ASP.NET Website display wrong data - asp.net

I built a web application using ASP.NET, data stored at SQL Server 2008.
The application is running ok, but once a couple of day the application displays wrong data and i get error when i enter some pages. system return to normal work after 5 minutes by it self.
can someone give a clue what is the problem?
I'm getting error on lines which try to take data from retrieved DataTable:
like:
txtbx_contact_fullname.Text = dt_contact.Rows[0]["Contact_Fullname"].ToString();
or
lbl_Creation_datetime.Text = dt_YC_Last_Transaction.Rows[0]["Creation_datetime"].ToString();
usually these lines works perfect, and there is no reason that the datatable will return empty.
the error i get is:
Column 'xxxxx' does not belong to table.
The Query that retrieve the data is:
SELECT [Request ID],[Creation Date],[Request Status],[Contact Fullname],[Start Date],[Start Time],[End Date],[End Time],[Work Mode],[Comments],[HPM Points],[FA Points]
FROM dbo.vw_All_Requests
WHERE [Request Status] = #YellowCard_Status
ORDER BY [Creation Date] DESC
From some reason some columns do not get back..

txtbx_contact_fullname.Text = dt_contact.Rows[0]["Contact Fullname"].ToString();
lbl_Creation_datetime.Text = dt_YC_Last_Transaction.Rows[0]["Creation datetime"].ToString();

you column name in asp.net code has _ for example full_name but in sql query it does not have _, i don't know you've assigned names to your datatable or not but give attention to this issue ...

if you code is correct. you are calling Creation_datetime from .NET code, but in SQL you have no such column, what you do have is a Creation date only (from your SELECT query).
so, to fix your problem, all you need to do is change
dt_YC_Last_Transaction.Rows[0]["Creation_datetime"]
to
dt_YC_Last_Transaction.Rows[0]["Creation_date"]
after the issue is fixed, you should learn a better way to query the database using explicit names, for example, using objects instead calling the string value... You should learn a bit of Entity Framework and Linq, it will improve your code a lot.

Related

Error with SQLite query, What am I missing?

I've been attempting to increase my knowledge and trying out some challenges. I've been going at this for a solid two weeks now finished most of the challenge but this one part remains. The error is shown below, what am i not understanding?
Error in sqlite query: update users set last_browser= 'mozilla' + select sql from sqlite_master'', last_time= '13-04-2019' where id = '14'
edited for clarity:
I'm trying a CTF challenge and I'm completely new to this kind of thing so I'm learning as I go. There is a login page with test credentials we can use for obtaining many of the flags. I have obtained most of the flags and this is the last one that remains.
After I login on the webapp with the provided test credentials, the following messages appear: this link
The question for the flag is "What value is hidden in the database table secret?"
So from the previous image, I have attempted to use sql injection to obtain value. This is done by using burp suite and attempting to inject through the user-agent.
I have gone through trying to use many variants of the injection attempt shown above. Im struggling to find out where I am going wrong, especially since the second single-quote is added automatically in the query. I've gone through the sqlite documentation and examples of sql injection, but I cannot sem to understand what I am doing wrong or how to get that to work.
A subquery such as select sql from sqlite_master should be enclosed in brackets.
So you'd want
update user set last_browser= 'mozilla' + (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
Although I don't think that will achieve what you want, which isn't clear. A simple test results in :-
You may want a concatenation of the strings, so instead of + use ||. e.g.
update user set last_browser= 'mozilla' || (select sql from sqlite_master''), last_time= '13-04-2019' where id = '14';
In which case you'd get something like :-
Thanks for everyone's input, I've worked this out.
The sql query was set up like this:
update users set last_browser= '$user-agent', last_time= '$current_date' where id = '$id_of_user'
edited user-agent with burp suite to be:
Mozilla', last_browser=(select sql from sqlite_master where type='table' limit 0,1), last_time='13-04-2019
Iterated with that found all tables and columns and flags. Rather time consuming but could not find a way to optimise.

Stored Procedure works fine from SQL Mgt Studio but throws Invalid Object name #AllActiveOrders from MVC app

I can run the 'guts' of my stored procedure as a giant query.. just fine from SQL Management Studio. Furthermore, I can even right click and 'execute' the stored procedure - .. y'know.. run it as a stored procedure - from SQL Management Studio.
When my ASP.NET MVC app goes to run this stored procedure, I get issues..
System.Data.SqlClient.SqlException: Invalid object name '#AllActiveOrders'.
Does the impersonation account that ASP.NET runs under need special permissions? That can't be it.. even when I run it locally from my Visual Studio (under my login account) I also get the temp table error message.
EDIT: Furthermore, it seems to work fine when called from one ASP.NET app (which is using a WCF service / ADO.NET to call the stored procedure) but does not work from a different ASP.NET app (which calls the stored proc directly using ADO.NET)
FURTHERMORE: The MVC app that doesn't crash, does pass in some parameters to the stored procedure, while the crashing app runs the Stored Proc with default parameters (doesn't pass any in). FWIW - when I run the stored procedure in SQL Mgt. Studio, it's with default parameters (and it doesn't crash).
If it's of any worth, I did have to fix a 'String or Binary data would be truncated' issue just prior to this situation. I went into this massive query and fixed the temptable definition (a different one) that I knew to be the problem (since I had just edited it a day or so ago). I was able to see the 'String/Binary truncation' issue in SQL Mgt. Studio / as well as resolve the issue in SQL Mgt Studio.. but, I'm really stumped as to why I cannot see the 'Invalid Object name' issue in SQL Mgt. Studio
Stored procedures and temp tables generally don't mix well with strongly typed implementations of database objects (ado, datasets, I'm sure there's others).
If you change your #temp table to a #variable table that should fix your issue.
(Apparently) this works in some cases:
IF 1=0 BEGIN
SET FMTONLY OFF
END
Although according to http://msdn.microsoft.com/en-us/library/ms173839.aspx, the functionality is considered deprecated.
An example on how to change from temp table to var table would be like:
create table #tempTable (id int, someVal varchar(50))
to:
declare #tempTable table (id int, someval varchar(50))
There are a few differences between temp and var tables you should consider:
What's the difference between a temp table and table variable in SQL Server?
When should I use a table variable vs temporary table in sql server?
Ok. Figured it out with the help of my colleague who did some better Google-fu than I had done prior..
First, we CAN indeed make SQL Management Studio puke on my stored procedure by adding the FMTONLY option:
SET FMTONLY ON;
EXEC [dbo].[My_MassiveStackOfSubQueriesToProduceADigestDataSet]
GO
Now, on to my two competing ASP.NET applications... why one of them worked and one of them didn't? Under the covers, both essentially used an ADO.NET System.Data.SqlClient.SqlDataAdapter to go get the data and each performed a .Fill(DataSet1)
However, the one that was crashing was trying to get the schema in advanced of the data, instead of just deriving the schema after the fact.. so, it was this line of code that was killing it:
da.FillSchema(DataSet1, SchemaType.Mapped)
If you're struggling with this same issue that I've had, you may have come across forums like this from MSDN which are all over the internets - which explain the details of what's going on quite adequately. It had just never occurred to me that when I called "FillSchema" that I was essentially tripping over this same issue.
Now I know!!!
Following on from bkwdesign's answer about finding the problem was due to ADO.NET DataAdapter.FillSchema using SET FMTONLY ON, I had a similar problem. This is how I dealt with it:
I found the simplest solution was to short-circuit the stored proc, returning a dummy recordset FillSchema could use. So at the top of the stored proc I added something like:
IF 1 = 0
BEGIN;
SELECT CAST(0 as INT) AS ID,
CAST(NULL AS VARCHAR(10)) AS SomTextCol,
...;
RETURN 0;
END;
The columns of the select statement are identical in name, data type and order to the schema of the recordset that will be returned from the stored proc when it executes normally.
The RETURN ensures that FillSchema doesn't look at the rest of the stored proc, and so avoids problems with temp tables.

XOJO delete a record from SQLite database

I am using Xojo 2013 Version 1. I am trying to delete a record from a SQLite database. But I am failing miserably. Instead of deleting the record, it duplicates it for some reason.
Here is the code that I use:
command = "DELETE * from names where ID = 10"
namesDB.SQLExecute(command)
I am dynamically generating command. but however I change it it always does the same. Same result with or without quotes.
Any ideas?
The very first thing I would do is check to see if there is an error being generated.
if namesDB.Error then
dim s as string = namesDB.errorMessage
msgbox s
return
end
It will tell you if there's a database error and what the error is. If there's no error then the problem lies elsewhere.
FWIW, always, always, always check the error bit after every db operation. Unlike other languages, Xojo does NOT generate/throw an exception if there's a database error so it's up to you to check it.
Try calling Commit().
I just made a sample SQLite database with a "names" table, and this code worked fine:
db.SQLExecute("Delete from names where ID=2")
db.Commit
I have done a lot of work with XOJO and SQLite, and they work well together. I have never seen a record duplicated erroneously as you report. That is very weird. If this doesn't help, post more of your code. For example, I assume your "command" variable is a String, but maybe it's a Variant, etc.
I think on SQLite you don't need the * between the DELETE and the FROM.

Get data from a Dataset by parameter in WHERE clause

I'm following a tutorial where they explain how to add a Dataset to your ASP.NET web application and how to add a parameter to a SQL query. But it's not really working for me the way they are doing it in the tutorial.
I've added a Dataset to my App_Code folder. In the dataset i made a connection to a database in SQL Server. Now i can get data from my database by giving the dataset a SQL query. In the tutorial they do something like this:
SELECT TOP 20 [ProductID]
,[Name]
,[ProductNumber]
,[MakeFlag]
,[FinishedGoodsFlag]
,[Color]
,[SafetyStockLevel]
FROM [Production].[Product]
WHERE (Color = :Color)
The point in this example is the :Color part. That is how they let it know where to add the parameter. But when i use this query in my Dataset it gives me a warning:
Error in WHERE clause near ':'. Unable to parse query text.
After that he is able to actually add a parameter to the Dataset through the Properties window and test preview his data. That doesn't work for me since it already starts to complain when i add my query.
What can i do to solve this problem?
Parameters in Sql-Server have a # in front:
WHERE (Color = #Color)
Configuring Parameters and Parameter Data Types

Getting out a single value from a sql database (asp.net)

I'm trying to get a single value from my table in a database. They are all given a unique id when stored. Here is the code I use to put the in:
With SqlDataSource1
.InsertParameters("page").DefaultValue = ViewState("TrueURL")
If My.User.IsAuthenticated Then
.InsertParameters("sender").DefaultValue = My.User.Name
Else
.InsertParameters("sender").DefaultValue = Request.UserHostAddress.ToString
End If
.InsertParameters("details").DefaultValue = PrepareText(TextBox2.Text)
.InsertParameters("date").DefaultValue = Now()
.Insert()
End With
That was so you could get an idea of what I was looking for, I'm not looking for sql statements, I don't know how to use them.
Just keep in mind, this is all vb.net/asp.net.
Thanks!
--EDIT--
I think I found something useful but I can't find how to use it. The Select function. It returns something and accepts parameters like the insert one I mentioned above... any ideas?
You cant extract it without first running an SQL query to extract it.
If you've got this far, read a little further in the MS help pages about how to run the select querys, this is where you would put your SQL statements.

Resources