What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient.SqlCommand
With CommandObject
.Connection = myConnection
.Parameters.Clear()
.Parameters.Add("@TextField", SqlDbType.NVarChar,
50).Value = TextField
.Parameters.Add("@NumField", SqlDbType.Int, 50).Value =
NumField
.Parameters.Add("@BitField", SqlDbType.Int, 50).Value =
BitField
.CommandText = "INSERT [Table1]([TextField], [NumField],
[BitField]) VALUES(@TextField, @NumField, @BitField);"
.ExecuteNonQuery()
End With
2 - Dataset method
myDataRow = myDataSet.Tables(DataSetName).NewRow
myDataRow("TextField") = TextField
myDataRow("NumField") = NumField
myDataRow("BitField") = BitField
myDataSet.Tables(DataSetName).Rows.Add(myDataRow)
mySqlDataAdapter.Update(myDataSet, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes
into buildings and life will end in a spectacular universal explosion.
(or something horrible, I'm not sure exactly, something to do with
people inserting SQL commands into our data streams?) So I've been
recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it
exposes such a massive security risk, why is it there in the first
place?
I'm just trying to find the best method for doing database management
in ADO.Net and I'm getting conflicting messages. Any advice
appreciated, thanks! 2 1483
Fred,
SQL injection attacks can occur when an sql command is built up as a string
by concatenating sql keywords with data from a textbox, for example.
Using parameters and assigning data to the parameters prevents such attacks.
You are not showing your dataadapter's Insert, Update and Delete commands,
which are being called when the dataadapter's Update method is called.
If you examine the adapter's Insert, Update and Delete commands you should
see that they are using parameters, just like your first example.
So either of the 2 techniques you show should be capable of preventing sql
injection attacks.
Kerry Moorman
"Fred Flintstone" wrote: What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient.SqlCommand With CommandObject .Connection = myConnection .Parameters.Clear() .Parameters.Add("@TextField", SqlDbType.NVarChar, 50).Value = TextField .Parameters.Add("@NumField", SqlDbType.Int, 50).Value = NumField .Parameters.Add("@BitField", SqlDbType.Int, 50).Value = BitField .CommandText = "INSERT [Table1]([TextField], [NumField], [BitField]) VALUES(@TextField, @NumField, @BitField);" .ExecuteNonQuery() End With
2 - Dataset method
myDataRow = myDataSet.Tables(DataSetName).NewRow myDataRow("TextField") = TextField myDataRow("NumField") = NumField myDataRow("BitField") = BitField myDataSet.Tables(DataSetName).Rows.Add(myDataRow) mySqlDataAdapter.Update(myDataSet, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes into buildings and life will end in a spectacular universal explosion. (or something horrible, I'm not sure exactly, something to do with people inserting SQL commands into our data streams?) So I've been recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it exposes such a massive security risk, why is it there in the first place?
I'm just trying to find the best method for doing database management in ADO.Net and I'm getting conflicting messages. Any advice appreciated, thanks!
"So either of the 2 techniques you show should be capable of
preventing sql injection attacks."
Now I'm really confused. The gotdotnet message boards are telling me
the opposite; that I MUST use parameters because a dataset IS
vulnerable to injection attacks.
*sigh* I'm using a data set now, I'm just going to stick with it.
Frankly, I don't see how "select delete * from sales from sales" is
going to wipe my tables.
Thanks for the response! :)
On Tue, 28 Mar 2006 11:00:04 -0800, Kerry Moorman
<Ke**********@discussions.microsoft.com> wrote: Fred,
SQL injection attacks can occur when an sql command is built up as a string by concatenating sql keywords with data from a textbox, for example.
Using parameters and assigning data to the parameters prevents such attacks.
You are not showing your dataadapter's Insert, Update and Delete commands, which are being called when the dataadapter's Update method is called.
If you examine the adapter's Insert, Update and Delete commands you should see that they are using parameters, just like your first example.
So either of the 2 techniques you show should be capable of preventing sql injection attacks.
Kerry Moorman
"Fred Flintstone" wrote:
What's the difference between these two methods?
1 - Parameterrized SQL queries:
Dim CommandObject As New Data.SqlClient.SqlCommand With CommandObject .Connection = myConnection .Parameters.Clear() .Parameters.Add("@TextField", SqlDbType.NVarChar, 50).Value = TextField .Parameters.Add("@NumField", SqlDbType.Int, 50).Value = NumField .Parameters.Add("@BitField", SqlDbType.Int, 50).Value = BitField .CommandText = "INSERT [Table1]([TextField], [NumField], [BitField]) VALUES(@TextField, @NumField, @BitField);" .ExecuteNonQuery() End With
2 - Dataset method
myDataRow = myDataSet.Tables(DataSetName).NewRow myDataRow("TextField") = TextField myDataRow("NumField") = NumField myDataRow("BitField") = BitField myDataSet.Tables(DataSetName).Rows.Add(myDataRow) mySqlDataAdapter.Update(myDataSet, DataSetName)
Apparently, if I use the data set method, terrorists will fly planes into buildings and life will end in a spectacular universal explosion. (or something horrible, I'm not sure exactly, something to do with people inserting SQL commands into our data streams?) So I've been recommended method 1 as 'you MUST do it this way!!!1one'.
So my question is then, what's wrong with the dataset method? It it exposes such a massive security risk, why is it there in the first place?
I'm just trying to find the best method for doing database management in ADO.Net and I'm getting conflicting messages. Any advice appreciated, thanks! This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Hazzard |
last post by:
I just realized that the code I inherited is using all asp.net server
controls (ie. webform controls) and when I try to update textboxes on the
client side, I lose the new value of the textbox when...
|
by: Pat Carden |
last post by:
Hi,
We need to allow webusers to upload a file on our website (on Server3, all
servers run Server 2003, remotely hosted) and eventually save it on our SBS
Server (Server2) which is not exposed...
|
by: Mr Newbie |
last post by:
I was thinking about developing a workflow application yesterday and was
musing over the different approaches than one could take in restricting
specific actions on a ticket( Form ) at any said...
|
by: Gert |
last post by:
Hi,
I have a form (server side) because of the filling of variables through the
application. But now I need to post it to an url on submit.
My .HTML form looks like this, but how to translate it...
|
by: Nate |
last post by:
We are attempting to make a request to a web service (we will refer to it as
XXXServices) hosted on a Web Logic server from a C# SOAP client. The server
responds with a 401 Unauthorized error...
|
by: Jobs |
last post by:
Download the JAVA , .NET and SQL Server interview with answers
Download the JAVA , .NET and SQL Server interview sheet and rate
yourself. This will help you judge yourself are you really worth of...
|
by: Dean Craig |
last post by:
I'm getting ready to build my first ASP.NET/SQL Server website that will be
hosted on some web host out there (long distance, different network). The
work I've done in the past (pre-.NET) was all...
|
by: David |
last post by:
i think i just realized i'm an idiot. again.
(not syntactically correct code... just pieces to illustrate)
class StateObject
{
members like socket, receiveBuffer, receiveBufferSize,...
|
by: chromis |
last post by:
Hi,
I am trying to setup a web development server on my company's local network, and I am not quite sure what the best method is. I am basically duplicating the software setup on the live hosting...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: emmanuelkatto |
last post by:
Hi All, I am Emmanuel katto from Uganda. I want to ask what challenges you've faced while migrating a website to cloud.
Please let me know.
Thanks!
Emmanuel
|
by: nemocccc |
last post by:
hello, everyone, I want to develop a software for my android phone for daily needs, any suggestions?
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: marktang |
last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However,...
|
by: Oralloy |
last post by:
Hello folks,
I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>".
The problem is that using the GNU compilers,...
|
by: Hystou |
last post by:
Overview:
Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows...
|
by: agi2029 |
last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing,...
|
by: isladogs |
last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM).
In this session, we are pleased to welcome a new...
| |