single quote error in SQL
-
Hi, I am getting an error in a SQL UPDATE statement when the user enters a single quote character in a textbox. I used the following regex to remove the single quote before submitting to the SQL UPDATE statement. But SQL is still catching that single quote every time, even after filtering with the regex. Very puzzling. Can you tell me why this is happening?

string question = rtxtInterViewQuestionSTAR.Text.Replace("\'", "").Trim();
// second pass with Regex, reusing the variable declared above
question = Regex.Replace(question, "\'", "", RegexOptions.Singleline | RegexOptions.Multiline).Trim();
UpdateCommand.CommandText = @"UPDATE star_interview_qa SET question ='" + question
    + "', strategy = '" + strategy
    + "', situation_task = '" + situation
    + "', action = '" + action
    + "', result = '" + result
    + "', sequence_no = " + sequence_noTextBoxSTAR.Text
    + " WHERE (id=" + lblIDqASTAR.Text + ")";

thanks and regards EMRAN
-
emran834 wrote:
I am getting an error in SQL UPDATE statement when user enters single quote character in textbox
This is a symptom of code that is highly susceptible to a SQL Injection Attack, a way that a malicious user could attack your database through the application. You may want to read SQL Injection Attacks and Tips on How to Prevent Them[^]. The above article will explain why this happens, and how to fix it and improve the security of your application's database access. ColinMackay.net "Man who stand on hill with mouth open will wait long time for roast duck to drop in." -- Confucius "If a man empties his purse into his head, no man can take it away from him, for an investment in knowledge pays the best interest." -- Joseph E. O'Donnell
-
I think you'd better use parameters. :-D
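As an added illustration of the advice in this thread (this is not code from the original poster or from Colin's article), here is the UPDATE from the first post rewritten with ADO.NET parameters. With parameters, a single quote in any of the textboxes is carried to the server as data rather than spliced into the SQL text, so the quote-stripping Replace and Regex calls are no longer needed, and the two numeric fields (sequence_no and id), which the original also concatenated as raw text, are parsed into integers first. The connection object, the SqlCommand/SqlClient provider and the column types are assumptions; the table and column names come from the original post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumed: SQL Server via ADO.NET

public static class StarInterviewRepository
{
    // Added example: the same UPDATE as in the original post, but every user-supplied
    // value is bound as a parameter instead of being concatenated into the SQL string.
    public static int UpdateStarAnswer(SqlConnection conn, int id, string question,
        string strategy, string situation, string action, string result, int sequenceNo)
    {
        const string sql =
            "UPDATE star_interview_qa " +
            "SET question = @question, strategy = @strategy, situation_task = @situation, " +
            "    action = @action, result = @result, sequence_no = @sequence_no " +
            "WHERE id = @id";

        using (var cmd = new SqlCommand(sql, conn))
        {
            // Column types are assumed (NVARCHAR text, INT for sequence_no and id).
            cmd.Parameters.Add("@question", SqlDbType.NVarChar).Value = question ?? string.Empty;
            cmd.Parameters.Add("@strategy", SqlDbType.NVarChar).Value = strategy ?? string.Empty;
            cmd.Parameters.Add("@situation", SqlDbType.NVarChar).Value = situation ?? string.Empty;
            cmd.Parameters.Add("@action", SqlDbType.NVarChar).Value = action ?? string.Empty;
            cmd.Parameters.Add("@result", SqlDbType.NVarChar).Value = result ?? string.Empty;
            cmd.Parameters.Add("@sequence_no", SqlDbType.Int).Value = sequenceNo;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;

            // Returns the number of rows affected; 0 means no row had that id.
            return cmd.ExecuteNonQuery();
        }
    }

    // Hypothetical call site using the control names from the original post.
    // The numeric textboxes are validated here instead of being pasted into the SQL.
    public static int UpdateFromForm(SqlConnection conn,
        string questionText, string strategy, string situation, string action, string result,
        string sequenceNoText, string idText)
    {
        if (!int.TryParse(idText, out int id))
            throw new ArgumentException("id is not a whole number", nameof(idText));
        if (!int.TryParse(sequenceNoText, out int sequenceNo))
            throw new ArgumentException("sequence_no is not a whole number", nameof(sequenceNoText));

        // No Replace("\'", "") needed: a quote in questionText is stored as typed.
        return UpdateStarAnswer(conn, id, questionText.Trim(), strategy, situation,
            action, result, sequenceNo);
    }
}
```

In the form you would call UpdateFromForm(conn, rtxtInterViewQuestionSTAR.Text, strategy, situation, action, result, sequence_noTextBoxSTAR.Text, lblIDqASTAR.Text) inside the same open connection/transaction the existing UpdateCommand uses. The int.TryParse checks give the user a clear validation message for the two numeric fields rather than a SQL syntax error.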
-
Fixing that error might solve your immediate problem, but leaves your code susceptible to SQL injection attacks. Do have a look at Colin's article (link in the post above). Regards Senthil _____________________________ My Blog | My Articles | WinMacro
-
Hi Senthil, Thanks for your reply. I am developing a small-scale C# desktop user application, so I thought the user could only hack his own database, as long as it is not on a server. By the way, I read your reply about BackgroundWorker. You said it is great to work asynchronously ... But can't I work synchronously with BackgroundWorker? thanks Emran
-
emran834 wrote:
user could only hack his own database, as long as it is not on a server.
Well, I would say that regardless of how the database is being used it is good to get into the habit of coding in the way the article describes, because it is then one less thing to worry about. Also, the database may not necessarily be running in the same user account as the application. This could lead to an elevation of privilege attack via the application's use of the database. Many databases allow some sort of access to the underlying operating system, and although this can be restricted by the database administrator it often isn't, or the application logs on with all the privileges of the database administrator, which means that it is still possible to mount an elevation of privilege attack through a SQL Injection attack. In short, it is always best to defend your systems as much as possible, because neither you nor I can foresee the uses to which someone will put the application. What you feel is not a security issue may be the tiniest little gap in security that an attacker needs to widen the hole to let them have access to more and more of the system. ColinMackay.net "Man who stand on hill with mouth open will wait long time for roast duck to drop in." -- Confucius "If a man empties his purse into his head, no man can take it away from him, for an investment in knowledge pays the best interest." -- Joseph E. O'Donnell
-
emran834 wrote:
By the way, I read your reply about BackgroundWorker. You said it is great to work asynchronously ... But can't I work synchronously with BackgroundWorker?
Huh? Why would you need a component to run code synchronously? Regards Senthil _____________________________ My Blog | My Articles | WinMacro
-
Hi, I think I am a little bit confused by the meaning of the words synchronous and asynchronous. To my thinking, synchronous means the thread will be running at the same time without waiting for any other thread to complete its task. And asynchronous means the thread will wait for other threads to complete their task. Am I right?
-
Sorry. You got it backward. Synchronous means the first one talks, and the second one waits for its turn. Then the second one talks, and the first one waits. They are synchronized. Asynchronous means they are not synchronized. Either side could be talking at any time. Roy.