What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient. SqlCommand
With CommandObject
.Connection = myConnection
.Parameters.Cle ar()
.Parameters.Add ("@TextField ", SqlDbType.NVarC har,
50).Value = TextField
.Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value =
NumField
.Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value =
BitField
.CommandText = "INSERT [Table1]([TextField], [NumField],
[BitField]) VALUES(@TextFie ld, @NumField, @BitField);"
.ExecuteNonQuer y()
End With
2 - Dataset method
myDataRow = myDataSet.Table s(DataSetName). NewRow
myDataRow("Text Field") = TextField
myDataRow("NumF ield") = NumField
myDataRow("BitF ield") = BitField
myDataSet.Table s(DataSetName). Rows.Add(myData Row)
mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it
exposes such a massive security risk, why is it there in the first
place?
I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks! 2 1519
Fred,
SQL injection attacks can occur when an sql command is built up as a string
by concatenating sql keywords with data from a textbox, for example.
Using parameters and assigning data to the parameters prevents such attacks.
You are not showing your dataadapter's Insert, Update and Delete commands,
which are being called when the dataadapter's Update method is called.
If you examine the adapter's Insert, Update and Delete commands you should
see that they are using parameters, just like your first example.
So either of the 2 techniques you show should be capable of preventing sql
injection attacks.
Kerry Moorman
"Fred Flintstone" wrote: What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient. SqlCommand With CommandObject .Connection = myConnection .Parameters.Cle ar() .Parameters.Add ("@TextField ", SqlDbType.NVarC har, 50).Value = TextField .Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value = NumField .Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value = BitField .CommandText = "INSERT [Table1]([TextField], [NumField], [BitField]) VALUES(@TextFie ld, @NumField, @BitField);" .ExecuteNonQuer y() End With
2 - Dataset method
myDataRow = myDataSet.Table s(DataSetName). NewRow myDataRow("Text Field") = TextField myDataRow("NumF ield") = NumField myDataRow("BitF ield") = BitField myDataSet.Table s(DataSetName). Rows.Add(myData Row) mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes into buildings and life will end in a spectacular universal explosion. (or something horrible, I'm not sure exactly, something to do with people inserting SQL commands into our data streams?) So I've been recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it exposes such a massive security risk, why is it there in the first place?
I'm just trying to find the best method for doing database management in ADO.Net and I'm getting conflicting messages. Any advice appreciated, thanks!
"So either of the 2 techniques you show should be capable of
preventing sql injection attacks."
Now I'm really confused. The gotdotnet message boards are telling me
the opposite; that I MUST use parameters because a dataset IS
vulnerable to injection attacks.
*sigh* I'm using a data set now, I'm just going to stick with it.
Frankly, I don't see how "select delete * from sales from sales" is
going to wipe my tables.
Thanks for the response! :)
On Tue, 28 Mar 2006 11:00:04 -0800, Kerry Moorman
<Ke**********@d iscussions.micr osoft.com> wrote: Fred,
SQL injection attacks can occur when an sql command is built up as a string by concatenating sql keywords with data from a textbox, for example.
Using parameters and assigning data to the parameters prevents such attacks.
You are not showing your dataadapter's Insert, Update and Delete commands, which are being called when the dataadapter's Update method is called.
If you examine the adapter's Insert, Update and Delete commands you should see that they are using parameters, just like your first example.
So either of the 2 techniques you show should be capable of preventing sql injection attacks.
Kerry Moorman
"Fred Flintstone" wrote:
What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient. SqlCommand With CommandObject .Connection = myConnection .Parameters.Cle ar() .Parameters.Add ("@TextField ", SqlDbType.NVarC har, 50).Value = TextField .Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value = NumField .Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value = BitField .CommandText = "INSERT [Table1]([TextField], [NumField], [BitField]) VALUES(@TextFie ld, @NumField, @BitField);" .ExecuteNonQuer y() End With
2 - Dataset method
myDataRow = myDataSet.Table s(DataSetName). NewRow myDataRow("Text Field") = TextField myDataRow("NumF ield") = NumField myDataRow("BitF ield") = BitField myDataSet.Table s(DataSetName). Rows.Add(myData Row) mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes into buildings and life will end in a spectacular universal explosion. (or something horrible, I'm not sure exactly, something to do with people inserting SQL commands into our data streams?) So I've been recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it exposes such a massive security risk, why is it there in the first place?
I'm just trying to find the best method for doing database management in ADO.Net and I'm getting conflicting messages. Any advice appreciated, thanks! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics |
by: Hazzard |
last post by:
I just realized that the code I inherited is using all asp.net server
controls (ie. webform controls) and when I try to update textboxes on the
client side, I lose the new value of the textbox when submitting the form to
update the database. The server doesn't have the client side value any more.
It seems to me that as I begin to write the client side javacript code for
form validation and client side editing capabilities in order to save...
|
by: Pat Carden |
last post by:
Hi,
We need to allow webusers to upload a file on our website (on Server3, all
servers run Server 2003, remotely hosted) and eventually save it on our SBS
Server (Server2) which is not exposed through our firewall. We have another
server (Server1) within the SBS domain that is exposed through port 80 of
the firewall on which we host some web services and images.
What is the best architecture for getting the file from the remotely...
|
by: Mr Newbie |
last post by:
I was thinking about developing a workflow application yesterday and was
musing over the different approaches than one could take in restricting
specific actions on a ticket( Form ) at any said stage.
One approach I have used on other systems is to prevent the action buttons
appearing. For example, if one did not have the Role of Administrator, one
would be prevented from deleting a ticket not created by oneself.
However, it did occur...
|
by: Gert |
last post by:
Hi,
I have a form (server side) because of the filling of variables through the
application. But now I need to post it to an url on submit.
My .HTML form looks like this, but how to translate it to asp.net vb code?
!--<FORM ACTION="/test/test.php" METHOD=POST>-->
<form action="https://multipay.net/transaction/mpmain.php" method="post">
....
|
by: Nate |
last post by:
We are attempting to make a request to a web service (we will refer to it as
XXXServices) hosted on a Web Logic server from a C# SOAP client. The server
responds with a 401 Unauthorized error (that appears in plain text), and
causes the client to crash. This C# code has been deployed both as an
ASP.NET application and a WinForms app, each of which produced the same
result. Further, moving the clients from a Windows XP machine to Windows...
| |
by: Jobs |
last post by:
Download the JAVA , .NET and SQL Server interview with answers
Download the JAVA , .NET and SQL Server interview sheet and rate
yourself. This will help you judge yourself are you really worth of
attending interviews. If you own a company best way to judge if the
candidate is worth of it.
http://www.questpond.com/InterviewRatingSheet.zip
|
by: Dean Craig |
last post by:
I'm getting ready to build my first ASP.NET/SQL Server website that will be
hosted on some web host out there (long distance, different network). The
work I've done in the past (pre-.NET) was all done on in-house servers.
Since this website/web-app will be hosted elsewhere, I wanted to ask some
questions to make sure that I'm doing things correctly.
We have a SQL 2000 db hosted on a server here. I need to build a website
(hosted...
|
by: David |
last post by:
i think i just realized i'm an idiot. again.
(not syntactically correct code... just pieces to illustrate)
class StateObject
{
members like socket, receiveBuffer, receiveBufferSize, StringBuilder
etc..
}
|
by: chromis |
last post by:
Hi,
I am trying to setup a web development server on my company's local network, and I am not quite sure what the best method is. I am basically duplicating the software setup on the live hosting server (iis 6.0, mysql4, php5, coldfusion 7), and my plan at the moment is to allow FTP access on the local network to the websites. Which would then be accessed by dreamweaver on the various client machines. To access the websites a user would key...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look !
Part I. Meaning of...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
| |
by: tracyyun |
last post by:
Dear forum friends,
With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own....
Now, this would greatly impact the work of software developers. The idea...
|
by: conductexam |
last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one.
At the time of converting from word file to html my equations which are in the word document file was convert into image.
Globals.ThisAddIn.Application.ActiveDocument.Select();...
|
by: TSSRALBI |
last post by:
Hello
I'm a network technician in training and I need your help.
I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs.
The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols.
I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
|
by: adsilva |
last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
|
by: 6302768590 |
last post by:
Hai team
i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
| |
by: bsmnconsultancy |
last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...
| |