Database Code Generator
-
I haven't read the article, but what I did, I passed it to another string. For example, stringName = textBox.Txt; I don't see the difference
Yeah... that does nothing. You need to sanitize user input and that article will explain how. The problem is if something like this happens... The user enters "'); DELETE FROM TableName WHERE 0 = 0;" into your text box then the sql statement becomes:
INSERT INTO TableName(FieldName) VALUES(''); DELETE FROM TableName WHERE 0 = 0;');That means it inserts an empty string into the column and then deletes all rows from the table. -
I haven't read the article, but what I did, I passed it to another string. For example, stringName = textBox.Txt; I don't see the difference
mfcuser wrote:
stringName = textBox.Txt; I don't see the difference
That is still dangerous. Read Colin's article that Pete referred to :)
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
mfcuser wrote:
stringName = textBox.Txt; I don't see the difference
That is still dangerous. Read Colin's article that Pete referred to :)
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
There is nothing wrong with getting user input directly if you sanitise it (which you will still need to do with databinding) and use parameterised queries. See the article, it explains how to go from injecting values directly into a SQL Statement to using parameterised queries.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
-
mfcuser wrote:
I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
mfcuser wrote:
I will start to use databinding rather than getting user input directly
It's not a matter of how you get the user input, but a matter of what the user inputs into the text box that is the security concern. Like Colin said in his post below, you still need to sanitize the input.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
I still have a problem with sanitization. Assume that the user is going to insert or update a field from a table. The user types something on the textbox. The word or phrase the user types can be anything like "word, letter, number, especial charater or a mixture". There is no way I can determine that in advance. So how can I sanitize that?
-
I still have a problem with sanitization. Assume that the user is going to insert or update a field from a table. The user types something on the textbox. The word or phrase the user types can be anything like "word, letter, number, especial charater or a mixture". There is no way I can determine that in advance. So how can I sanitize that?
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it, the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries but it is worth it from a security stand point.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Use parameterized queries as stated in Colin's article and you don't have to worry about doing it, the parameterized query will do this behind the scenes for you. It may be extra coding to do the parameterized queries but it is worth it from a security stand point.
Some people have a memory and an attention span, you should try them out one day. - Jeremy Falcon
-
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
mfcuser wrote:
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You shuould take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't - neither is it to be considered a good way to code either) but it will teach you a fair bit about what is going on under the hood.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
-
mfcuser wrote:
Assume that I use DataBindings with a textbox to update a table. I assume that I don't need to use the INSERT INTO sql statement.
Yes, you will. How else is it going to get into the database? All the databinding and funky wizards that Visual Studio provides hide a lot of the actual functionality. You shuould take a look at the code the wizards produce. It isn't the nicest thing to read (generated code often isn't - neither is it to be considered a good way to code either) but it will teach you a fair bit about what is going on under the hood.
Upcoming Scottish Developers events: * We are starting a series of events in Glasgow in 2007. Are you interested in a particular subject, or as a speaker? * Developer Day Scotland: are you interested in speaking or attending? My: Website | Blog | Photos
Colin Angus Mackay wrote:
look at the code the wizards produce. It isn't the nicest thing to read
Yep, that sure is the truth :)
If you try to write that in English, I might be able to understand more than a fraction of it. - Guffa