|
|
Not another one. Please please please! Will people please learn about SQL Injection Attacks!
If you see someone asking a question like this again the best course is to guide them towards parameterised queries as it helps prevent SQL Injection Attacks. Any answer that still involved injecting data in to a SQL String is potentially dangerous.
Please read SQL Injection Attacks and Tips on How to Prevent Them[^]
|
|
|
|
|
Yes, you don't want an angry Scot after you! 
__________________
Bob is my homeboy.
|
|
|
|
|
"If it's not Scottish - It's CR****P!"
|
|
|
|
|
Dave Kreskowiak wrote: "If it's not Scottish - It's CR****P!"
Gaun yersel there, Big Yin.
|
|
|
|
|
Colin Angus Mackay wrote: Gaun yersel there, Big Yin.
It took me a minute to figure that one out!  Thank you!
|
|
|
|
|
Colin Angus Mackay wrote: Please please please! Will people please learn about SQL Injection Attacks!
 No kidding...
|
|
|
|
|
I think that you should read what you are linking to yourself. 
If the values are encoded correctly, there is no problem with concatenating string to create an SQL query. It's only if you do it wrong that the code is subject to SQL injections.
Doing it right is not trivial, though, and the methods presented in this thread is for example not at all suitable if you are using an MySQL database. To encode a string for MySQL you would instead replace "\" with "\\", then replace "'" with "\'".
So, using parameterised queries is good advice.  It's not, however, the only way to protect the code against SQL injections.
---
single minded; short sighted; long gone;
|
|
|
|
|
Hi,
I don't know if could exist other problems, but I've resolved the problem doubling the apostrophes:
str="INSERT INTO Table1 VALUES(" & Replace(Var1,"'","''") & ")"
In this way, SQL injection by writing apostrophes is not possible (or it is anyway ?)
Peace!
|
|
|
|
|
But you are still injecting values into the SQL command. If you are injecting values in to the SQL command then attacks are possible. That's why it is called a SQL injection attack.
|
|
|
|
|
It isn't that hard to add in code to prevent the injection attacks, if I may add 
|
|
|
|
|
How to add an event to Runtime Controls(TextBox) in vb6
Iam using VB6. During Form_Load iam creating textbox dynamically.
I want to add a event for the textbox.
Please tell me...
Thanks & Regards
Kumaran
|
|
|
|
|
I guess you have to take help of API's for that , as VB6 don't have any such provision provided for Events
Thanks & Wishes
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
|
|
|
|
|
Is it possible to get the current user's windows logon password? I have an application which requires the user to logon, but would like to first try and logon with the same user name and password the user has as their windows logon, thus if they are the same, I will not need to ask the user for the logon name and password again.
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
|
|
|
|
Yes Of Course, You have to and if you have no proper right you can't proceed further .
Thanks & wishes
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
|
|
|
|
My question was, although I did not actually say so, is "How do I get the current user's windows logon password, in VB.NEt code?"
Sorry of not stating my requirement clearly.
Regard
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
|
|
|
|
ok, you mean you want your application to use windows login Authentication and proceed by using that username and password, Great Idea!, I will just try it out and will get back to you.
If I am mistaken please pardon.
Thanks & Regards
Navneet Hegde
Nashik
Develop2Program & Program2Develop
|
|
|
|
|
You can't get the password!!!! How did you ever expect the OS password to be accessible through API??? Microsoft's done some stupid things regarding security, but this is not one of em. The password's hashed anyway. Yeah, you have software that can attempt to crack it. But in a normal PC, a reasonably strong password would take a few days or months to be rebuilt using dictionary cracking, if at all it succeeds.
What you can do is get the current principal of the user and check if that login is within an Windows Role. Ex. if all your users are in the Role named "Administrators", you can get the thread.CurrentPrincipal and check if that Windows principal is in the role named "Administrators". If no, you can prompt for the user name and password again.
Look up the WindowsPrincipal and WindowsIdentity classes for more info.
SG
|
|
|
|
|
i_like_tintin wrote: How did you ever expect the OS password to be accessible through API???
I didn't expect to be able to, but thought I would ask the question, just in case.
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
|
|
|
|
Hi,
I am now providing the code written for you in VB6. I will rewrite it in VB.NET and get back to you when I am free. I didn't find any API to retrieve password or hashed password. So, for username try this. I am providing you two ways. you can use anyone.
'Declare the API functions to access username.<br />
Private Declare Function GetUserName Lib "advapi32.dll" Alias "GetUserNameA" (ByVal lpBuffer As String, nSize As Long) As Long<br />
Private Declare Function GetEnvironmentVariable Lib "kernel32" Alias "GetEnvironmentVariableA" (ByVal lpName As String, ByVal lpBuffer As String, ByVal nSize As Long) As Long<br />
<br />
Dim kName As String * 255 ' For storing username with 255 char buffer.<br />
Dim kEnvVar As String * 255<br />
<br />
Private Sub Command1_Click()<br />
Call GetUserName(kName, 255) ' First method of direct accessing username using API<br />
MsgBox kName<br />
Call GetEnvironmentVariable("USERNAME", kEnvVar, 255) '2nd method which uses windows environment variable to access the username<br />
MsgBox kEnvVar<br />
End Sub
'-----------
' I hope this helps.
' Thanks, Kiran Kumar
|
|
|
|
|
Please use this simple code to retrieve username in vb.net
Public Class Form1<br />
Private Sub Button1_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button1.Click<br />
MessageBox.Show(Environ("USERNAME"))<br />
End Sub<br />
End Class
May I know for what purpose you are using the code to retrieve the windows password? so that I can guide you in another logic.
Thanks,
Kiran Kumar
|
|
|
|
|
Hi Kiran,
I already know how to get the user name, but thanks for spending the time on it. It is appreciated.
To get a user name the .NET way, use :-
UserName = System.Environment.UserName
The reason I was after the windows password, is so that I could then test the logon to the program I as writing, to see if the logon name and password are the same as the windows logon and if so logon to my program without asking the user for logon details again.
It is not necessary, but would have been nice.
Thanks for your time
Steve Jowett
-------------------------
Sometimes a man who deserves to be looked down upon because he is a fool, is only despised only because he is an 'I.T. Consultant'
|
|
|
|
|
Hi all, can i create vpn using vb .net ?how to do , or any suggestion.thank's
|
|
|
|
|
Iam using FlexGrid in VB6.
I need the ScrollBars Always Visible for Flexgrid.
Thanks & Regards
Kumaran
|
|
|
|
General 
News 
Suggestion 
Question 
Bug 
Answer 
Joke 
Praise 
Rant 
Admin 
Submit an article or tip
