Our database affected with SQL Injection. so We need to create a sql server 2005 new login for SQL Injection prevention. User can perform, access tables with select, update and delete queryaccess views, functions and stored proc perform cursor. what are the permissions given for that login account?
View 1 Replies
I have a textBox and a property to get and set its value:
public SomeText
{
get { return HttpUtility.HtmlEncode(textBox.Text); }
set { textBox.Text = HttpUtility.HtmlEncode(value); }
}
I have used HtmlEncode to prevent Javascript injection attacks. After thinking about it though I'm thinking I only need the HtmlEncode on the getter. The setter is only used by the system and can not be accessed by an external user.
implementing login control programmatically using sql server 2005. can anyone give me good web reference about the topic? i am new to this development.
development tool i am using:
>visual studio 2008
> sql server management studio 2005
>windows 7 ultimate(32 bit)
how to create a login form using the login controls present in the toolbox?
or should i o for creating the layout of the login myself and then code it accordingly?
I dont know where to start, but I have a simple issue that you may be able to resolve.
I have a SQL database that contains a table with user name / password / Account level in it.
What I am trying to do is to create a Login page that will use this database and table to authenticate the login.
I have spent some time looking about for an example, and the nearest that I have found is for an access Database, but I really need this to work with SQL.
I'd just gotten the MVC application I'm working on to connect to the database when the machine it was on went down. Now, for development purposes, I've installed the database on my local SQL Server 2005 Express installation. I jumped through all the hoops for getting the connection set up. I have:
Opened the Surface Area Configuration and set it to allow Local and remote connections. In the same area, I set the SQL Server Browser to Automatic startup and started it. In SQL Server Mgmt Studio Express, under Security/Logins, I added a user with a Server Role of 'sysadmin' and in User Mapping for the specific database in question I checked 'db_owner'. I also restarted the services and then rebooted the machine when restarting the services didn't work. But it's still giving me the following error:
A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections. (provider: SQL Network Interfaces, error: 26 - Error Locating Server/Instance Specified) Here's the weird part. I can open SQL Server Mgmt Studio Express and log in with the user I created as described above. Login is successful, and I have complete access to the database. In Server Explorer, I've set up a connection to this exact same database without any problems. I can connect to it and list the tables, get their data, etc., no problem. I can also use the "osql" command to connect to and retrieve data from the same database.
It seems safe to say that the database is definitely there and can be connected to. So, I thought there must be something wrong with my connection string. Since the Server Explorer is connecting to and displaying data from the database, I copied its connection string, which looks a lot like this:
Data Source=myServerSQLEXPRESS;Initial Catalog=myDatabase;Persist Security Info=True;User ID=SwinglineUser;Password=***********
Of course, the Password has been replaced with the actual password (just in case someone thought I might have forgotten that step). So, absolutely everything I try connects to the database without the slightest issue, except for my MVC application. I'm not sure what else to try. Could there be some difference in how to set things up if you're connecting to a local server?
I have an ASP.NET MVC 2 web site that runs okay on my local machine. The first page that comes up uses data from a SQL Server 2005 database that is on a separate machine.
When I deploy the website to an IIS 6.0 web server and try to open the website in a browser on the web server desktop I get the following:
Server Error in '/AutoDoc' Application.
Login failed for user ''. The user is not associated with a trusted SQL Server connection.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Login failed for user ''. The user is not associated with a trusted SQL Server connection.
Source Error:
Line 27: </div>
Line 28:
Line 29: <% Html.RenderAction("GenreMenu", "DocStore"); %>
Line 30:
Line 31: <div>
Source File: c:InetpubAutoDocAutoDocViewsSharedSite.Master Line:
29
Stack Trace: [SqlException (0x80131904): Login failed for user ''. The user is not associated with a trusted SQL Server connection.]
There are so many ways to approach this that IM a little lost in the forest. What is the best way to address giving the hosting web server access to the database server? Or should I say give the web site access to the specific database?
i have installed sql 2005 more than 100 times , but this time
View 3 RepliesI created the web application using asp.net 2.0, c# and sql server 2005sometimes i am getting the following error,Message: Unable to validate data.Source: System.Web
TargetSite: Byte[] GetDecodedData(Byte[], Byte[], Int32, Int32, Int32 ByRef)
StackTrace: at System.Web.Configuration.MachineKeySection.GetDecodedData(Byte[] buf, Byte[] modifier, Int32 start, Int32 length, Int32& dataLength)
at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)
How to create a SQL Server 2005 connection string .... if my site path on server is
[URL]
Is it possible to create a MS SQL 2005 database using Visual Studio 2008?
How about using Visual Web Developer 2008 Express Edition?
VWD 2008 Express. Visual Basic. SQL Server 2005. I am trying to create a scalar function in SQL Server 2005 wherein I pass a string that respesents a portion of a WHERE clause in the function's SQL statement. I would be passing things like "GDate>1/1/2010 and GDate,1/1/2011" or "Year(GDate)=2010" When I try to build the function it errors out saying basically that the @WhereClause is not a boolean expression. Does anyyone know how I could accomplish this? The part it does not like is in red.
[Code]....
How to create a primary key as A1/D-M/100000 in SQL Server 2005 in Visual Studio 2008 ?
View 4 RepliesI used SQL SERVER 2008 R2 express as my web development database and I set its compatibility level to 2005. Unfortunately this database cannot be be attached to SQL server 2005. Are there any other options?
View 3 RepliesI've used the WebPI to install SQL Server Express 2008 and VWD2008 SP1. I made sure to install SQL Server first then install VWD. Whenever i use VWD now though and try to add a new SQL Server Database to my website i get the error message "Connections to SQL Server Files (*.mdf) require SQL Server Express 2005 to function properly."
I'm a little stuck as to where to proceed with this error. I've un-installed everything web development related and re-installed and still get the same error. I was under the impression that VWD2008 SP1 required SQL Server Express 2008 and wouldn't work with SQL Server Express 2005 so can't understand why it now wants it to be installed.
I have visual studio 2005 and sql server standard edition installed on my desktop. Im trying to get my head around the authentication and role administration part of visual studio controls.
At the moment Im using the browser version to configure the settings.
While im attempting to access the security tab to develope, users and roles i keep getting a message saying im unable to connect to the database. However, when i use my collogues PC with SQL server express installed it connects with no problems.
Does anyone have an idea how i configure this tool to use SQL server standard edition so i dont have to go back to express?
I have a list with users logins. I need to create for each of them a login on the server (SQL Server 2008) with password hashed in md5. How can I do that in the easiest way?
View 2 Repliesi install sql sever 2008 and i want use as a serve side authentication. How to cerate server side loging["userid" , "Password"] it directly apply on sqlserve 2008 not any sqlquery
View 2 Repliesi had the sql 2008 enterprise and i want to go back to sql server 2005 because in 2008 i created new database but when i did some changes in the table , it gave me an eror that i cant save thins and i need to creat new one if some one know what i'm talking aboutif not i need the sql server installation tutorial i tried by myself but probebly i did it wrong and now i cant connect well to the sql
View 2 RepliesI'm trying to make a shopping cart and i've reached where I can select the item and view it by itself and click the add to cart but I no Idea how to make the cart .I got one from this site http://csharpdotnetfreak.blogspot.com/2009/05/aspnet-creating-shopping-cart-example.html but it dosen't work with my application since i've built in my own Authentication and they use windows authentacion.
View 2 RepliesI'm developer moving from C# to Java. Heard about new ASP net feature. <%: %>. It renders object with html encoding. Only these impolementing IHtmlString interface are not encoded (to prevent double encoding).See more in http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx
View 2 RepliesIn the notes for Step 1 in the "How To: Prevent Cross-Site Scripting in ASP.NET" it is stated that you should "not rely on ASP.NET request validation. Treat it as an extra precautionary measure in addition to your own input validation."
View 2 RepliesI want to modify a Stored Procedure for blocking injection :
This is the original Stored Procedure (working fine) :
[Code]....
And this is my Stored Procedure with variables :
[Code]....
Why this is not working? I got a "Conversion from type 'DBNull' to type 'Boolean' is not valid."
I'm using a List Box to get multiple values that will be used in a query.I can loop over the List Box and create the string.i.e. 'blue','red','purple'The string is used in the query: SELECT * FROM TABLE1 WHERE COLOR IN('blue','red','purple'). Is there a way to parametrize multiple values? @COLOR='blue','red','purple'What will be the best practice to prevent SQL injections in this scenario?
View 10 Repliesi m currently creating an article module, and i want if user wana comment on to the any particular artical, than he should login any of his mail id like gmail, yahoo hotmail etc and than post his or her comment and after than comment should go into the DB.
View 3 Replies
