Hi,
Please help me to solve my problem.

1. In the form we have a text box and a button to search inside the grid.
2. I called the grid during page load and also in the button event.
3. In the text box, if I specify <insert> and fire the button event,
I get an error message like "A potentially dangerous request for value was detected from the client......"

To rectify this problem:

1st Method

<%@ Page ValidateRequest="false" ... %>
Even then I am getting the same problem.


2nd Method

I used the Regular Expression Validator.

With the Regular Expression Validator I solved this problem.

Is there any other method to solve the SQL injection errors?

Please help me to solve this problem.

Thanks

Sheethal

1 solution

Use parameters to pass the values, and also stored procedures; then SQL injection cannot affect you.
 
Comments
smsheethal 4-May-12 8:00am
I used parameter functions.

My code is like this:
cmd.Parameters.Add(new SqlParameter("@search", "%" + search + "%"));

If I do not use the validator, it will not allow going inside.

For testing, please use this syntax to see the exact problem:

<insert>
Anil Honey 206 4-May-12 8:18am
cmd.Parameters.Add(new SqlParameter("@search", "%" + search + "%"));

This line is wrong; you have not set the properties, that's why SQL injection will affect it. First set the property for that search, then it will work fine.
Anil Honey 206 4-May-12 8:22am    
Begin

select * from SchoolDetailsInfo where strSchoolName LIKE '%' + @SchoolName + '%'

End

Use this in the stored procedure.
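
An added example, not part of the original thread: the LIKE search from the comments above, written in C# with a parameter whose type and size are set explicitly and with LIKE wildcards in the user's text escaped so they match literally. The class and method names, the NVarChar(100) column type and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class SchoolSearch
{
    // Escape LIKE metacharacters so the user's text is matched literally.
    // '[' is replaced first because it is also used as the escape wrapper.
    public static string EscapeLike(string term)
    {
        return term.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // connectionString is supplied by the caller (assumption: SQL Server).
    public static DataTable Search(string connectionString, string search)
    {
        // The wildcards live in the SQL text; the user value is only a parameter.
        const string sql =
            "SELECT * FROM SchoolDetailsInfo " +
            "WHERE strSchoolName LIKE '%' + @SchoolName + '%'";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, sized parameter: the value travels as data, never as SQL text.
            // NVarChar(100) is an assumed type and length; longer input is truncated.
            cmd.Parameters.Add("@SchoolName", SqlDbType.NVarChar, 100).Value =
                EscapeLike(search ?? string.Empty);

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(cmd))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself
            }
            return table;
        }
    }
}
```

The "A potentially dangerous request..." error in the question is raised by ASP.NET request validation before any database code runs, so it is a separate matter from how the query is built.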

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


