Bytes | Software Development & Data Engineering Community

Avoiding SQL Injection with FormView controls

I am using formview controls to insert/update info into my tables.

I'm worried about SQL injection.

How do you recommend I overcome this issue?

In the past I've called a custom cleanup routine like this:
Public Function CleanUpText(ByVal TextToClean As String) As String
    TextToClean = TextToClean.Replace(";", ".")
    TextToClean = TextToClean.Replace("*", " ")
    TextToClean = TextToClean.Replace("=", " ")
    TextToClean = TextToClean.Replace("'", " ")
    TextToClean = TextToClean.Replace("""", " ")
    TextToClean = TextToClean.Replace("1=1", " ")
    TextToClean = TextToClean.Replace(">", " ")
    TextToClean = TextToClean.Replace("<", " ")
    TextToClean = TextToClean.Replace("<>", " ")
    TextToClean = TextToClean.Replace("null", " ")
    TextToClean = TextToClean.Replace("delete", "_delete")
    TextToClean = TextToClean.Replace("remove", "_remove")
    TextToClean = TextToClean.Replace("copy", "_copy")
    TextToClean = TextToClean.Replace("table", "_table")
    TextToClean = TextToClean.Replace("drop", "_drop")
    TextToClean = TextToClean.Replace("select", "_select")
    TextToClean = TextToClean.Replace("user", "_user")
    TextToClean = TextToClean.Replace("create", "_create")

    Return TextToClean
End Function

What do you think of this method? Is it cludgey???
Jun 27 '08 #1


If you want to avoid SQL injection use parameters.

LS

Jun 27 '08 #2
Hi Cirene,

Here's how to prevent it - http://msdn.microsoft.com/en-us/library/ms998271.aspx

And with agreement of Lloyd, what is your function for? :)

Regards, Alex

Jun 27 '08 #3
Hi Cirene,

You don't need to waste your time writing "CleanUpText" like methods; use
parameters instead, as they take care of SQL injection internally (one of many
advantages of using parameters):

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(ConnectionString))
{
    using (SqlCommand command = new SqlCommand("SELECT * FROM Table WHERE Id = @Id", connection))
    {
        // The value is sent as a typed parameter; it never becomes part of the SQL text.
        command.Parameters.Add("@Id", SqlDbType.Int).Value = 1;
        connection.Open();

        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                int value1 = (int) reader["Column1"];
                // etc.
            }
        }
    }
}

HTH
--
Milosz
Jun 27 '08 #4

So how exactly does using parameters prevent injection, i.e. what does the
code in command.Parameters.Add do?

Jaez

Jun 27 '08 #5
Is the "automatic" way (using the GUI) just as safe as a stored proc, or
should I validate extra to be safe? (Ex: drop a GridView on the form, create a SQL
Data Source with the wizard, etc...)


Jun 27 '08 #6
Parameters protect against sql injection because the parameter value is
passed to the sql server. The server uses the parameter value directly when
processing the query, and does not just substitute the parameter into the
sql statement text. Data values that would enable sql injection will instead
either cause query errors or where clause matching failure.

Jun 27 '08 #7
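As an added example (not code from the thread), the two approaches are run side by side on a SQLite database in Python: a port of Cirene's CleanUpText blacklist spliced into the query text, versus the parameterized query that Milosz's snippet and the reply above describe. The customers table and the names in it are constructed for the demonstration; they are chosen so that they collide with the blacklist the way real data does.

```python
import sqlite3

# Port of the thread's VB.NET CleanUpText blacklist, reproduced here (same
# replacement order as the post) so both approaches can be compared on one input.
BLACKLIST = [
    (";", "."), ("*", " "), ("=", " "), ("'", " "), ('"', " "), ("1=1", " "),
    (">", " "), ("<", " "), ("<>", " "), ("null", " "),
    ("delete", "_delete"), ("remove", "_remove"), ("copy", "_copy"),
    ("table", "_table"), ("drop", "_drop"), ("select", "_select"),
    ("user", "_user"), ("create", "_create"),
]

def clean_up_text(text):
    for old, new in BLACKLIST:
        text = text.replace(old, new)
    return text

def make_db():
    # Constructed sample table; legitimate names that happen to contain blacklisted text.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO customers (name) VALUES (?)",
                     [("Alice",), ("O'Brien",), ("Timetable Copyist",)])
    return conn

def find_spliced(conn, name, cleanup=True):
    # The pattern CleanUpText was written for: user text spliced into the SQL string.
    value = clean_up_text(name) if cleanup else name
    sql = "SELECT name FROM customers WHERE name = '" + value + "'"
    return [row[0] for row in conn.execute(sql)]

def find_parameterized(conn, name):
    # Equivalent of command.Parameters.Add(...): the SQL text is fixed and the value
    # travels separately, so the engine can only ever compare it as data.
    rows = conn.execute("SELECT name FROM customers WHERE name = ?", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    for legit in ("O'Brien", "Timetable Copyist"):
        # The blacklist mangles real data, so the spliced lookup misses the row.
        print(legit, "->", clean_up_text(legit),
              "| spliced:", find_spliced(db, legit),
              "| parameterized:", find_parameterized(db, legit))
    hostile = "x' OR 1=1 --"
    # Without cleanup the spliced query returns every row; parameterized returns none,
    # which is the "where clause matching failure" described in the reply above.
    print("spliced, no cleanup:", find_spliced(db, hostile, cleanup=False))
    print("parameterized:", find_parameterized(db, hostile))
```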
Hi there,

Usually you use gridview, and formview in conjunction with SqlDataSource
which employs Parameters internally.

Regards
--
Milosz
Jun 27 '08 #8
