sql query help

Hi, I'm trying to run a query that fills a text box.

It works, but I need it to work with a string.

SELECT Tech, Password
FROM MangerPass
WHERE (Password = 123)

I wouldn't know the password is 123 till someone enters it.





  • au55ie

    There is a security hole (SQL injection) if you format statements with {0}. Look, if a bad guy enters the following in the password box:

    ';delete from ManagerPass;

    then after string.Format() your statement will be a valid SQL statement, and after the select it will delete all rows from the table. Using the same tactics a bad guy can insert a new user with a known password, or simply erase the whole database, etc.

    This is the reason why we must always use parameters when user string input goes into a statement.



  • Brian Harrison

    You're welcome.

    Cheers!



  • Dan Cowell

    Hi!


    I think you need a parameter here:

    SELECT Tech FROM MangerPass WHERE Password=@Password

    Notes:

    1. I don't think you need to select the Password field, because you already know it.

    2. If you use C# and SqlCommand, use the following statement to add the parameter value:

    SqlCommand cmd = new SqlCommand("SELECT Tech FROM MangerPass WHERE Password=@Password");

    cmd.Parameters.AddWithValue("@Password", PasswordTextBox.Text);

    Hint: don't send the plain password over the network or store it in the database; it's a security hole. You can ask the user to enter the password, then compute its hash and use this hash. For higher security you can encrypt the password and compute the hash from the encrypted data, but for a simple case you can use this:

    // Hash the password bytes; store and compare this string instead of the plaintext.
    byte[] hashBytes = new System.Security.Cryptography.SHA512Managed()
        .ComputeHash(UnicodeEncoding.Unicode.GetBytes(password));
    // Base64 gives a printable string; Unicode.GetString() on raw hash bytes would
    // produce invalid UTF-16 that may not survive storage in a text column.
    string hash = Convert.ToBase64String(hashBytes);

    Even if somebody reads this hash string from the database, he will not be able to easily find the right password that leads to this hash, and he will not be able to type the password in the text box.



  • -Q

    hi,

    If this is a real password to access your program, then follow what S.G said, but if it's just a field name you can use something like this:

    Dim SqlStr As String = String.Format("Select Tech, Password From ManagerPass Where Password =''{0}'' order By Tech", PasswordTextbox.Text)

    but not something like (Password = "); it's not a double quote, it's 2 single ones.

    Hope this helps.



  • pharita

    hi,

    If that's a web application, I fully agree with using things that are much more secure,

    but I didn't use those things before and I haven't learned them yet, so I use the easiest way to accomplish what I want to do. Later on I promise you I will learn the best practice, and thanks for your guidance.

    Best regards



  • Bulky

    It's not the password I worry about, but the method of string.Format() with string parameters coming from the user. If the user is authenticated and logged into the network and database (or he may be from the web, no matter) and this is a bad user (a fired and offended employee in his last 5 minutes at his workplace), he just types

    ';drop salesTable;/*

    and all sales will be gone, making a lot of problems for the employer. Or I can hijack the boss's password or confidential data that I'm not supposed to see. Here you can find a lot of ideas.

    string.Format() works perfectly on integers or Guids, but it's prohibited on strings (unless you check that the user input is not a SQL injection attack).

    In the case of a single computer fully under the control of the user, why then are passwords needed?

    So my point of view is that we must always use parameters on strings we want to inject. It's a good habit! Agree?
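The attack au55ie and Bulky describe, as an added example rather than code from the thread: Python's sqlite3 stands in for SqlCommand, the ManagerPass table with its Tech and Password columns follows the question, and the rows are constructed sample data. Two payloads are typed into the password box: one that is true for every row, and one that stacks a DELETE behind the SELECT. The stacked payload ends with a second SELECT ' to rebalance the closing quote the template appends (Bulky's trailing /* comments it out instead). The parameterised version binds the same text as a value, and neither payload has any effect.

```python
import sqlite3

# Constructed sample data; table and column names follow the thread.
SEED_ROWS = [("alice", "123"), ("bob", "s3cret"), ("carol", "hunter2")]

# Payloads an attacker types into the password box.
BYPASS_PAYLOAD = "' OR '1'='1"                          # predicate true for every row
STACKED_PAYLOAD = "';DELETE FROM ManagerPass;SELECT '"  # second statement wipes the table


def fresh_db():
    """In-memory database with the thread's ManagerPass table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE ManagerPass (Tech TEXT, Password TEXT)")
    con.executemany("INSERT INTO ManagerPass VALUES (?, ?)", SEED_ROWS)
    con.commit()
    return con


def row_count(con):
    return con.execute("SELECT COUNT(*) FROM ManagerPass").fetchone()[0]


def lookup_vulnerable(con, entered_password):
    """Equivalent of String.Format("... WHERE Password = '{0}'", PasswordTextbox.Text)."""
    sql = "SELECT Tech FROM ManagerPass WHERE Password = '{0}'".format(entered_password)
    cur = con.cursor()
    try:
        return [tech for (tech,) in cur.execute(sql)]
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        # sqlite3.execute() refuses stacked statements (older Pythons raise Warning,
        # newer ones ProgrammingError). SqlCommand runs the whole command text as one
        # batch; executescript() mimics that here. It discards the SELECT output, so
        # the application sees an empty result while the DELETE has already run.
        cur.executescript(sql)
        return []


def lookup_safe(con, entered_password):
    """Parameterised query: the entered text is bound as a value, never parsed as SQL."""
    rows = con.execute("SELECT Tech FROM ManagerPass WHERE Password = ?", (entered_password,))
    return [tech for (tech,) in rows]


if __name__ == "__main__":
    con = fresh_db()
    print(lookup_vulnerable(con, "123"))            # ['alice'], fine for honest input
    print(lookup_vulnerable(con, BYPASS_PAYLOAD))   # every Tech, no password needed
    print(lookup_vulnerable(con, STACKED_PAYLOAD))  # []
    print(row_count(con))                           # 0, the table has been emptied
    con = fresh_db()
    print(lookup_safe(con, BYPASS_PAYLOAD), lookup_safe(con, STACKED_PAYLOAD), row_count(con))  # [] [] 3
```

The destructive payload leaves no trace in the result the form receives, which is why the thread's advice is to parameterise every string that comes from the user rather than to inspect the input for "bad" characters.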



  • hussain hammad

    hi,

    Sergey, I said if it's just a field name and not a real password, because if it's a password and he uses SQL, first he has to authenticate the user ID,

    like select * from users where username = 'user name'

    then if the password that was retrieved in this record is equal to the password the user entered, he will simply do something: open a form or anything.

    No one searches a table with a password, so I thought it's just a field name, not a real password.

    One more thing: I'm not sure it's a web application or even a network application. If the form and the database are on a single computer then the bad guy doesn't need all those tactics; he will simply delete your entire application and your IDE if he wants.

    Best regards
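Dan Cowell's hint (store and compare a hash, never the plaintext) combined with the flow hussain hammad describes (look the user up by name, then compare the password), as an added example that is not code from the thread. It departs from the bare SHA-512 in Dan's snippet: an unsalted fast hash gives two users with the same password the same stored value and is cheap to brute-force, so this uses a per-user random salt with PBKDF2-HMAC-SHA256 and a constant-time comparison. The Salt, Iterations and PasswordHash columns are assumed additions to the thread's ManagerPass table, and the users are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000   # PBKDF2 work factor; raise it as your hardware allows
_DUMMY_SALT = bytes(16)  # used only so lookups of unknown names cost the same time


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. A fresh random salt per user means two users
    with the same password get different stored hashes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def create_schema(con):
    # Assumed columns: the thread's ManagerPass table has only Tech and Password.
    con.execute(
        "CREATE TABLE ManagerPass ("
        " Tech TEXT PRIMARY KEY,"
        " Salt BLOB NOT NULL,"
        " Iterations INTEGER NOT NULL,"
        " PasswordHash BLOB NOT NULL)"
    )


def add_tech(con, tech, password):
    salt, digest = hash_password(password)
    con.execute(
        "INSERT INTO ManagerPass (Tech, Salt, Iterations, PasswordHash) VALUES (?, ?, ?, ?)",
        (tech, salt, ITERATIONS, digest),
    )
    con.commit()


def authenticate(con, tech, entered_password):
    """Look the user up by name with a bound parameter, then compare hashes in constant time."""
    row = con.execute(
        "SELECT Salt, Iterations, PasswordHash FROM ManagerPass WHERE Tech = ?", (tech,)
    ).fetchone()
    if row is None:
        # Burn the same work as a real check so timing does not reveal valid names.
        hash_password(entered_password, _DUMMY_SALT)
        return False
    salt, iterations, stored = row
    _, candidate = hash_password(entered_password, salt, iterations)
    return hmac.compare_digest(candidate, stored)


def demo_db():
    """Constructed sample users; alice and bob deliberately share a password."""
    con = sqlite3.connect(":memory:")
    create_schema(con)
    add_tech(con, "alice", "123")
    add_tech(con, "bob", "123")
    return con


if __name__ == "__main__":
    con = demo_db()
    print(authenticate(con, "alice", "123"))      # True
    print(authenticate(con, "alice", "124"))      # False
    print(authenticate(con, "' OR '1'='1", "x"))  # False: bound as a name, not parsed as SQL
    hashes = con.execute("SELECT PasswordHash FROM ManagerPass").fetchall()
    print(hashes[0] != hashes[1])                 # True: same password, different salts
```

Because the salt is per user, the database can no longer be queried "by password" the way the original question does; the user name selects the row and the password is only ever checked against that one row, which is the flow hussain hammad outlines.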


