C# - Inserting Into DB With Parameters Safe From SQL Injection?

Mar 15, 2011

I been reading a bit about SQL injection and I want to be sure my code is lets say "safe" from it, I was planning on using RegExp validators to check the user input but another post in here suggested only using parametrized querys, well Im using them but I want to be sure my code is safe, is it?

[code]....

View 3 Replies


Similar Messages:

Web Config Safe From SQL Injection And XSS

Nov 12, 2010

I've a blog-driven ASP.NET website. Under the post, there is a Comment block to let readers post comments.I've used some TextBoxes and TextArea for that.To Prevent XSS:I've filtered the input by using: Server.HtmlEncode() Method (I don't care about text formatting).To Prevent SQL-Injection:I'm using Linq To SQL (that should be like parametrized queries I think!).

ArticlesDataClasses dc = new ArticlesDataClasses();
ArticleComment newComm = new ArticleComment()
{
ArticleID = int.Parse(Request.QueryString["ArticleID"]),
CommentAuthor = Server.HtmlEncode(txtName.Text),
CommentText = Server.HtmlEncode(txtComment.InnerHtml).Replace("
", "<br />"),
CommentAuthorEmail = Server.HtmlEncode(txtMail.Text),
CommentTime = DateTime.Now,
Enabled = false
};

View 1 Replies

C# - Is It Safe Using Dynamic SQL With Parameters

Jan 12, 2011

For example, this is the code that I am using:

String commandString = "UPDATE Members SET UserName = @newName , AdminLevel = @userLevel WHERE UserID = @userid";
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString))
{
SqlCommand cmd = new SqlCommand(commandString, conn);
cmd.Parameters.Add("@newName", newName);
cmd.Parameters.Add("@userLevel", userLevel);
cmd.Parameters.Add("@userid", userid);
conn.Open();
cmd.ExecuteReader();
Reader.Close();
}

View 3 Replies

How To Type Safe SQL Parameters And Update

Feb 1, 2010

I have been in the process of updating my code with security methods, and I've been learning this from [URL](or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".

Now, what was to use code like:

"DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"

But, I was already using code like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("someVal", val);"

So now, to use type safe parameters, I decided to include it like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;"

So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.

Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, that this should apply to unfiltered input. Also, in their example they only did this for an ID.

So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?

The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources?

View 1 Replies

DataSource Controls :: Type Safe SQL Parameters And Update/ Insert Of Database

Feb 1, 2010

I have been in the process of updating my code with security methods, and I've been learning this from [URL] (or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". Now, what they suggested was to use code like:

"DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"

But, I was already using code like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("someVal", val);"

So now, to use type safe parameters, I decided to include it like:

"var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5") ;
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;"

So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.

Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this suggests that this should apply to unfiltered input. Also, in their example they only did this for an ID.

So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?

The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources? If my fears serve true, what would be a good suggestion of how I could implement this properly without having to worry about what I said?

View 1 Replies

Data Controls :: Avoid SQL Injection While Inserting Data

Dec 23, 2015

I am using linq and i want secure coding method in c# so the I can prevent database Injection in my site.

View 1 Replies

DataSource Controls :: Inserting Parameters?

Jan 10, 2010

I'm linking a form to sql database, As far as i know for textbox the code will be like this one below in VB:

dashDataSource.InsertParameters.Add("databaseColumName", NameOFTextBox.Text)

But what is the code for a drop down menu for countries list?

View 3 Replies

DataSource Controls :: Getting Error While Inserting The Values To Parameters?

Mar 19, 2010

I'm using Enterprise library, but the idea is the same. I have a SqlStringCommand and the sql is constructed using StringBuilder in the forms of "insert into table (column1, column2, column3) values (@param1-X, @param2-X, @parm3-X)" + " ";where "X" reprents a "for loop" about 700 rows like so
[Code]....

So after all is done, I have 700 insert statements in one batch and of course, I did another 700 loops and added the values to those parameters. It runs fine and fast for a few days. However, last night, suddenly I get this error

[Code]....

View 2 Replies

DataSource Controls :: Concatonate Fields When Inserting Using Command Parameters

Feb 12, 2010

I would like to use a command parameter to concatonate two fields

protected void Notes0_Inserting(object sender, SqlDataSourceCommandEventArgs e)
{
e.Command.Parameters["Comments"].Value = Eval("LeadID")&" "&Eval("TextBox1");
}

Where the leadID is based on a query string and comments are entered in textbox1

View 1 Replies

ADO.NET :: Inserting Property Values Of Class Into ParamArray Parameters As Object()

Oct 20, 2010

Using the properties as defined in a class, how about can I put them into the ParamArray parameters argument of my function. The code as follows:

Public Class MyObject
Public Property Prop1 as string
Public Property Prop2 as integer
Public Property Prop3 as Boolean
Public Sub AddNewMyObject
MsSQL_ExecuteNonQuery("StoredProc_AddNewMyObject", ________________?)
End Sub
End Class
Protected Function MsSQL_ExecuteNonQuery(ByVal storedProc as string, ByVal ParamArray parameters as object())
'Some Code here.
End Function

View 2 Replies

Is VSS 2008 Really "safe"  Was VSS 2005 "safe"?

Sep 21, 2010

There is not a clear category on the site where to post this, so giving it a shot here.

Has anyone used VS 2008? I current user Turtoise for some projects, and Source Gear Valut for others.

The company where I work is thinking about moving to VSS because of the MSDN subscription.

My experience with VSS prior to VSS 2005 was that it conied the name "Visual Source Unsafe" and I know first hand that it trashed my work more that once and I stopped using it. Source Gear Valut on the other hand is rock solid.

So is VSS 2008 Really "safe" was VSS 2005 "safe" ?

View 3 Replies

ADO.NET :: EF4 CTP5 Safe To Use?

Feb 28, 2011

I wonder if its safe to use the CTP5 in production yet. My main use would be for 2 small projects. I Know they pre released it but any thoughts on this if it would hold up for production are welcome.

View 1 Replies

Safe Way To Encode A Cookie Value In C#?

Apr 23, 2010

When storing a value in a cookie using C#, what is the best way to encode (or escape) the value so that it can be retrieved and decoded/unescaped reliably?

I'm not talking about encryption.

View 1 Replies

MVC :: Getting Safe With ValidateInput As False?

Feb 21, 2011

I want to store certain html tags in my database to the layout of content, for example <h3> and <p> tags. The problem is with ValidateInput set to True, you get "Potential Danger error" when you try sending content with html tags.

With it set to False, you open yourself to all sorts of potential dangers. So Here is what I'm wanting to achieve:

I hope you like the image ! lol I spent 10 minutes in Photoshop to create it.

So eventhing that goes in, I want as encoded, but when I get content back, I want to decode only the <h3> and <p> tags. ! What do you think of my solution ? Bad, Good ?

View 16 Replies

C# - Is It Safe To Always Create A New HttpContextWrapper

Oct 21, 2010

I'm trying to make an existing ASP.NET web forms app more unit testable by using some of the ASP.NET MVC objects, specifically HttpContextWrapper. I've seen examples of its usage and they always create a new object. I disassembled the source with Reflector and see all it does is store the passed HttpContext. But I was curious as to whether or not it's safe to always create a new instance of HttpContextWrapper or follow the singleton pattern somehow? Below is the class I'm using in my app

public static class AppHttpContext {
public static HttpContextBase Current { get { return Getter(); } }
public static void SetContext(Func<HttpContextBase> getter) {
Getter = getter;
}
private static Func<HttpContextBase> Getter = () => new HttpContextWrapper(HttpContext.Current);
}

And I use it similar to HttpContext.Current

AppHttpContext.Current.Session["blah"] = "something";

View 1 Replies

Is It Safe To Use An HttpModule For Localization

Feb 10, 2011

I'm considering making use of an HttpModule for localization purposes (based on the example in this article) - but I'm curious, is this safe?

Here's the code, for reference:

public class CookieLocalizationModule : IHttpModule
{
public void Dispose()
{
}

[code]....

I was under the impression that multiple threads could potentially service a web request. Is it safe to set the Current/Current UI Cultures in an HttpModule like this and have it respected for the life of the web request regardless of how many threads are involved in servicing it?

View 1 Replies

C# - Type Safe Objectdatasources?

Jan 23, 2011

Is there any way to make asp.net objectdatasources to be type safe. Meaning I get a compile time error if parameters or datatypes change during refactoring?Does anyone know any other method? Or can recommend any other way to do it? I find manual binding tedious. What is other people doing?

View 1 Replies

SQL Server :: What If Multiple Output Parameters And Input Parameters And Also Want A Select Table

Feb 16, 2011

[Code]....

When I want to get the output values its okay but I also want returning a table as a result data.But Datareader has no rows.is it possible if I want a returning query result and multiple output values togather ?I wrote a test above.I can get output values as sqlparameters. But Datareader attached to a Gridview is empty.can you detect whats wrong here and it doesnt return a query result.So stored procedure is not standart or ı am doing something wrong.this doesnt raise any exception.but not returning any data.

[code]....

View 8 Replies

How To Define A Route That Have 2 Optional Parameters In The Middle Of The URL The Start An End Parameters Are Digits

Jun 7, 2010

I want to define a route that have 2 optional parameters in the middle of the URL the start an end parameters are digits

[Code].....

View 1 Replies

Enabling CLR On SQL SERVER 2005 Is Safe?

Mar 30, 2011

I am toying with the idea of enabling CLR on my SQL server, using EXEC sp_configure 'clr enabled', 1

However, I am sharing my database server with several other developers and their projects. I've heard vaguely that their might be security issues with enabling this.

Does anyone know what these issues might be? Is CLR safe to use on SQL Server?

View 1 Replies

Asp.net -safe To Store In Custom IIdentity?

Jul 8, 2010

I have created a custom Iidentity object to store specific user settings for logged in users. I was wondering is it safe to store sensitive data like userid's or other id's in the object? Is there any security risk to doing so? Also, how much is too much to store in the object?

View 1 Replies

Is It Safe To Use One Entity Framework Context Per Thread

Mar 30, 2011

Probably these are two questions in one, I am using one EF context per request, but I want to use one per thread, because I am going to make some complex task in another thread during the request. So, is it safe? If the answer is yes, how to do it? how to store objects in thread and get them back?

View 2 Replies

Web Forms :: Is Authentication With Session State Is Safe Enough

Apr 27, 2010

if i write this for example,

if session("authenticated") = ""
response.redirect("default.aspx")
end if

is it safe enough or should i encrypt it?

View 2 Replies

Safe To Use Request.ApplicationPath For Cookie Path

Mar 25, 2010

Is it safe to use such code?

Response.Cookies[cookieName].Path = Request.ApplicationPath + "/";

I want to know about all corner cases.

View 3 Replies

C# Thread Safe Static Read Only Field?

Mar 2, 2010

I have the following code in my ASP.NET project

public sealed class IoC
{
private static readonly IDependencyResolver resolver =
Service.Get("IDependencyResolver") as IDependencyResolver;
static IoC()
{
}
private IoC()

[Code]....

View 2 Replies







Copyrights 2005-15 www.BigResource.com, All rights reserved