BOOK: Beginning ASP.NET 1.0  | This is the forum to discuss the Wrox book Beginning ASP.NET 1.0 with C# by Chris Goode, John Kauffman, Christopher L. Miller, Neil Raybould, S. Srinivasa Sivakumar, Dave Sussman, Ollie Cornes, Rob Birdwell, Matt Butler, Gary Johnson, Ajoy Krishnamoorthy, Juan T. Llibre, Chris Ullman; ISBN: 9780764543708 |
Welcome to the p2p.wrox.com Forums.
You are currently viewing the BOOK: Beginning ASP.NET 1.0 section of the Wrox Programmer to Programmer discussions. This is a community of software programmers and website developers including Wrox book authors and readers. New member registration was closed in 2019. New posts were shut off and the site was archived into this static format as of October 1, 2020. If you require technical support for a Wrox book please contact http://hub.wiley.com
May 17th, 2004, 04:15 PM
Authorized User
Join Date: Mar 2004
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
Hi,
I guess if you use stored procedures then you don't have to worry about SQL injection attacks.
Quote (originally posted by bmains):
Stu,
By the way, to prevent against SQL injection attacks, you may want to not allow characters such as "--", "*", etc., because that may alter the SQL string that you are running against.
If you want to know more about it, here is an example from a web site. There is a link to the answers at the bottom of the page:
http://www.counterhack.net/when_trin...he_irs_d-.html
Brian
May 18th, 2004, 08:34 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,998
Thanks: 0
Thanked 3 Times in 3 Posts
Hello,
Yes, using stored procedures definitely helps, although it also depends on how you code your stored procedure too.
Brian
May 18th, 2004, 04:06 PM
Authorized User
Join Date: Mar 2004
Posts: 28
Thanks: 0
Thanked 0 Times in 0 Posts
Hi Brian,
This is probably not the correct section of this forum to ask this question, but could you elaborate on your comment please?
How should a stored procedure be written to avoid SQL injection attacks?
Thanks
Quote (originally posted by bmains):
Hello,
Yes, using stored procedures definitely helps, although it also depends on how you code your stored procedure too.
Brian
May 19th, 2004, 08:04 AM
Friend of Wrox
Join Date: Jun 2003
Posts: 1,998
Thanks: 0
Thanked 3 Times in 3 Posts
Hey,
Please note that I'm a SQL Server guy. Creating a proc can be SQL injection safe, however, if you create a dynamic SQL string and execute it using exec or sp_executeSQL (which I've done), you can run into problems with SQL injection. I just tested out a query on my machine and was able to retrieve information from SQL server that the user shouldn't be able to use.
It also depends on how you input the information into the system. Passing the values to be selected from a database through the querystring can pose problems, because that is easily hackable.
Just something to think about,
Brian
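To illustrate the distinction Brian draws, here is an added T-SQL example (not code from the thread or the book): the same lookup written as a stored procedure that concatenates its argument into a dynamic string and runs it with EXEC, beside two forms that keep the argument as a typed parameter. The table dbo.Invoices and its columns are assumed for the example.

```sql
-- Added example, not from the thread. Table/columns are assumed.
CREATE TABLE dbo.Invoices (
    InvoiceNumber INT          NOT NULL,
    CustomerName  NVARCHAR(100) NOT NULL,
    Amount        DECIMAL(10,2) NOT NULL
);
GO

-- Vulnerable pattern: the argument is spliced into the statement text, so
-- whatever @CustomerName contains is parsed as part of the SQL that EXEC runs.
-- Wrapping this in a stored procedure does not make it safe.
CREATE PROCEDURE dbo.GetInvoices_DynamicConcat
    @CustomerName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT InvoiceNumber, Amount FROM dbo.Invoices '
             + N'WHERE CustomerName = ''' + @CustomerName + N''';';
    EXEC (@sql);   -- statement text depends on caller input
END;
GO

-- Dynamic SQL done safely: the statement text is a fixed literal and the value
-- is bound through sp_executesql's parameter list, so it is never parsed as SQL.
CREATE PROCEDURE dbo.GetInvoices_DynamicParam
    @CustomerName NVARCHAR(100)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT InvoiceNumber, Amount FROM dbo.Invoices WHERE CustomerName = @name;';
    EXEC sp_executesql @sql,
                       N'@name NVARCHAR(100)',   -- parameter definition
                       @name = @CustomerName;    -- value passed as data
END;
GO

-- Simplest and preferred: no dynamic SQL at all. The procedure parameter is
-- used directly in the query, so the plan is fixed and the value is just data.
CREATE PROCEDURE dbo.GetInvoices
    @CustomerName NVARCHAR(100)
AS
BEGIN
    SELECT InvoiceNumber, Amount
    FROM   dbo.Invoices
    WHERE  CustomerName = @CustomerName;
END;
GO
```

The ASP.NET caller should invoke these with SqlCommand.CommandType set to StoredProcedure and the value supplied as a SqlParameter rather than by building the EXEC string itself, otherwise the same concatenation problem reappears one layer up.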
January 6th, 2005, 01:03 PM
Registered User
Join Date: Jan 2005
Posts: 1
Thanks: 0
Thanked 0 Times in 0 Posts
Guys,
I am using a RegularExpressionValidator to validate numbers in a TextBox. I want to allow values like ($430) or -430 in the textbox. Which expression should I use for that? These values are the amount of the invoice. I am using ^\$?([1-9]{1}[0-9]{0,2}(\,[0-9]{3})*(\.[0-9]{0,2})?|[1-9]{1}[0-9]{0,}(\.[0-9]{0,2})?|0(\.[0-9]{0,2})?|(\.[0-9]{1,2})?)$
for this. What should I do to allow a "-" sign or ($430) in the value?
any help appreciated.
Thanks
Sudhir