Updating Records - Hackers - Abusive Users
General information
Forum: ASP.NET
Category: Other / Miscellaneous
Thread ID: 00890533
Message ID: 00890579
Views: 18
Hi Shawn,

You will need to update the code to match the new table structure, but in the next version of Visual Studio (VS 2005), using partial classes will make this much easier. You can automate the regeneration of the Insert/Update/Delete parameters used in your business classes into a separate file without disturbing the rest of the class code.

>Sorry for being so long; the questions are at the bottom. I made it long so you have an understanding of what I am talking about.
>
>In the process of building my website I have come across a piece in the help from MM (I hope it is okay that I posted it) that said:
>
>If you concatenate strings to build query statements, you can open your system to malicious SQL injection attacks from hackers. Take for example the following code sample shown at the beginning of this topic:
>
>In C#:
>public DataSet GetOrdersByCustomerID(string custID)
>{
>	mmDataSet dsOrders = this.GetDataSet("SELECT * FROM Orders WHERE CustomerID = '" +
>		custID + "'");
>
>	return dsOrders;
>}
>In VB .NET:
>
>Public Function GetOrdersByCustomerID(custID As String) As DataSet
>	Dim dsOrders As mmDataSet = Me.GetDataSet( _
>		"SELECT * FROM Orders WHERE CustomerID = '" & custID & "'")
>
>	Return dsOrders
>End Function
>Someone with malicious intent could pass the following customer ID value to this method:
>
>"1' DROP table employees --"
>
>When this value is concatenated to your SQL statement, you get the following:
>
>SELECT * FROM Orders WHERE CustomerID = '1' DROP table employees --'
>
>Executing this SQL command completely removes the Employees table from your database! The reason this works is that a double-hyphen "--" is a comment operator in SQL that causes the final single quote to be ignored by SQL Server.
>
>Now, when I follow the route of creating a command object, it creates the following:
>
>private void InitializeComponent()
>{
>    this.sqlDataAdapter1 = new System.Data.SqlClient.SqlDataAdapter();
>    this.sqlSelectCommand1 = new System.Data.SqlClient.SqlCommand();
>    this.sqlInsertCommand1 = new System.Data.SqlClient.SqlCommand();
>    this.sqlUpdateCommand1 = new System.Data.SqlClient.SqlCommand();
>    this.sqlDeleteCommand1 = new System.Data.SqlClient.SqlCommand();
>    this.sqlConnection1 = new System.Data.SqlClient.SqlConnection();
>    //
>    // sqlDataAdapter1
>    //
>    this.sqlDataAdapter1.DeleteCommand = this.sqlDeleteCommand1;
>    this.sqlDataAdapter1.InsertCommand = this.sqlInsertCommand1;
>    this.sqlDataAdapter1.SelectCommand = this.sqlSelectCommand1;
>    this.sqlDataAdapter1.TableMappings.AddRange(new System.Data.Common.DataTableMapping[] {
>        new System.Data.Common.DataTableMapping("Table", "clients", new System.Data.Common.DataColumnMapping[] {
>            new System.Data.Common.DataColumnMapping("ClientID", "ClientID"),
>            new System.Data.Common.DataColumnMapping("ClientName", "ClientName")})});
>    this.sqlDataAdapter1.UpdateCommand = this.sqlUpdateCommand1;
>    //
>    // sqlSelectCommand1
>    //
>    this.sqlSelectCommand1.CommandText = "SELECT ClientID, ClientName FROM clients";
>    this.sqlSelectCommand1.Connection = this.sqlConnection1;
>    //
>    // sqlInsertCommand1
>    //
>    this.sqlInsertCommand1.CommandText = "INSERT INTO clients(ClientName) VALUES (@ClientName); " +
>        "SELECT ClientID, ClientName FROM clients WHERE (ClientID = @@IDENTITY)";
>    this.sqlInsertCommand1.Connection = this.sqlConnection1;
>    this.sqlInsertCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName"));
>    //
>    // sqlUpdateCommand1
>    //
>    this.sqlUpdateCommand1.CommandText = "UPDATE clients SET ClientName = @ClientName " +
>        "WHERE (ClientID = @Original_ClientID) AND (ClientName = @Original_ClientName OR " +
>        "@Original_ClientName IS NULL AND ClientName IS NULL); " +
>        "SELECT ClientID, ClientName FROM clients WHERE (ClientID = @ClientID)";
>    this.sqlUpdateCommand1.Connection = this.sqlConnection1;
>    this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientName", System.Data.SqlDbType.VarChar, 200, "ClientName"));
>    this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null));
>    this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null));
>    this.sqlUpdateCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@ClientID", System.Data.SqlDbType.Int, 4, "ClientID"));
>    //
>    // sqlDeleteCommand1
>    //
>    this.sqlDeleteCommand1.CommandText = "DELETE FROM clients WHERE (ClientID = @Original_ClientID) " +
>        "AND (ClientName = @Original_ClientName OR @Original_ClientName IS NULL AND ClientName IS NULL)";
>    this.sqlDeleteCommand1.Connection = this.sqlConnection1;
>    this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientID", System.Data.SqlDbType.Int, 4, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientID", System.Data.DataRowVersion.Original, null));
>    this.sqlDeleteCommand1.Parameters.Add(new System.Data.SqlClient.SqlParameter("@Original_ClientName", System.Data.SqlDbType.VarChar, 200, System.Data.ParameterDirection.Input, false, ((System.Byte)(0)), ((System.Byte)(0)), "ClientName", System.Data.DataRowVersion.Original, null));
>    //
>    // sqlConnection1
>    //
>    this.sqlConnection1.ConnectionString = "workstation id=zzzzzzz;packet size=4096;user id=zzzzz;data source=zzzzzzzzzzzzz;" +
>        "persist security info=False;initial catalog=zzzzzzzzzzzz";
>}
>
>If I change the table structure, I have to modify the above component every time. I understand that I should have the structure done, but what do we do when we want to add new fields 5 years from now?
>
>Is there a better way?
>
>This info is all contained in the business object inside a separate project (as suggested by MM - I think this is a great idea by the way!)
>
>
>TIA
-----------------------------------------

Cathi Gero, CPA
Prenia Software & Consulting Services
Microsoft C# / .NET MVP
Mere Mortals for .NET MVP
cgero@prenia.com
www.prenia.com
Weblog: blogs.prenia.com/cathi
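As an added illustration of the partial-class split Cathi describes (this is example code, not Shawn's, Cathi's or the Mere Mortals framework's), the adapter commands from the quoted InitializeComponent and the concatenated lookup from the MM help text are rewritten so every value travels as a SqlParameter; the file names, the ClientData class, GetClientsByName, SaveChanges and the connectionString field are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// ClientData.Designer.cs (assumed file name): the generated half of the class.
// A tool can rewrite this whole file when the 'clients' table changes, because
// it holds nothing but the adapter commands and their typed parameters.
public partial class ClientData
{
    private SqlConnection connection;
    private SqlDataAdapter adapter;
    private void InitializeCommands()
    {
        connection = new SqlConnection(connectionString);
        adapter = new SqlDataAdapter();
        adapter.SelectCommand = new SqlCommand(
            "SELECT ClientID, ClientName FROM clients", connection);

        // Values travel as parameters; the SQL text itself never changes at run time.
        SqlCommand insert = new SqlCommand(
            "INSERT INTO clients (ClientName) VALUES (@ClientName)", connection);
        insert.Parameters.Add("@ClientName", SqlDbType.VarChar, 200, "ClientName");
        adapter.InsertCommand = insert;
    }
}

// ClientData.cs (assumed file name): the hand-written half, untouched by regeneration.
public partial class ClientData
{
    private readonly string connectionString;

    public ClientData(string connectionString)
    {
        this.connectionString = connectionString;
        InitializeCommands();
    }

    // Pushes edited rows back through the parameterized adapter commands.
    public int SaveChanges(DataTable clients) { return adapter.Update(clients); }

    // Safe counterpart of the concatenated lookup in the quoted help text: the
    // search value is bound to @ClientName, so a quote or "--" inside it stays data.
    public DataTable GetClientsByName(string clientName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT ClientID, ClientName FROM clients WHERE ClientName = @ClientName",
            connection);
        cmd.Parameters.Add("@ClientName", SqlDbType.VarChar, 200).Value = clientName;
        DataTable table = new DataTable("clients");
        new SqlDataAdapter(cmd).Fill(table); // Fill opens and closes the connection
        return table;
    }
}
```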