Sql injection attack - need help changing ASP code

Similar Messages

• Lightswitch Security, Protection against SQL Injection attacks etc.

  Hi all,
  I have been hunting around for some kind of documentation that explains how Lightwitch handles typical web application vunerabilities such as SQL injection attacks.
  In the case of injection attacks it is my understanding the generated code will submit data to the database via names parameters to protect against such things but it would be good to have some official account of how Lightswitch handles relevant OWASP
  issues to help provide assurance to businesses that by relying on a framework such as Lightswitch does not introduce security risks.
  Is anyone aware of such documentation? I found this but it barely scratches the surface:
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  There is this which describes best practices but nothing to say that these practices are adopte within Lightswitch
  http://msdn.microsoft.com/en-us/library/gg481776.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
  Thanks for any help, I am amazed that it is so difficult to find?

  LS is a tool built in top of other technologies including Entity Framework.
  Here is a security doc about EF.
  http://msdn.microsoft.com/en-us/library/vstudio/cc716760(v=vs.100).aspx
  LS uses Linq to Entities and therefore is not susceptible to SQL injection.
  HTH,
  Josh
  PS... the only vulnerability that I'm aware of is when a desktop app is deployed as 2-tier instead of 3-tier.  In that case, the web.config which contains connection strings is on the client machine, which is a risk.  Here is a discussion related
  to db security & 2 vs 3-tier.
  https://social.msdn.microsoft.com/Forums/vstudio/en-US/93e035e0-0d2e-4405-a717-5b3207b3ccac/can-sql-server-application-roles-be-used-in-conjunction-with-lightswitch?forum=lightswitch

• SQL Injection Attacks

  Any Admins aware of possible SQL "injection" attacks like this?
  For example in your web sites login.asp or similar:
  select * from users
  where uname='%value1%'
  and pwd='%value2%'
  where %value1% equals "garbage"
  and %value2% equals "garbage' or TRUE or '"
  select * from users
  where uname='garbage'
  and pwd='garbage' or TRUE or ''
  Useful source of security info:
  http://www.nextgenss.com/news.html
  Get Oracle Security Patches:
  http://otn.oracle.com/deploy/security/alerts.htm
  Adeeva.

  There was an excellent presentation on this and other database attacks at the recent SEOUC conference in Charlotte. You can see the slides by going to http://www.seouc.org. Select "Presentation Abstracts" from the menu and then choose the keynote address. There were a lot of open jaws in the presentation room.
  One technique that we use is to package all SQL used in our websites using bind variables. So the login script you showed would be replaced by a packaged procedure something like this:
  PROCEDURE validate_logon (id_in appusers.id%TYPE, pw_in appusers.password%TYPE)
  RETURN INTEGER
  IS
  x INTEGER;
  sqlstr := 'select count(*) from appusers where id = :1 and password = :2';
  BEGIN
  EXECUTE IMMEDIATE sqlstr INTO x USING id_in, pw_in;
  RETURN x;
  END;
  This would return a positive integer (should always be 1) if the validation succeeds and 0 if it fails. They can't easily inject stuff into this. We used packaged dynamic SQL with bind variables for everything. Also, the account that logs onto the database never has access of any kind to the tables or views, only EXECUTE on the procedures.
  Nothing is foolproof but at least it makes it harder for them.

• SQL Injection attack

  After an SQL injection attack I followed the advice to use
  cfqueryparam in my cfquery statements. Unfortunatley this does not
  seem to have worked as many records in my database have again been
  appended with scripts linking to javascript files on another
  website.
  I haven't coded in Coldfusion in a while and would really
  appreciate it if someone could take a look at the code of one of my
  pages and let me know if I have missed anything or miss coded the
  cfqueryparam tag.
  Thanks in advance
  Neil

  You can add the following code to your application file.
  <!--- CREATE SQL REGULAR EXPRESSION--->
  <cfset sqlregex = "
  (SELECT\s[\w\*\)\(\,\s]+\sFROM\s[\w]+)|
  (UPDATE\s[\w]+\sSET\s[\w\,\'\=]+)|
  (INSERT\sINTO\s[\d\w]+[\s\w\d\)\(\,]*\sVALUES\s\([\d\w\'\,\)]+)|
  (DELETE\sFROM\s[\d\w\'\=]+)|
  (DROP\sTABLE\s[\d\w\'\=]+)">
  <!--- CHECK FORM VARIABLES --->
  <cfloop collection="#form#" item="formelement">
  <cfif isSimpleValue(evaluate(formelement)) AND
  refindnocase(sqlregex, "#evaluate(formelement)#")>
  <cflocation url="messages.cfm?message=Invalid Input.
  Possible SQL Injection attack.">
  <cfset StructClear(form)>
  <cfabort>
  </cfif>
  </cfloop>
  <!--- CHECK URL VARIABLES --->
  <cfloop collection="#url#" item="formelement">
  <cfif isSimpleValue(evaluate(formelement)) AND
  refindnocase(sqlregex, "#evaluate(formelement)#")>
  <cflocation url="messages.cfm?message=Invalid Input.
  Possible SQL Injection attack.">
  <cfset StructClear(url)>
  <cfabort>
  </cfif>
  </cfloop>
  Good luck
  Mamdoh
  P.S: The credit for the script go to sys-con.com

• Preventing Sql Injection Attacks

  Please see my posting on "Sql Injection" in the Technologies\Security forum. I am interested in preventing sql injection attacks on our server. It was difficult to decide where to post it as it is a security issue but it may be general server issue. Or is it???

  It would have helpful if you had either repeated the text of your other post here, or else included a link Sql Injection.
  Tom Best posted a link to an interesting sounding paper in Injection Attack. I haven't had the chance to read it yet, but it is probably the best best place to start (as no-one else posted to that thread).
  Cheers, APC

• Preventing sql injection attack

  string objConn9 = "Provider = MSDAORA;User ID=103109798;Password=password;Data Source=orabis;";
                                OleDbConnection myConnection9 = new OleDbConnection(objConn9);
                                string commandString9 = "INSERT INTO users(username,password)VALUES(:username,:password)";
                                OleDbCommand myCommand9 = new OleDbCommand(commandString9, myConnection9);
                                myCommand9.Parameters.Add(":username", txtUsername.Text);
                                myCommand9.Parameters.Add(":password", txtPassword.Text);
                                myConnection9.Open();
                                myCommand9.ExecuteNonQuery();
                                myConnection9.Close();
  i'm using this code to try to remove the problem of
  users entering a comma or an semi colon and throwing off my query, but its not working...
  is there an easy way to insert text values into oracle 8i
  that contain '; etc without throwing it off. I'm developing through c# and oracle 8i, the problem is most of the code examples are related to sql server and vb.net

  I may be off here, but in this case you appear to be okay. The code snippet you include looks to me like it is using bind variables. If you are using bind variables you are not susceptible to sql injection attacks.
  It is only when concatenating a string together to make a sql statement that injection attacks can occur.
  See
  http://asktom.oracle.com/pls/ask/f?p=4950:8:::::F4950_P8_DISPLAYID:668624442763#18067076079313
  and search for injection.
  Or just go to
  http://asktom.oracle.com
  and search for "sql injection bind variable" for lots of other references.

• Need help in transcation code ime0

  I need help in transaction code ime0. I mean to say what is this TCode doing? What different Drill-down program means? Where I can use this report?
  Regards,
  Subhasish

  Hi
  Please check the link for help
  <a href="http://help.sap.com/saphelp_47x200/helpdata/EN/5c/8db33f555411d189660000e829fbbd/frameset.htm">CA - Drilldown Reporting</a>
  Hope it helps
  Anirban

• I need help with this code error "unreachable statement"

  the error_
  F:\Java\Projects\Tools.java:51: unreachable statement <-----------------------------------------------------------------------------------------------------------------THIS
  int index;
  ^
  F:\Java\Projects\Tools.java:71: missing return statement
  }//end delete method
  ^
  F:\Java\Projects\Tools.java:86: missing return statement
  }//end getrecod
  ^
  3 errors
  import java.util.*;
  import javax.swing.*;
  import java.awt.*;
  public class Tools//tool class
  private int numberOfToolItems;
  private ToolItems[] toolArray = new ToolItems[10];
  public Tools()//array of tool
  numberOfToolItems = 0;
  for(int i = 0; i < toolArray.length; i++)//for loop to create the array tools
  toolArray[i] = new ToolItems();
  }//end for loop
  }//end of array of tools
  public int search(int id)//search mehtod
  int index = 0;
  while (index < numberOfToolItems)//while and if loop search
  if(toolArray[index].getID() == id)
  return index;
  else
  index ++;
  }//en while and if loop
  return -1;
  }//end search method
  public int insert(int id, int numberInStock, int quality, double basePrice, String nm)//insert method
  if(numberOfToolItems >= toolArray.length)
  return 0;
  int index;
  index = search(id); <-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HERE
  if (index == -1)
  toolArray[index].assign(id,numberInStock, quality, basePrice,nm);
  numberInStock ++;
  return 1;
  }//end if index
  }//end if toolitem array
  return -1;
  }//end insert method
  public int delete(/*int id*/)//delete method
  }//end delete method
  public void display()//display method
  for(int i = 0; i < numberOfToolItems; i++)
  //toolArray.display(g,y,x);
  }//end display method
  public String getRecord(int i)//get record method
  // return toolArray[i].getName()+ "ID: "+toolArray[i].getID()
  }//end getrecod
  }//end class
  Edited by: ladsoftware on Oct 9, 2009 6:08 AM
  Edited by: ladsoftware on Oct 9, 2009 6:09 AM
  Edited by: ladsoftware on Oct 9, 2009 6:10 AM
  Edited by: ladsoftware on Oct 9, 2009 6:11 AM

  ladsoftware wrote:
  Subject: Re: I need help with this code error "unreachable statement"
  F:\Java\Projects\Tools.java:51: unreachable statement <-----------------------------------------------------------------------------------------------------------------THIS
  int index;
  ^
  F:\Java\Projects\Tools.java:71: missing return statement
  }//end delete method
  ^
  F:\Java\Projects\Tools.java:86: missing return statement
  }//end getrecod
  ^
  3 errorsThe compiler is telling you exactly what the problems are:
  public int insert(int id, int numberInStock, int quality, double basePrice, String nm)//insert method
  if(numberOfToolItems >= toolArray.length)
  return 0; // <<== HERE you return, so everyting in the if block after this is unreachable
  int index;
  index = search(id);  //< -----------------------------------------------------------------------------------------------------------------HERE
  if (index == -1)
  toolArray[index].assign(id,numberInStock, quality, basePrice,nm);
  numberInStock ++;
  return 1;
  }//end if index
  }//end if toolitem array
  return -1;
  }//end insert method
  public int delete(/*int id*/)//delete method
  // <<== HERE where is the return statement?
  }//end delete method
  public String getRecord(int i)//get record method
  // return toolArray.getName()+ "ID: "+toolArray[i].getID() <<== HERE you commented out the return statement
  }//end getrecod
  }//end class

• I need help with my code..

  hi guys. as the subject says I need help with my code
  the Q for my code is :
  write a program that reads a positive integer x and calculates and prints a floating point number y if :
  y = 1 ? 1/2 + 1/3 - ? + 1/x
  and this is my code
     This program that reads a positive integer x and calculates
     and prints a floating point number y if :
               y = 1 - 1/2 + 1/3 - ? + 1/x
     import java.util.Scanner; // program uses class Scanner
      class Sh7q2
         // main method begins execution of Java application
         public static void main( String args[] )
        // create Scanner to obtain input from command window
           Scanner input = new Scanner( System.in );
           int i = 1; // i is to control the loop
           int n = 2; // n is suppose to control the number sign
           int x; // a positive integer entered by the user
           int m;
           System.out.println("Enter a positive integer");
           x = input.nextInt();
           do
              m = (int) Math.pow( -1, n)/i;
              System.out.println(m);
                 n++;
                 i++;
           while ( m >= 1/x );
        } // end method main
     } // end class Sh7q2 when I compile it there is no error
  but in the run it tells me to enter a positive integer
  suppose i entered 5
  then the result is 1...
  can anyone tell me what's wrong with my code

     This program that reads a positive integer x and calculates
     and prints a floating point number y if :
               y = 1 - 1/2 + 1/3 - ? + 1/x
     import java.util.Scanner; // program uses class Scanner
      class Sh7q2
         // main method begins execution of Java application
         public static void main( String args[] )
        // create Scanner to obtain input from command window
           Scanner input = new Scanner( System.in );
           int i = 1; // i is to control the loop
           int n = 1; // n is suppose to control the number sign
           int x; // a positive integer entered by the user
           double m;
           int a = 1;
           double sum = 0;
           System.out.println("Enter a positive integer");
           x = input.nextInt();
           for ( i = 1; a <= x; i++)
              m =  Math.pow( -1, n+1)/i;
              sum  = sum + m;
              n++;
              a++;
           System.out.print("y = " + sum);
        } // end method main
     } // end class Sh7q2is it right :S

• I need help changing my iTunes syncing for iPad and iPhone when I connect Ed my iPhone to computer it has a different name from my laptop so I can't sync iPhone music from iPad. Please help!!!

  I Need help changing my name on lipad and iPhone to sync. I have two different name1 is from my laptop and the other is from iPad ,so I can't sync iTunes. Please help!!!!!!

  Plug the iphone in and go to the music tab in the iphone,not your itunes library.There will be a button in the borrom right that says autofill. Click that and it should thransfer all your music. It worked for me,and i had the same problem.

• HT5312 Guys, I have forgotten my security question answers, and the rescue email I placed in with my apple id has been closed down as well (it was a university id, when I graduated, the email service expired). I need help changing my password.

  Guys, I have forgotten my security question answers, and the rescue email I placed in with my apple id has been closed down as well (it was a university id, when I graduated, the email service expired). I need help changing my password.

  The Three Best Alternatives for Security Questions and Rescue Mail
      1. Use Apple's Express Lane.
            Go to https://expresslane.apple.com ; click 'See all products and services' at the
            bottom of the page. In the next page click 'More Products and Services, then
            'Apple ID'. In the next page select 'Other Apple ID Topics' then 'Forgotten Apple
            ID security questions' and click 'Continue'.
       2.  Call Apple Support in your country: Customer Service: Contact Apple support.
       3.  Rescue email address and how to reset Apple ID security questions.
  A substitute for using the security questions is to use 2-step verification:
  Two-step verification FAQ Get answers to frequently asked questions about two-step verification for Apple ID.

• I need help changing my security information because i forgot it and i clicked forgot your answers on the apple website and its sopost to send me an email saying how to reset it but i never got an email

  i need help changing my security information because i forgot it and i clicked forgot your answers on the apple website and its sopost to send me an email saying how to reset it but i never got an email.

  Contact iTunes support:
  http://www.apple.com/support/itunes/contact/

• Need Help on this Code Immediately

  Hi Friends,
  Iam very new to java.
  I have a Java Code that iam trying to Run. The Code Compiles fine but it fails on its 3rd Loop where it is trying to Run a report.
  I have the Code part that is errorring out. Can someone please look into the code and tell me if i need to make any changes to the Code.
  The Code when Executed gives an Error "The Client Did Something Wrong".
  Please Help Me!!!
        * Execute a report.
        *@param     path     This is the search path to the report.
        *@param     format     The array that contains the format options (PDF,HTML,etc...)
       public void executeReport(String path,String[] format)
            ParameterValue pv[] = new ParameterValue[]{};
            Option ro[] = new Option[3];
            RunOptionBoolean saveOutput = new RunOptionBoolean();
            RunOptionStringArray rosa = new RunOptionStringArray();
            RunOptionBoolean burstable = new RunOptionBoolean();
            // Define that the report to save the output.
            saveOutput.setName(RunOptionEnum.saveOutput);
            saveOutput.setValue(true);
            // What format do we want the report in: PDF? HTML? XML?
            rosa.setName(RunOptionEnum.outputFormat);
            rosa.setValue(format);
            // Define that the report can be burst.
            burstable.setName(RunOptionEnum.burst);
            burstable.setValue(true);
            // Fill the array with the run options.
            ro[0] = rosa;
            ro[1] = saveOutput;
            ro[2] = burstable;
            try
                 SearchPathSingleObject spSingle = new SearchPathSingleObject();
                 spSingle.setValue(path);
                 // Get the initial response.
                 AsynchReply res = reportService.run(spSingle,pv,ro);
                 // If it has not yet completed, keep waiting until it is done.
                 // In this case, we wait forever.
                 while (res.getStatus() != AsynchReplyStatusEnum.complete && res.getStatus() != AsynchReplyStatusEnum.conversationComplete)
                      res = reportService.wait(res.getPrimaryRequest(), new ParameterValue[]{}, new Option[]{});
                 reportService.release(res.getPrimaryRequest());
                 // Return the final response.
            catch (Exception e)
                 System.out.println(e);
       }

  Guess I was too late. Sorry
  Inestead of posting you need help on code immediately how about intest posting the particular topic that you are working on. It's quite doubtful that you would be here if you didn't have a question.

• Need help with WMI code that will send output to db

  'm new to WMI code writing, so I need some help with writing code that we can store on our server. I want this code to run when a user logs into their computer
  and talks to our server. I also want the code to:
  * check the users computer and find all installed patches
  * the date the patches were installed
  * the serial number of the users computer
  * the computer name, os version, last boot up time, and mac address
  and then have all this output to a database file. At the command prompt I've tried:
  wmic qfe get description, hotfixid
  This does return the patch information I'm looking for, but how do I combine that line of code with:
  wmic os get version, csname, serialnumber, lastbootuptime
  and
  wmic nicconfig get macaddress
  and then get all this to output to a database file?

  Thank you for the links. I checked out http://technet.microsoft.com/en-us/scriptcenter/dd793612.aspx and
  found lots of good information. I also found a good command that will print information to a text file.
  Basically what I'm trying to do is retrieve a list of all installed updates (Windows updates and 3rd party updates). I do like that the below code because it gives me the KB numbers for the Windows updates. I need this information so my IT co-workers &
  I can keep track of which of our user computers need a patch/update installed and preferably which patch/update. The minimum we want to know is which patches / updates have been installed on which computer. If you wondering why we don't have Windows automatic
  updates enable, that's because we are not allowed to.   
  This is my code so far. 
  #if you want the computer name, use this command
  get-content env:computername
  $computer = get-content env:computername
  #list of installed patches
  Get-Hotfix -ComputerName $computer#create a text file listing this information
  Get-Hotfix > 'C:\users\little e\Documents\WMI help\PowerShell\printOutPatchList.txt'
  I know you don't want to tell me the code that will print this out to a database (regardless if it's Access or SQL), and that's find. But maybe you can tell me this. Is it possible to have the results of this sent to a database file or do I need to go into
  SQL and write code for SQL to go out and grab the data from an Excel file or txt file? If I'm understanding this stuff so far, then I suspect that it can be done both ways, but the code needs to be written correctly for this to happen. If it's true, then which
  way is best (code in PowerShell to send information to SQL or SQL go get the information from the text file or Excel file)?

• Urgent Help Changing C code to Java!

  Hi can anyone help me please !
  I need to change the following code from C into Java!
  The Project has to be done by this the Friday 26th April
  < Code in C>
  int textToBmsg(char abuf ,char bbuf,int bbufsize)
  /*takes a text message in 7 bit ascii and converts it to
  *a compressed 8-bit format.
  *return-size of output string
  int aidx; /* index into input string */
  int bidx; /* index into output string */
  int i;
  int c;
  char tmp[SMSTEXTSIZE];
  aidx=0;
  bidx=0;
  while(*(abuf + aidx) != 0 && bidx < bbufsize){
  c = *(abuf+aidx) & 0x7F;
  switch (aidx%8){
  case 0:
  *(tmp + bidx)= c;
  break;
  case 1:
  *(tmp + bidx) |= (c & 0x1)<< 7;
  bidx++;
  *(tmp = bidx) = c >> 1;
  break;
  case 2:
  *(tmp + bidx) |= (c & 0x3) << 6;
  bidx++;
  *(tmp + bidx)= c >> 2;
  break;
  case 3:
  *(tmp + bidx) |= (c & 0x7) << 5;
  bidx++;
  *(tmp + bidx)= c >> 3;
  break;
  case 4:
  *(tmp + bidx) |= (c & 0xF) << 4;
  bidx++;
  *(tmp + bidx)= c >> 4;
  break;
  case 5:
  *(tmp + bidx) |= (c & 0x1F) << 3;
  bidx++;
  *(tmp + bidx)= c >> 5;
  break;
  case 6:
  *(tmp + bidx) |= (c & 0x3F) << 2;
  bidx++;
  *(tmp + bidx)= c >> 6;
  break;
  case 7:
  *(tmp + bidx) |= (c & 0x7F) << 1;
  bidx++;
  break;
  aidx++;
  if ((aidx%8)!= 0 )bidx++;
  itoh(aidx, bbuf, 2); /*length of umcompressed message*/
  bbuf += 2;
  for(i=0; i<bidx; i++){
  itoh(*(tmp+i), bbuf, 2);
  bbuf += 2;
  return bidx*2 + 2;
  </code>
  Tks.in advance,
  HendyJDK

  Thanks for nothing you sad individual, if you ar not
  going to offer anything constructive then please
  keep your opinons to yourself, if you must know I
  stuck for time and trying my best to translate this to
  meet a deadline this Friday, you pompous idiot! Requesting that you refrain from cross-posting isn't pompous and doesn't identify the person who
  makes the request as an idiot. As a matter of fact, he was pointing out that your question was
  answered in the other posting that you made.
  Rather than responding in the manner in which you did, you should have thanked him for his help!
  Mark