I have been in the process of updating my code with security methods, and I've been learning this from [URL](or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input".
Now, what was to use code like:
"DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, that this should apply to unfiltered input. Also, in their example they only did this for an ID.
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources?
I have been in the process of updating my code with security methods, and I've been learning this from [URL] (or "Security Guidelines: ASP.NET 2.0"). In the middle of the page under "When Constructing SQL Queries, Use Type Safe SQL Parameters" it says "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". Now, what they suggested was to use code like:
"DataSet userDataset = new DataSet(); SqlDataAdapter myCommand = new SqlDataAdapter(LoginStoredProcedure", connection); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);........"
So, that would be how I would modify my current code base to use type safe parameters in sql updating/inserting.
Getting to my actual question, as it was said "Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input". First off, this suggests that this should apply to unfiltered input. Also, in their example they only did this for an ID.
So, what I'd like to know, when it comes to "unfiltered input", does this mean as long as the input is unfiltered I must use type safe parameters, or even filtered input shall have this (just to be sure), like, input that has been ran through a regularexpression check? Shall I do this for all values I insert/update into the database, or just IDs and important things?
The way I see it right now is that it would be a good precaution to just do type safe checks on everything (literally) that updates/inserts into the database just to be extra safe. But, I really am unsure if this is really the best idea, because if I did, would this possibly cause overprocessing of information? Can this cause too much strain on server resources? If my fears serve true, what would be a good suggestion of how I could implement this properly without having to worry about what I said?
I been reading a bit about SQL injection and I want to be sure my code is lets say "safe" from it, I was planning on using RegExp validators to check the user input but another post in here suggested only using parametrized querys, well Im using them but I want to be sure my code is safe, is it?
Is there any way to make asp.net objectdatasources to be type safe. Meaning I get a compile time error if parameters or datatypes change during refactoring?Does anyone know any other method? Or can recommend any other way to do it? I find manual binding tedious. What is other people doing?
I searched a lot of threads but still couldn't get my problem fixed. I have to update the "regform" table with two fields: session_ and session2. These two fields are inside the detailview edititem template which bounded to dropdown list drpsession1, drpsession2 separately. I wanted to pass the update parameters to the update sql UPDATE dbo.regform SET session_=@session_, session2=@session2 where id=@id
the @session_ is bounded to a drpsession1 and @session2 is bounded to drpsession2. I used ControlID="ctl00$ContentPlaceHolder1$DetailsView1$drpsession1" to access the dropdown list within the detailview, but still couldn't do the updates. What's wrong with my code? Do I have to use the code behind to specify the update parameters? and How to do it? TIA.
I have a function that checks for a username and if it finds the username it will allow the user to update the user, there are 3 main columns: Name,Age,isFemale. I have the enduser supply the information and then I try to update the record but I get a sql error for "not a valid" column.console app:
[Code]....
I pass the spIsFemale by using an enum, here is the Person Class with function. [Code]....
I get an error that column isFemale is not valid. The isFemale column is a bit type. If it's a 1, it's a female, if 0 male. this is more of a test area and I'm trying to update records or create new one's if the name does not exist.II am new to C # and I am just trying to learn new ideas and methods within C sharp.
I was looking at the options in Intellisense for the properties used with a parameter for the Object Data Source. There is one that I don't understand how it would be used. explain, or recommend an article, about the DB Type is for and how it would be used?
I want to create a function which would have two parameters
public **XYZ** GetOputput(string strToConvert, **ABC**)
What I want from this function, that I will send a string to this function and the datatype in which I want to convert this string [Ex: Int32,Int64, datetime etc..] and the return will be the same as the datatype I have sent as the input parameter.
I want to have something like this in my function:
I have a page which submits a form in my local system but in my production system when i click my submit button it just freezes with the error in my web developer toolbar saying Error: Sys.WebForms.PageRequestManagerServerErrorException: When calling stored procedures and 'Use Procedure Bodies' is false, all parameters must have their type explicitly set.
I am trying to write a function that can be called to run a stored procedure. I pass the stored procedure name, followed by as many parameters as I need to run the procedure. I am able to do this by using the params keyword, so my function looks something like this;
[Code]....
How can I determine what the data type of the parameter is? Maybe I need to alter the string[] part, above?
I am using a ListView and would like to implement the switch from read only mode to edit mode for a ListView item on the client side. Some of this is discussed at: Inline form editing on client side
I am trying to do this by something like:
[Code]....
switchState is a Javascript function that simply hides/shows the DIVs with the readonly and edit classnames. In LinkButtonSave_Click I get the value from TexBoxName but it always contains the bound original value and not the edited value that was entered in the texbox.
Does ASP.NET not postback the textbox value because it is in the ItemTemplate or is it something else that's causing this problem? Could I use a Repeater instead to accomplish this?
http://msdn.microsoft.com/en-us/library/ms178538(VS.80).aspx ?I tried and got error as below, at clicking Update button in detailView
'/CaseExamples' 응용 프로그램에 서버 오류가 있습니다. ==> Server error in application program ObjectDataSource 'EmployeeDetailsObjectDataSource'에서 매개 변수 (LastName, FirstName, Address, City, Region, PostalCode, original_FirstName, original_LastName, original_Address, original_City, original_Region, original_PostalCode, original_EmployeeID)를 사용하는 네릭이 아닌 UpdateEmployee' 메서드를 찾을 수 없습니다.
I have a FormView which is bound to an SQLDataSource. When a user clicks on a save button the form, I need to write any changes made to the FormView back to the table.
I have a Stored Procedure on my MSSQL 2005 database that should be executed when the user clicks on the save button.
It appears the Update is firing, but when I trap the DbCommand object in the SQLDataSource's 'Updating' event, all of the parameters that should be passed to the Stored Procedure are coming through as NULLs. Consequently, the Stored Procedure isn't updating anything.
In the click event of the save button I'm explicitly firing the SQLDataSource's Update method:
[Code]....
The parameters in the SQLDataSource <UpdateParameters></UpdateParameters> section appear to be correct.
Can anyone give me an idea on what to investigate to figure out why it appears the Update is only picking up NULLs?
I've a form view with various field in edit and an object datasource where I've defined my update parameters that my update method takes. I've set some of the fields in the edit template to read only because I want them to display.
Unfortunately they are getting passed in as update parameters somehow to my objectdatasource. So, it is generating update parameters that causes my method to not match.
How can I exclude these parameters from getting sent to update?
I am using an EntityDataSource with a FormView on VB.NET application. The FormView contains an AjaxControlToolKit TabContains with multiple tabs. Due to the fact that each tab is a naming container, Bind doesn't work properly for updating values (as discovered from reading other posts on stackoverflow). I instead have to declare UpdateParameters on my EntityDataSource. Example markup is as follows:
This works great, until a customer is edited and their name is set to nothing (assuming in this case, a null name is allowed). The Name UpdateParameter is set to Null but the ObjectStateEntry is not set to modified for Null properties, even if previously the Entity had a value specified. As long as the name is changed to something other than Null, everything is updated correctly.
I found a workaround by putting the following code in the Updating event of the EntityDataSource.
Dim ose As ObjectStateEntry = context.ObjectStateManager.GetObjectStateEntry(action) For Each p As Parameter In eds.UpdateParameters ose.SetModifiedProperty(p.Name) Next
This makes sure that each property in the UpdateParameters has its state set to modified. It works, but it seems like a hack and I can see it causing problems down the road. Is there anything else I could do?
Got a problem with regards to the file upload control on database updates. The problem is in my CMS, when a user tries to update content for a page it will add null to the fields containing the image path. What I need is for the system to check if the uploader has no image and if hasn't it has to do nothing. It can't add empty strings or null values as this will remove the original image path. Although they still need to be able to do image updates if the uploader has a file(this bits not a problem).
Here is a snipet of code to demonstrate what I'm trying to achieve.
when i specify values in my update query the query works fine and the database gets updated, but when i use parameters in my query the database does not update here is the code i have written
I have a ListView where I am trying to implement Updating. My update parameters are not sent to update command correctly. The value sent is the original value and ignores what I type into the EditItemTemplate. Running a trace on my SQL Server verifies this. In this example, I am only trying to modify [dedamt]. What is wrong?
I have a SQL datasource, hooked to a gridview. When i submit my updated row, the update parameters fills with the original values, instead of the new values. Am i doing something wrong? I have tried to handle everything in the html, and not code any parameter settings. All my update parameters are called the same as the field in my gridview, and i use a prefix infront of the parameter names in my updatecommand, in my case : (instead of @) since i use oracle.
I have a asp.net gridview control on my page with several fields and a couple of command fields. However, the update command is giving me problems.
Here is what works. The update command works provided I put straight text into the textboxes that appear. I even have one field that contains a dropdown list which works fine.
Here's the problem. I have two fields that need to access their value programmatically. These fields will reflect the current datetime and the current loggedin user from active directory. I have already created public strings in the C# code.
When I run the edit command on the asp form the grid uses one "DataKeyNames" element. With this the grid can update the selectedrow. However, I haven't been able to access it programmatically in the C# code. I can access the selectedrow in the "selectedindexchanged" event but then I am not able to update my fields in the gridview itself. So, part one of my question is how to I access the "DataKeyNames" properties of a gridview control.
if I can't access the "DataKeyName" property perhaps I could set the label nested within the gridview to the "myCurrentUser()" public string. I am inserting my code to hopefully make this clearer.
