How To Type Safe SQL Parameters And Update
		
			Feb 1, 2010
I have been in the process of updating my code with security methods, and I've been learning this from [URL] (or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".
Now, what they suggested was to use code like:
 
DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........
But, I was already using code like:
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("someVal", val);
 
So now, to use type safe parameters, I decided to include it like:
 
var dataSource = (SqlDataSource)form1.FindControl("sqlDataSource5");
dataSource.UpdateParameters.Add("@someVal", DbType.Int16, val);
dataSource.UpdateParameters["@someVal"].Size = 1;
 
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
 
Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this suggests that it should apply to unfiltered input. Also, in their example they only did this for an ID.
 
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or shall even filtered input have this (just to be sure), like input that has been run through a regular expression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
 
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources? If my fears serve true, what would be a good suggestion of how I could implement this properly without having to worry about what I said?
	View 1 Replies
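As an added example (not code from this post or from the MSDN guideline it cites), here is the pattern applied with SqlCommand in C#: every parameter, not only the ID, is declared with an explicit SqlDbType and size, and the value is bound separately from the SQL text, so a value can never change the structure of the statement. The Members table and its column names are taken from another thread on this page; the connection-string name, the NVarChar size of 50 and the admin-level range are assumptions for illustration.

```csharp
// Added example: type-safe SqlClient parameters for an UPDATE.
// Table/column names follow the "Members" snippet elsewhere on this page;
// the connection-string name, sizes and range rule are assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class MemberUpdates
{
    // Parameterized statement: placeholders are bound by the provider, never
    // spliced into the text. What to avoid is string building such as
    //   "... WHERE UserID = " + rawUserId
    // because the value itself then becomes part of the SQL.
    private const string UpdateSql =
        "UPDATE Members SET UserName = @newName, AdminLevel = @userLevel WHERE UserID = @userid";

    // Declares an explicit SqlDbType (and size for the string) for every
    // parameter, not only the ID. Returns the command so the caller owns it.
    public static SqlCommand BuildUpdateCommand(SqlConnection conn, int userId, string newName, short adminLevel)
    {
        var cmd = new SqlCommand(UpdateSql, conn);
        cmd.CommandType = CommandType.Text;

        // 50 is an assumed column width; match it to the real column length so
        // overlong input is rejected by the provider instead of silently stored.
        cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
        cmd.Parameters.Add("@userLevel", SqlDbType.SmallInt).Value = adminLevel;
        cmd.Parameters.Add("@userid", SqlDbType.Int).Value = userId;
        return cmd;
    }

    // Opens the connection, runs the UPDATE and returns the rows affected
    // (0 means no row had that UserID). Both objects are disposed on any path.
    public static int UpdateMember(string connectionString, int userId, string newName, short adminLevel)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildUpdateCommand(conn, userId, newName, adminLevel))
        {
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Input-boundary check for the numeric fields. Validation (TryParse or a
    // regular expression) is about data quality; parameterization is about
    // query safety. They are complementary: the parameter stays typed either way.
    public static bool TryParseUpdateRequest(string rawUserId, string rawLevel,
                                             out int userId, out short adminLevel)
    {
        adminLevel = 0;
        bool ok = int.TryParse(rawUserId, out userId) && short.TryParse(rawLevel, out adminLevel);
        // Upper bound of 10 is an assumed business rule, not something from the page.
        return ok && userId > 0 && adminLevel >= 0 && adminLevel <= 10;
    }
}
```

Two points the code illustrates that the question raises. If a raw form string that is not a number is assigned to the SqlDbType.Int parameter, ExecuteNonQuery fails with a conversion exception; the text is never interpreted as SQL, which is the protection the guideline describes. And binding a parameter is a cheap client-side operation, while SQL Server can reuse the cached plan for a parameterized statement across calls that differ only in their values, so applying it to every column is not a meaningful extra load.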
  
    
		
Similar Messages:

        Jan 12, 2011
        For example, this is the code that I am using:
String commandString = "UPDATE Members SET UserName = @newName , AdminLevel = @userLevel WHERE UserID = @userid";
using (SqlConnection conn = new SqlConnection(ConfigurationManager.ConnectionStrings["sqlconnectionstring"].ConnectionString))
using (SqlCommand cmd = new SqlCommand(commandString, conn))
{
    // Typed parameters: the provider binds each value by its declared type, so the
    // input is never spliced into the SQL text. The NVarChar size (50) is an
    // assumed column width; match it to the real column definition.
    cmd.Parameters.Add("@newName", SqlDbType.NVarChar, 50).Value = newName;
    cmd.Parameters.Add("@userLevel", SqlDbType.Int).Value = userLevel;
    cmd.Parameters.Add("@userid", SqlDbType.Int).Value = userid;
    conn.Open();
    // An UPDATE returns no result set: ExecuteNonQuery replaces ExecuteReader
    // and the undefined "Reader" variable.
    cmd.ExecuteNonQuery();
}
View 3 Replies

        Mar 15, 2011
I've been reading a bit about SQL injection and I want to be sure my code is, let's say, "safe" from it. I was planning on using RegExp validators to check the user input, but another post in here suggested only using parametrized queries. Well, I'm using them, but I want to be sure my code is safe. Is it?
[code]....
View 3 Replies

        Jan 23, 2011
Is there any way to make ASP.NET ObjectDataSources type safe, meaning I get a compile-time error if parameters or datatypes change during refactoring? Does anyone know any other method, or can recommend any other way to do it? I find manual binding tedious. What are other people doing?
View 1 Replies

        May 10, 2010
I searched a lot of threads but still couldn't get my problem fixed. I have to update the "regform" table with two fields: session_ and session2. These two fields are inside the DetailsView EditItemTemplate, bound to the dropdown lists drpsession1 and drpsession2 respectively. I want to pass the update parameters to the update SQL: UPDATE dbo.regform SET session_=@session_, session2=@session2 where id=@id
The @session_ is bound to drpsession1 and @session2 is bound to drpsession2. I used
ControlID="ctl00$ContentPlaceHolder1$DetailsView1$drpsession1" to access the dropdown list within the DetailsView, but still couldn't do the updates. What's wrong with my code? Do I have to use the code-behind to specify the update parameters, and how do I do it? TIA.
<asp:DetailsView ID="DetailsView1" runat="server" AutoGenerateRows="False"
    DataSourceID="SqlDataSource2" Height="50px" Width="544px" DataKeyNames="id"
    ondatabound="DetailsView1_DataBound">
    <Fields>
        <asp:TemplateField HeaderText="Session -Part I" SortExpression="session_">
            <EditItemTemplate>
                <asp:DropDownList ID="drpsession1" runat="server" DataSourceID="SqlDataSource3"
                    DataTextField="session_time" DataValueField="session_id"
                    SelectedValue='<%# Bind("session_") %>' AppendDataBoundItems="True" Width="229px">
                    <asp:ListItem Text="Please select" Value="-1" />
                </asp:DropDownList>
                <asp:SqlDataSource ID="SqlDataSource3" runat="server"
                    ConnectionString="<%$ ConnectionStrings:Connstr %>"
                    SelectCommand="SELECT dbo.sessions.* FROM dbo.sessions"></asp:SqlDataSource>
            </EditItemTemplate>
        </asp:TemplateField>
        <asp:TemplateField HeaderText="Session - Part II" SortExpression="session2">
            <EditItemTemplate>
                <asp:DropDownList ID="drpsession2" runat="server" DataSourceID="SqlDataSource4"
                    DataTextField="session_time" DataValueField="session_id"
                    SelectedValue='<%# Bind("session2") %>' AppendDataBoundItems="True" Width="234px">
                    <asp:ListItem Text="Please select" Value="-1" />
                </asp:DropDownList>
                <asp:SqlDataSource ID="SqlDataSource4" runat="server"
                    ConnectionString="<%$ ConnectionStrings:Connstr %>"
                    SelectCommand="SELECT dbo.sessions2.* FROM dbo.sessions2">
                </asp:SqlDataSource>
            </EditItemTemplate>
        </asp:TemplateField>
    </Fields>
</asp:DetailsView>
<asp:SqlDataSource ID="SqlDataSource2" runat="server"
    ConnectionString="<%$ ConnectionStrings:Connstr %>"
    UpdateCommand="UPDATE dbo.regform SET session_=@session_, session2=@session2 where id=@id">
    <UpdateParameters>
        <asp:ControlParameter ControlID="ctl00$ContentPlaceHolder1$DetailsView1$drpsession1"
            Name="session_" PropertyName="SelectedValue" Type="String" />
        <asp:ControlParameter ControlID="ctl00$ContentPlaceHolder1$DetailsView1$drpsession2"
            Name="session2" PropertyName="SelectedValue" Type="String" />
        <asp:ControlParameter ControlID="DetailsView1" Name="id" PropertyName="SelectedValue" />
    </UpdateParameters>
</asp:SqlDataSource>
View 2 Replies

        Oct 14, 2010
I have a function that checks for a username, and if it finds the username it will allow the user to update the user. There are 3 main columns: Name, Age, isFemale. I have the end user supply the information and then I try to update the record, but I get a SQL error for "not a valid" column. Console app:
[Code]....
I pass the spIsFemale by using an enum, here is the Person Class with function.
[Code]....
I get an error that column isFemale is not valid. The isFemale column is a bit type: if it's 1 it's female, if 0 male. This is more of a test area and I'm trying to update records or create new ones if the name does not exist. I am new to C# and I am just trying to learn new ideas and methods within C#.
View 2 Replies

        Mar 24, 2010
I was looking at the options in IntelliSense for the properties used with a parameter for the ObjectDataSource. There is one that I don't understand how it would be used. Can someone explain, or recommend an article about, what the DbType property is for and how it would be used?
View 2 Replies

        Feb 14, 2011
        I want to create a function which would have two parameters 
public **XYZ** GetOputput(string strToConvert, **ABC**)
What I want from this function, that I will send a string to this function and the datatype in which I want to convert this string [Ex: Int32,Int64, datetime etc..] and the return will be the same as the datatype I have sent as the input parameter.
I want to have something like this in my function:
[code]....
View 5 Replies

        Jul 15, 2010
I have a page which submits a form in my local system, but in my production system when I click my submit button it just freezes, with the error in my web developer toolbar saying: Error: Sys.WebForms.PageRequestManagerServerErrorException: When calling stored procedures and 'Use Procedure Bodies' is false, all parameters must have their type explicitly set.
View 1 Replies

        Jun 22, 2010
I am trying to write a function that can be called to run a stored procedure. I pass the stored procedure name, followed by as many parameters as I need to run the procedure. I am able to do this by using the params keyword, so my function looks something like this:
[Code]....
How can I determine what the data type of the parameter is? Maybe I need to alter the string[] part, above? 
View 5 Replies

        Apr 22, 2010
        [code]....
The Select method returns an array of strings. But how do I make the selected node for the edit/delete methods get this string (userName)?
For methods like:
[DataObjectMethod(DataObjectMethodType.Delete, true)]
static public DeleteMember(...
View 1 Replies

        Mar 1, 2011
        I am using a ListView and would like to implement the switch from read only mode to edit mode for a ListView item on the client side. Some of this is discussed at: Inline form editing on client side
I am trying to do this by something like:
[Code]....
switchState is a JavaScript function that simply hides/shows the DIVs with the readonly and edit class names. In LinkButtonSave_Click I get the value from TexBoxName, but it always contains the bound original value and not the edited value that was entered in the textbox.
Does ASP.NET not postback the textbox value because it is in the ItemTemplate or is it something else that's causing this problem? Could I use a Repeater instead to accomplish this?
View 1 Replies

        Feb 16, 2010
http://msdn.microsoft.com/en-us/library/ms178538(VS.80).aspx ? I tried it and got the error below when clicking the Update button in the DetailsView:
'/CaseExamples' 응용 프로그램에 서버 오류가 있습니다.  ==> Server error in application program
ObjectDataSource 'EmployeeDetailsObjectDataSource'에서 매개 변수 (LastName, FirstName, Address, City, Region, PostalCode, original_FirstName, original_LastName, original_Address, original_City, original_Region, original_PostalCode, original_EmployeeID)를 사용하는
  네릭이 아닌 UpdateEmployee' 메서드를 찾을 수 없습니다.
View 3 Replies

        Jan 8, 2011
Does anyone know how to update the parameters in the GeneratedImage from code-behind? The markup for the control is as follows:
<cc2:GeneratedImage ID="GeneratedImage2" ImageHandlerUrl="PhotoHandler.ashx" runat="server" Height="100" BorderWidth="1" BorderColor="Black"  AlternateText="Profile Picture"  >
<Parameters>
<cc2:ImageParameter  Name="MyImageParameter" Value= "" />
</Parameters>
</cc2:GeneratedImage>
Everything I have tried fails. I would like to update Value in the ImageParameter from C# code-behind.
View 1 Replies

        Sep 23, 2010
I have a FormView which is bound to a SqlDataSource. When a user clicks on a save button on the form, I need to write any changes made in the FormView back to the table.
I have a Stored Procedure on my MSSQL 2005 database that should be executed when the user clicks on the save button.
It appears the Update is firing, but when I trap the DbCommand object in the SQLDataSource's 'Updating' event, all of the parameters that should be passed to the Stored Procedure are coming through as NULLs. Consequently, the Stored Procedure isn't updating anything.
In the click event of the save button I'm explicitly firing the SQLDataSource's Update method:
[Code]....
The parameters in the SQLDataSource <UpdateParameters></UpdateParameters> section appear to be correct.
Can anyone give me an idea on what to investigate to figure out why it appears the Update is only picking up NULLs?
View 1 Replies

        Jun 23, 2010
I've a FormView with various fields in edit mode and an ObjectDataSource where I've defined the update parameters that my update method takes. I've set some of the fields in the edit template to read only because I only want them to display.
Unfortunately they are somehow getting passed in as update parameters to my ObjectDataSource.
So, it is generating update parameters that cause my method not to match.
How can I exclude these parameters from getting sent to update?
View 1 Replies

        Oct 18, 2010
        I have defined the following in my gridview markup (simplified):
<asp:GridView ID="grvReport" runat="server" DataSourceID="odsReport" 
AutoGenerateColumns="False" DataKeyNames="EntryDate,EmployeeNumber">
Then I define my datasource's update parameters as such:
<UpdateParameters>                                
<asp:Parameter Name="ID" Type="Int32" />
<asp:Parameter Name="IsJustified" Type="Boolean" />
[code]...
View 2 Replies

        Feb 24, 2011
I am using an EntityDataSource with a FormView in a VB.NET application. The FormView contains an AjaxControlToolkit TabContainer with multiple tabs. Due to the fact that each tab is a naming container, Bind doesn't work properly for updating values (as discovered from reading other posts on Stack Overflow). I instead have to declare UpdateParameters on my EntityDataSource. Example markup is as follows:
<asp:FormView ID="fv" runat="server" DataSourceID="eds" DataKeyNames="ID">
<EditItemTemplate>  
<asp:TabContainer ID="tc" runat="server">
<asp:TabPanel ID="tp" runat="server" HeaderText="Tab 1">
[Code]....
This works great, until a customer is edited and their name is set to nothing (assuming in this case, a null name is allowed). The Name UpdateParameter is set to Null but the ObjectStateEntry is not set to modified for Null properties, even if previously the Entity had a value specified. As long as the name is changed to something other than Null, everything is updated correctly.
I found a workaround by putting the following code in the Updating event of the EntityDataSource.
Dim ose As ObjectStateEntry = context.ObjectStateManager.GetObjectStateEntry(action)
For Each p As Parameter In eds.UpdateParameters
ose.SetModifiedProperty(p.Name)
Next
This makes sure that each property in the UpdateParameters has its state set to modified. It works, but it seems like a hack and I can see it causing problems down the road. Is there anything else I could do?
View 1 Replies

        Sep 14, 2010
Got a problem with regard to the file upload control on database updates. The problem is in my CMS: when a user tries to update content for a page, it will add null to the fields containing the image path. What I need is for the system to check if the uploader has no image and, if it hasn't, to do nothing. It can't add empty strings or null values as this will remove the original image path, although they still need to be able to do image updates if the uploader has a file (this bit's not a problem).
Here is a snippet of code to demonstrate what I'm trying to achieve.
[Code]....
View 1 Replies

        Nov 30, 2010
When I specify values in my update query the query works fine and the database gets updated, but when I use parameters in my query the database does not update. Here is the code I have written:
try
{
    using (OdbcConnection MyConnection = new OdbcConnection(ConfigurationManager.ConnectionStrings["myconn"].ConnectionString))
    {
        MyConnection.Open();
        // The ODBC data provider does not recognise named parameters such as @jud1;
        // it only supports positional "?" placeholders, bound in the order in which
        // the parameters are added to the collection.
        String MyString = "UPDATE orddetpabak SET jud1=?,jud2=?,jud3=?,adv=? where fil_no=? AND orderdate=?";
        OdbcCommand MyCmd = new OdbcCommand(MyString, MyConnection);
        String j1 = DropDownList4.SelectedValue;
        String j2 = DropDownList5.SelectedValue;
        String j3 = DropDownList6.SelectedValue;
        String j4 = TextBox4.Text;
        String j5 = HiddenField1.Value;
        String j6 = TextBox3.Text;
        // The names are ignored by ODBC; only the order matters, and it must
        // match the order of the "?" markers in MyString.
        MyCmd.Parameters.AddWithValue("@jud1", j1);
        MyCmd.Parameters.AddWithValue("@jud2", j2);
        MyCmd.Parameters.AddWithValue("@jud3", j3);
        MyCmd.Parameters.AddWithValue("@adv", j4);
        MyCmd.Parameters.AddWithValue("@fil_no", j5);
        MyCmd.Parameters.AddWithValue("@orderdate", j6);
        Response.Write(DropDownList4.SelectedValue);
        Response.Write("    " + DropDownList5.SelectedValue);
        Response.Write("    " + DropDownList6.SelectedValue);
        Response.Write("    " + TextBox4.Text);
        Response.Write("    " + HiddenField1.Value);
        Response.Write("    " + TextBox3.Text);
        MyCmd.ExecuteNonQuery();
    }   // the using block closes the connection even if ExecuteNonQuery throws
}
catch (Exception epp)
{
    Response.Write(epp);
}
View 1 Replies

        Mar 9, 2010
        I have a ListView where I am trying to implement Updating. My update parameters are not sent to update command correctly. The value sent is the original value and ignores what I type into the EditItemTemplate. Running a trace on my SQL Server verifies this. In this example, I am only trying to modify [dedamt]. What is wrong?
[Code]....
View 11 Replies

        Mar 27, 2011
I have a GridView which takes data from a stored procedure with some in-parameters.
How do I change the stored procedure's in-parameter values for the SqlDataSource and update the GridView on button click?
View 4 Replies

        Jun 14, 2010
I have a SQL datasource hooked to a GridView. When I submit my updated row, the update parameters fill with the original values instead of the new values. Am I doing something wrong? I have tried to handle everything in the HTML and not code any parameter settings. All my update parameters are called the same as the fields in my GridView, and I use a prefix in front of the parameter names in my UpdateCommand, in my case : (instead of @) since I use Oracle.
View 1 Replies

        Mar 22, 2011
I have an ASP.NET GridView control on my page with several fields and a couple of command fields. However, the update command is giving me problems.
Here is what works. The update command works provided I put straight text into the textboxes that appear. I even have one field that contains a dropdown list which works fine.
Here's the problem. I have two fields that need to access their value programmatically. These fields will reflect the current datetime and the current logged-in user from Active Directory. I have already created public strings in the C# code.
When I run the edit command on the ASP form the grid uses one "DataKeyNames" element. With this the grid can update the selected row. However, I haven't been able to access it programmatically in the C# code. I can access the selected row in the "selectedindexchanged" event, but then I am not able to update my fields in the GridView itself. So, part one of my question is how do I access the "DataKeyNames" properties of a GridView control.
If I can't access the "DataKeyName" property, perhaps I could set the label nested within the GridView to the "myCurrentUser()" public string. I am inserting my code to hopefully make this clearer.
	View 2 Replies