You searched for the word(s): userid:847194
Matching Posts
Listbox Server Control, Dynamic Query, SQL Injection
Hello everyone, I have a noob question... I'm using a Listbox server control to build a dynamic query. Is this practice vulnerable to SQL Injection? I've read that it's possible that someone could save a web page to their local machine, alter the HTML and post data, doing damage with SQL Injections, but I wasn't sure if ASP.NET somehow was able to tell if the data was coming from a form on the server or from a user's machine.
Posted to SQL Server, SQL Server Express, and SqlDataSource Control (Forum) by yoyodesuyo on 10/12/2009
Re: Listbox Server Control, Dynamic Query, SQL Injection
Hi Naom, thanks for the reply. I’m using the Listbox server control to allow users to select more than one item. I use the following code:

    Dim ListCount As Integer
    Dim CycleSpot As Integer = 0
    If ListBox1.GetSelectedIndices().GetLength(0) = 0 Then
        myquery = myquery
    Else
        myquery = myquery & " AND ("
        ListCount = ListBox1.GetSelectedIndices().GetLength(0)
    End If
    For Each li As ListItem In ListBox1.Items
        If li.Selected = True Then
            myquery += "MyTable.Area = '" & li.Text & "'"
            CycleSpot =
Posted to SQL Server, SQL Server Express, and SqlDataSource Control (Forum) by yoyodesuyo on 10/12/2009
Re: Listbox Server Control, Dynamic Query, SQL Injection
So, doing that would make my query more secure? I (think I) understand that the stored procedure in that example splits the values, but I have no clue what to do next. Would I then use parameters with the stored procedure..? Do you know a good place to learn more about stored procedures from the ground up? Maybe even a book? Thanks!
Posted to SQL Server, SQL Server Express, and SqlDataSource Control (Forum) by yoyodesuyo on 10/12/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
[quote user="integrasol"] You need to sign your membership provider and add it to the GAC, before registering it. This is one way of doing it, http://support.microsoft.com/kb/815808 . Mind you, if you are using any other edition of VS 2008 than the Express edition, you should be able to create and use a new key file (.snk) from the property pages for your project. I believe the tab is called Signing. Once you have signed the assembly and copied it to the GAC, you need to retrieve the public
Posted to Security (Forum) by yoyodesuyo on 9/8/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
Thanks for your help, Carsten. I'll give that a try. I was also wondering... are these steps necessary anytime a custom membership provider is used, or does this have something to do with the way my webserver is set up?
Posted to Security (Forum) by yoyodesuyo on 9/7/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
While browsing through IIS, I noticed that when I click on .NET Users, I get a message that says: "This feature cannot be used because the default provider type could not be determined to check whether it is a trusted provider. You can use this feature only when the default provider is a trusted provider. If you are a server adminstrator, you can make a provider a trusted provider by adding the provider type to the trusted providers list in the Administration.config file. The provider has to
Posted to Security (Forum) by yoyodesuyo on 9/4/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
I think that's a step in the right direction. This time, I received an error message (I can't believe I'm happy to see an error message :P) The error message that I received is: Could not find stored procedure 'dbo.aspnet_CheckSchemaVersion'
Posted to Security (Forum) by yoyodesuyo on 9/4/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
Oops! I think I spoke too soon. http://forums.asp.net/p/1295705/2514811.aspx. I think I received the error because I changed the type to: "System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" The type should be "MyMembershipProvider", right? If so, I'm back to not getting an error message... but I'm still not able to log in.
Posted to Security (Forum) by yoyodesuyo on 9/4/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
Here's how I have my web.config file set up:

    <connectionStrings>
      <add name="MyConnectionString" connectionString="Server=MyServer;Database=mydb;User ID=myusers;Password=mypass" providerName="System.Data.SqlClient" />
    </connectionStrings>
    <authentication mode="Forms" />
    <membership defaultProvider="HbrMembershipProvider">
      <providers>
        <add name="MyMembershipProvider" type="MyMembershipProvider"
Posted to Security (Forum) by yoyodesuyo on 9/3/2009
Re: Custom Membership Provider - works with sqlexpress, but not with sql2000
When I check the webserver's application pool under Process Model, it says that NetworkService is the identity. I opened SQL Server Enterprise Manager and checked the Logins that are listed in Security and NetworkService isn't listed. (The user name and password of the connection string that I'm using are listed.) I tried adding NetworkService as a new login, but I'm probably not doing it right since it still doesn't work...
Posted to Security (Forum) by yoyodesuyo on 9/2/2009