473,573 Members | 4,115 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

SQL Server and ADO.Net best method

What's the difference between these two methods?

1 - Parameterrized SQL queries:

Dim CommandObject As New Data.SqlClient. SqlCommand
With CommandObject
.Connection = myConnection
.Parameters.Cle ar()
.Parameters.Add ("@TextField ", SqlDbType.NVarC har,
50).Value = TextField
.Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value =
NumField
.Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value =
BitField
.CommandText = "INSERT [Table1]([TextField], [NumField],
[BitField]) VALUES(@TextFie ld, @NumField, @BitField);"
.ExecuteNonQuer y()
End With

2 - Dataset method

myDataRow = myDataSet.Table s(DataSetName). NewRow
myDataRow("Text Field") = TextField
myDataRow("NumF ield") = NumField
myDataRow("BitF ield") = BitField
myDataSet.Table s(DataSetName). Rows.Add(myData Row)
mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.

So my question is then, what's wrong with the dataset method? It it
exposes such a massive security risk, why is it there in the first
place?

I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks!
Mar 28 '06 #1
2 1501
Fred,

SQL injection attacks can occur when an sql command is built up as a string
by concatenating sql keywords with data from a textbox, for example.

Using parameters and assigning data to the parameters prevents such attacks.

You are not showing your dataadapter's Insert, Update and Delete commands,
which are being called when the dataadapter's Update method is called.

If you examine the adapter's Insert, Update and Delete commands you should
see that they are using parameters, just like your first example.

So either of the 2 techniques you show should be capable of preventing sql
injection attacks.

Kerry Moorman
"Fred Flintstone" wrote:
What's the difference between these two methods?

1 - Parameterrized SQL queries:

Dim CommandObject As New Data.SqlClient. SqlCommand
With CommandObject
.Connection = myConnection
.Parameters.Cle ar()
.Parameters.Add ("@TextField ", SqlDbType.NVarC har,
50).Value = TextField
.Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value =
NumField
.Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value =
BitField
.CommandText = "INSERT [Table1]([TextField], [NumField],
[BitField]) VALUES(@TextFie ld, @NumField, @BitField);"
.ExecuteNonQuer y()
End With

2 - Dataset method

myDataRow = myDataSet.Table s(DataSetName). NewRow
myDataRow("Text Field") = TextField
myDataRow("NumF ield") = NumField
myDataRow("BitF ield") = BitField
myDataSet.Table s(DataSetName). Rows.Add(myData Row)
mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.

So my question is then, what's wrong with the dataset method? It it
exposes such a massive security risk, why is it there in the first
place?

I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks!

Mar 28 '06 #2
"So either of the 2 techniques you show should be capable of
preventing sql injection attacks."

Now I'm really confused. The gotdotnet message boards are telling me
the opposite; that I MUST use parameters because a dataset IS
vulnerable to injection attacks.

*sigh* I'm using a data set now, I'm just going to stick with it.
Frankly, I don't see how "select delete * from sales from sales" is
going to wipe my tables.

Thanks for the response! :)

On Tue, 28 Mar 2006 11:00:04 -0800, Kerry Moorman
<Ke**********@d iscussions.micr osoft.com> wrote:
Fred,

SQL injection attacks can occur when an sql command is built up as a string
by concatenating sql keywords with data from a textbox, for example.

Using parameters and assigning data to the parameters prevents such attacks.

You are not showing your dataadapter's Insert, Update and Delete commands,
which are being called when the dataadapter's Update method is called.

If you examine the adapter's Insert, Update and Delete commands you should
see that they are using parameters, just like your first example.

So either of the 2 techniques you show should be capable of preventing sql
injection attacks.

Kerry Moorman
"Fred Flintstone" wrote:
What's the difference between these two methods?

1 - Parameterrized SQL queries:

Dim CommandObject As New Data.SqlClient. SqlCommand
With CommandObject
.Connection = myConnection
.Parameters.Cle ar()
.Parameters.Add ("@TextField ", SqlDbType.NVarC har,
50).Value = TextField
.Parameters.Add ("@NumField" , SqlDbType.Int, 50).Value =
NumField
.Parameters.Add ("@BitField" , SqlDbType.Int, 50).Value =
BitField
.CommandText = "INSERT [Table1]([TextField], [NumField],
[BitField]) VALUES(@TextFie ld, @NumField, @BitField);"
.ExecuteNonQuer y()
End With

2 - Dataset method

myDataRow = myDataSet.Table s(DataSetName). NewRow
myDataRow("Text Field") = TextField
myDataRow("NumF ield") = NumField
myDataRow("BitF ield") = BitField
myDataSet.Table s(DataSetName). Rows.Add(myData Row)
mySqlDataAdapte r.Update(myData Set, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.

So my question is then, what's wrong with the dataset method? It it
exposes such a massive security risk, why is it there in the first
place?

I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks!


Mar 28 '06 #3

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

2
8379
by: Hazzard | last post by:
I just realized that the code I inherited is using all asp.net server controls (ie. webform controls) and when I try to update textboxes on the client side, I lose the new value of the textbox when submitting the form to update the database. The server doesn't have the client side value any more. It seems to me that as I begin to write the...
6
3992
by: Pat Carden | last post by:
Hi, We need to allow webusers to upload a file on our website (on Server3, all servers run Server 2003, remotely hosted) and eventually save it on our SBS Server (Server2) which is not exposed through our firewall. We have another server (Server1) within the SBS domain that is exposed through port 80 of the firewall on which we host some...
22
2160
by: Mr Newbie | last post by:
I was thinking about developing a workflow application yesterday and was musing over the different approaches than one could take in restricting specific actions on a ticket( Form ) at any said stage. One approach I have used on other systems is to prevent the action buttons appearing. For example, if one did not have the Role of...
8
5072
by: Gert | last post by:
Hi, I have a form (server side) because of the filling of variables through the application. But now I need to post it to an url on submit. My .HTML form looks like this, but how to translate it to asp.net vb code? !--<FORM ACTION="/test/test.php" METHOD=POST>--> <form action="https://multipay.net/transaction/mpmain.php" method="post"> ...
5
12489
by: Nate | last post by:
We are attempting to make a request to a web service (we will refer to it as XXXServices) hosted on a Web Logic server from a C# SOAP client. The server responds with a 401 Unauthorized error (that appears in plain text), and causes the client to crash. This C# code has been deployed both as an ASP.NET application and a WinForms app, each of...
2
6940
by: Jobs | last post by:
Download the JAVA , .NET and SQL Server interview with answers Download the JAVA , .NET and SQL Server interview sheet and rate yourself. This will help you judge yourself are you really worth of attending interviews. If you own a company best way to judge if the candidate is worth of it. http://www.questpond.com/InterviewRatingSheet.zip
4
1729
by: Dean Craig | last post by:
I'm getting ready to build my first ASP.NET/SQL Server website that will be hosted on some web host out there (long distance, different network). The work I've done in the past (pre-.NET) was all done on in-house servers. Since this website/web-app will be hosted elsewhere, I wanted to ask some questions to make sure that I'm doing things...
7
1945
by: David | last post by:
i think i just realized i'm an idiot. again. (not syntactically correct code... just pieces to illustrate) class StateObject { members like socket, receiveBuffer, receiveBufferSize, StringBuilder etc.. }
0
1957
by: chromis | last post by:
Hi, I am trying to setup a web development server on my company's local network, and I am not quite sure what the best method is. I am basically duplicating the software setup on the live hosting server (iis 6.0, mysql4, php5, coldfusion 7), and my plan at the moment is to allow FTP access on the local network to the websites. Which would then...
0
7789
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main...
0
8037
Oralloy
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. ...
0
8215
jinu1996
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that...
1
7800
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For...
0
8086
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the...
1
5605
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes...
0
5296
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert...
0
3743
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
1
1325
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.