Xamarin - Android Connect to SQL Server via WIFI
-
Hi everybody, I am a newbie to XAMARIN and working in XAMARIN (VS-2019) on a sample Android app to connect to an SQL Server 2014 database to perform CRUD actions using a direct ADO SqlClient connection, and did all remote connection configurations on my server such as: enabling TCP/IP, setting exception rules on the Firewall (1433 for TCP and 1434 for UDP, a program exception for SQL Server, and a program exception for SQL Browser), so all fine. Actually my application seemed to be working on the emulator in debug, but not when published on a real Android device: my application just ignores my request and goes back to the Main activity. Could someone help me out please? This is my code:
public void InsertUser()
{
    try
    {
        // Connection string; the server address is masked by the poster
        string dbstring = @"data source=xxx.xx.xx.xx,1433;initial catalog=MyDatabase;user id=XamarinUser;password=myPassword;Connect Timeout=10";
        SqlConnection Con = new SqlConnection(dbstring);
        if (Con.State == ConnectionState.Open) { Con.Close(); }   // a freshly created connection is never open, so this check never fires
        Con.Open();
        // SQL text built by concatenating the form fields directly into the statement
        SqlCommand cmd = new SqlCommand("INSERT INTO tblUSERS (Username, Password, Email, Active) VALUES ('" + txtUserName.Text + "','" + password1.Text + "','" + txtEmail.Text + "',0);", Con);
        cmd.ExecuteNonQuery();
        Con.Close();
        Con = null;
        cmd = null;
        this.Dismiss();
    }
    catch (Exception)
    {
        // The original exception (and with it the real connection error seen on the device) is discarded here
        throw new Exception("Application run into errors. Please contact us.");
    }
}
-
Your code is vulnerable to SQL Injection. NEVER use string concatenation to build a SQL query. ALWAYS use a parameterized query.
Everything you wanted to know about SQL injection (but were afraid to ask) | Troy Hunt
How can I explain SQL injection without technical jargon? | Information Security Stack Exchange
Query Parameterization Cheat Sheet | OWASP
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
You're also storing passwords in plain text. Don't do that.
Secure Password Authentication Explained Simply
Salted Password Hashing - Doing it Right
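Putting the two replies together (parameterized query plus salted password hashing) in an added C# example that is not code from the thread: the PasswordHash/PasswordSalt columns, the size and iteration constants, and the connection string passed in are assumptions, and the Rfc2898DeriveBytes overload that takes a HashAlgorithmName needs .NET Standard 2.0 or later.

```csharp
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Assumed schema: tblUSERS has VARBINARY columns PasswordHash and PasswordSalt
// in place of the plain-text Password column used in the question.
public static class UserStore
{
    const int SaltSize = 16, HashSize = 32, Iterations = 100_000;

    // Salted PBKDF2-SHA256: a fresh random salt per user, stored beside the hash.
    public static (byte[] salt, byte[] hash) HashPassword(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return (salt, kdf.GetBytes(HashSize));
    }

    // Re-derive with the stored salt and compare in constant time.
    public static bool VerifyPassword(string password, byte[] salt, byte[] expectedHash)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
        {
            byte[] actual = kdf.GetBytes(expectedHash.Length);
            int diff = 0;
            for (int i = 0; i < actual.Length; i++) diff |= actual[i] ^ expectedHash[i];
            return diff == 0;
        }
    }

    // Parameterized insert: user input travels as typed parameter values, never
    // as part of the SQL text, so it cannot change the statement's structure.
    public static int InsertUser(string connectionString, string username, string password, string email)
    {
        var (salt, hash) = HashPassword(password);
        const string sql = "INSERT INTO tblUSERS (Username, PasswordHash, PasswordSalt, Email, Active) "
                         + "VALUES (@Username, @PasswordHash, @PasswordSalt, @Email, 0);";
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, con))
        {
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@PasswordHash", SqlDbType.VarBinary, HashSize).Value = hash;
            cmd.Parameters.Add("@PasswordSalt", SqlDbType.VarBinary, SaltSize).Value = salt;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            con.Open();
            return cmd.ExecuteNonQuery();   // rows affected, 1 on success
        }
    }
}
```

Login then reads PasswordHash and PasswordSalt for the submitted username and calls VerifyPassword; the plain-text password is never stored or compared.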