()
Dim PasswordCheck As String = "DECLARE @investor varchar(10), @password varchar(20), @linkedserver varchar(25), @sql varchar(1000) "
PasswordCheck += "SELECT @investor = '" + investor + "', @password = '" + password + "', @server = '" + db2 + "', "
PasswordCheck += "@sql = 'SELECT * FROM @server WHERE investor = @investor AND password = ' + @password + ' '' EXEC(@sql)"
Dim queryPasswordCheck As SqlCommand = New SqlCommand(PasswordCheck, conn)
Dim PasswordDR As SqlDataReader = queryPasswordCheck.ExecuteReader()
As far as I can tell from debugging the queries both run as they should but I get the error There is already an open DataReader associated with this Command which must be closed first. Is it possible to run two queries in two different DataReaders. I need to later reference each DataReader and select values from each.
We moved to a new SQL server and I started getting an error on one of my sps only when I ran it from a website. If I manually ran the sp it worked fine. The error I got was this System.Data.SqlClient.SqlException: OLE DB provider 'Microsoft.Jet.OLEDB.4.0' cannot be used for distributed queries because the provider is configured to run in single-threaded apartment mode. I can tell you that this sp does some things, then calls another sp which writes some sql to open an excel file and insert the data. Here is the pseudo
SET @sql = 'INSERT INTO dbo.TempParts (partKey, partKeyNumeric, partKeyAlpha, PartNumber, [Description], Comment, notAvailable ,BatchID)
I am using c#.net web application.I will not allow reply attacks in my application.How do i prevent from the same.
View 3 RepliesThis involves using the Membership provider to add a comment to users server side records when they log in and out, and then confirming that when a cookie is used to authenticate, that the user hasn't logged out. This makes perfect sense to me. Where this starts to fall apart is that we do not currently use a membership provider, and so it seems like I face reimplementing all our authentication code to use a membership provider. We currently check authentication in a controller, and make a call to FormsAuthentication.SetAuthCookie() once we know the user exists. It would be a lot of work to force a membership provider in.
Is all this work really neccesary. Can I roll my own key value store of cookie values to logged in users and just make sure I clear this when a user hits the logout button. If this seems unsafe is there a way of implementing a minimal Membership provider in order to make these checks without handing off all authentication code to it?
I guess my main problem here is that we decided a long time ago that the membership provider model doesnt fit with the model we use for locking and unlocking accounts, and chose not to use it. Now we find that the MS recommendations specifically mention a membership provider, and as this is security I need to be sure that not using it as they recommend isn't going to cause troubles.
Let's say a security tester uses a proxy, say Fiddler, and records an HTTPS request using the administrator's credentials-- on replay of the entire request (including session and auth cookies) the security tester is able to succesfully (re)record transactions. The claim is that this is a sign of a CSRF vulnerability.
What would a malicious user have to do to intercept the HTTPS request and replay it? It this a task for script kiddies, well funded military hacking teams or time-traveling-alien technology? Is it really so easy to record the SSL sessions of users and replay them before the tickets expire?
No code in the application currently does anything interesting on HTTP GET, so AFAIK, tricking the admin into clicking a link or loading a image with a malicious URL isn't an issue.
When a user presses Button1 on the Webpage, I would like to copy slightly modified string from txt1 (Text) into txt2 (Text).
The problem is sometimes I get an error "a potentially dangerous request.form value was detected from the client validaterequest". I get this error when special symbols llike "<" or ">" are in txt1.Text.I've read about that problem. That error is to prevent from hackers who can input scripts into the txt1.All I did is:
1) Put validateRequest="false" into <%@ Page Language="VB" validateRequest="false" at Default.aspx.
2) Default.aspx.vb contains now:
sHTMLEncodedString = Server.HtmlEncode(txt1.Text))
[code]....
Now it works and allows to take any data from txt1, slightly modify it and put into txt2.So, my question is: Did a level of security was reduced after I wrote validateRequest="false" ? Any code should be added to keep the good level of security? Or, I'd better use another way to copy txt1 to txt2?
where does following HTTP error message come from:
Due to the presence of characters known to be used in Cross Site Scripting attacks, access is forbidden. This web site does not allow Urls which might include embedded HTML tags.
We're using dynamically generated URLs and in this specific case the URL contains the characters '<' or '>'. We do URL encode the generated URL (so '%3C' appeary instead of '<') but it doesn't Our setup is ASP.NET MVC / IIS 7.5 / IE8. It's strange but it looks like the error appears only on some machines. So it could be that the IE internet zone settings are playing a role.
I have a ASP.NET XML web service (asmx) running on .NET 3.5. I am trying to figure out how best to prevent replay attacks. Is there any inherent security by .NET 3.5 that should mitigate this issue, or do I need some kind of SOAP header token value?
View 1 RepliesI am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
View 11 RepliesI want to display the world's top 100 IT giants list up-to-date on my webapge. from where can i get the informaiton? Is it possible to get the RSS feed for this?
View 4 RepliesI want to know how my data could be compromised using a statemnt like SELECT [ID], [item], [price] FROM [Items] where item LIKE '%' + mitem + '%'" what line of could be considered an attack to the data.
View 16 RepliesI've a blog-driven ASP.NET website. Under the post, there is a Comment block to let readers post comments.I've used some TextBoxes and TextArea for that.To Prevent XSS:I've filtered the input by using: Server.HtmlEncode() Method (I don't care about text formatting).To Prevent SQL-Injection:I'm using Linq To SQL (that should be like parametrized queries I think!).
ArticlesDataClasses dc = new ArticlesDataClasses();
ArticleComment newComm = new ArticleComment()
{
ArticleID = int.Parse(Request.QueryString["ArticleID"]),
CommentAuthor = Server.HtmlEncode(txtName.Text),
CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("
", "<br />"),
CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
CommentTime = DateTime.Now,
Enabled = false
};
I have a page using an injected BLL service: a simple service returning a set of objects with a function like this:
public IMyService { List<Foo> All(); }
There is a default implementation for normal users.Now, i need that users in administrative role can view more objects, with another implementation of the service.Where can i configure my page to use the second implementation?
My first solution is to put the dependency to the IUnityContainer in the page, and use it to resolve the dependency:
[Dependency]
public IUnityContainer Container { get; set;}
Page_Init(..) [code].....
it's a ServiceLocator and it's neither scalable neither testable.
During the design of a new generic authentication framework for some of our products, I have come across an architectural issue I cannot seem to find a good solution for.I have tried to simplify the problem in order to easily explain it.
The library has two classes:
Manager Is responsible for storing currently authenticated users.Module It is the responsibility for the module to validate each request according to security policies. The Module must ask the manager to determine whether a user is currently authenticated.
Now the manager is supplied an implementation of an interface which allows the manager to load users from a repository. The specific implementation is not contained in this library. Because of this, I cannot directly instantiate an instance of the repository within the library.
I have no way of modifying properties or supplying arguments for the module constructor. So my question is this, how can I give the module a reference to an instance of the Manager?
namespace Demo
{
public interface IRepository
{[code].....
prevent my data from SQL injection. I have replaced ' with '' (single quote with 2 quote) while doing any operation on sql server. tell me what all i need to do , to prevent my application from SQL injection. my application is in asp.net 2.0 i will use parameterized queries but what about my old projects.. i mean what about where i have written a string query and sending it to sql server as a commandtext. can any one insert sql injection even i have replaced ' with ''?
View 3 Repliesi almost finished my website
but i am afraid of sql injection to my website
how i can protect my self against this injection ...?
How to protect from sql injection where if a ' is put in the end of the URL there is an error ?
View 12 Repliesas i've read Ninject is the best one so how to use it and why i cannot see good examples.
Lately i have begun learning MVC and as i've seen every one use DI in the MVC, i have a couple doesn question but i will ask a few lol...
1. Why use and what is going to do for me?
2. How to use it in WebForms Appliction ?
3. IoC is the same if not what is it and what's it doing?
4. I want to use a Ninject FrameWork 2.0 but i cannot find good examples for WebForm App.
I have a custom constraint that queries a value against a repository. Is it possible to replicate the dependency injection available to controller constructors?
View 1 RepliesThis project is pretty far away and I'm not in the position to go make changes all over the place (If I could, deleting the lot would be what I'd do!)
I want to create a modelbinder that would resolve any dependencies my View Models might have (using StructureMap).
It should not require me to implement a specific interface (so many developers, so many interfaces..I rather keep things clean) and hopefully not require one to go register each model binder individually (Now I'm asking too much,taking the first requirment
in consideration).
Probably will get it right tonight, but figured I'd ask.
Recently I was asked to express the DI in colloquial explanation.
I answered :
1)I am going to a hotel.I ordered food.The hotel management asks me to clean the plates and
clean the tables.So here i am a client,I am responsible for managing the service (Instantiating,executing,disposing).But DI decouples such tasks so the service consumer no need not worry about controlling the life cycle of the service.
2)He also asked is there any microsoft API follows DI ?.I answered (This was my guess) In WCF you can create a Proxy using ChannelFactory that controls the life time of your factory.
for item (1) he said only 10% is correct
for item(2) he said that is factory pattern not dependency injection.
Actually what went wrong in my explanation (apart from my bad English) ? What is the real answers for those?
I have been looking at learning dependency injections (i think i have now grasped the basics) and am looking to implement it into a webform application. My question is, what dependency injection framework should i use for a webforms project, or is it a question of what works best for you?
I Have currently looked at Spring.Net, Ninject, Unity and StructureMap, i tend to have no preference in the configuration, whether its XML or fluent interfaces. However is XML configuration becoming less favourable?
Most of the information i come across relates to dependency injection whilst in a MVC environment. And have also read that some frameworks such as Structure Map only work with webforms using version 2.0 or earlier. So the kind of things i need to consider are whether webforms will be continuous support, and the ease of configuration for someone relatively new to the pattern.
Incorrect syntax near 'are'. Unclosed quotation mark after the character string ')'.
how to protect my SQL database by using Csharp.net against a SQL injection.