I'm a beginner in ASP.NET so I have some questions about how to prevent SQL injection in ASP.NET. My programming language is VB.NET, not C#, and I'm using Microsoft Access as my database.
My questions are:
How to protect my database from SQL injection?
I have been reading postings from other forums and they said using
parameters with stored procedures, parameters with dynamic SQL. Can they be implemented in a Microsoft Access database?
Here is a very simple ASP.NET example using a parameterized query via OleDb in VB.NET:
Default.aspx
<%# Page Title="Home Page" Language="vb" MasterPageFile="~/Site.Master" AutoEventWireup="false"
CodeBehind="Default.aspx.vb" Inherits="vbOleDbSite._Default" %>
<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<p>
First Name: <asp:TextBox ID="FirstName" runat="server"></asp:TextBox><br />
Last Name: <asp:TextBox ID="LastName" runat="server"></asp:TextBox><br />
<br />
<asp:Button ID="btnAddUser" runat="server" Text="Add User" />
<br />
Status: <span id="spanStatus" runat="server">Awaiting submission...</span>
</p>
</asp:Content>
Default.aspx.vb
Public Class _Default
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
End Sub
Protected Sub btnAddUser_Click(sender As Object, e As EventArgs) Handles btnAddUser.Click
Dim newID As Long = 0
Using con As New OleDb.OleDbConnection
con.ConnectionString = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\__tmp\testData.accdb;"
con.Open()
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "INSERT INTO UsersTable (LastName, FirstName) VALUES (?, ?);"
cmd.Parameters.AddWithValue("?", Me.LastName.Text)
cmd.Parameters.AddWithValue("?", Me.FirstName.Text)
cmd.ExecuteNonQuery()
End Using
Using cmd As New OleDb.OleDbCommand
cmd.Connection = con
cmd.CommandText = "SELECT ##IDENTITY"
newID = cmd.ExecuteScalar()
End Using
con.Close()
End Using
Me.spanStatus.InnerText = "User """ & Me.FirstName.Text & " " & Me.LastName.Text & _
""" has been added (ID: " & newID.ToString() & ")."
End Sub
End Class
Notes:
The parameterized query uses "?" instead of "real" names for the parameters because Access OLEDB ignores parameter names. The parameters must be defined in the exact order that they appear in the OleDbCommand.CommandText.
The [UsersTable] table has an AutoNumber primary key, and SELECT ##IDENTITY retrieves the new key value created by the INSERT INTO statement.
Related
I have a website and when a user logs in they can see their own information (username and a grid containing information about their medicines). This did load but now since I have moved it only loads the logged in user's username and does not display the grid that held their medicine information.I moved my project file from my laptop on to my college computer and ensured to change the location of where I was loading the data from :
Previously
"Data Source=(LocalDB)\v11.0;AttachDbFilename=C:\Users\Laura\Final_proj\App_Data\surgerydb.mdf;Integrated Security=True;Connect Timeout=30"
Now:
"Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\surgerydb.mdf;Integrated Security=True;Connect Timeout=30"
This should work as the login uses the same data directory source and logs the user in. They are then redirected to the user.aspx page but now the grid does not display
user.aspx page (the query doesnt seem to be even running on this:
Imports System.Data.SqlClient
Imports System.Data
Partial Class Pages_user
Inherits System.Web.UI.Page
Sub Page_Load(ByVal Sender As System.Object, ByVal e As System.EventArgs)
If Not IsPostBack Then
Dim conn As New System.Data.SqlClient.SqlConnection("Data Source=(LocalDB)\v11.0;AttachDbFilename=|DataDirectory|\surgerydb.mdf;Integrated Security=True;Connect Timeout=30")
Dim cmdstring As String = "SELECT md.MedicineId, md.Name, md.Purpose, md.Instrcutions, DoctorId " +
"FROM Patient pt INNER JOIN prescription pr ON pt.PatientId = pr.PatientId " +
"INNER JOIN medicine md ON md.MedicineId = pr.MedicineId Where pt.PatientId = #PatientId"
Dim dt As New System.Data.DataTable()
Dim da As New System.Data.SqlClient.SqlDataAdapter(cmdstring, conn)
da.SelectCommand.Parameters.Add("#PatientId", System.Data.SqlDbType.Int).Value = CInt(Session("PatientId").ToString())
conn.Open()
da.Fill(dt)
conn.Close()
GridView1.DataSource = dt
GridView1.DataBind()
End If
End Sub
Protected Sub GridView1_RowCommand(sender As Object, e As GridViewCommandEventArgs)
If e.CommandName = "UpdateMedicine" Then
Dim medecineID As Integer = Integer.Parse(e.CommandArgument.ToString())
End If
End Sub
The grid:
<asp:Content ID="Content3" ContentPlaceHolderID="contentbody" runat="Server">
<p>
Please Select Your Medication
</p>
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="false" OnRowCommand="GridView1_RowCommand" >
<Columns>
<asp:TemplateField>
<ItemTemplate>
<asp:LinkButton runat="server" Text="Select" CommandName="UpdateMedicine" CommandArgument='<%# Eval("MedicineId") %>' />
</ItemTemplate>
</asp:TemplateField>
<asp:BoundField DataField="Name" HeaderText="Name" />
<asp:BoundField DataField="Purpose" HeaderText="Purpose" />
<asp:BoundField DataField="Instrcutions" HeaderText="Instructions" />
</Columns>
</asp:GridView>
</asp:Content>
What it looked like previously:
Hopefully someone can help
kind regards
After discussion, it turns out that Page_Load was not called, since AutoEventWireup was turned off and the event handler was not specified in code-behind. Either one of these two changes should work:
The event to handle can be specified in code-behind:
Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
or AutoEventWireup can be turned on in the markup file:
<%# Page AutoEventWireup="true" ... %>
In an ASP.NET WebForms application there are just two controls in an aspx page, a DropDownList and a GridView. There is no default selected value of DropDownList on Page_Load. Changing the selection in DropDownList populates GridView accurately.
When the page is requested with a URL parameter such as .../View_Details.aspx?C_ID=123, the selected value in DropDownList changes but GridView does not populate for the first time but refreshing the page shows the records for given URL parameter.
ASPX markup:
<%# Page Title="Data" Language="vb" AutoEventWireup="false" MasterPageFile="~/HomePage.Master" CodeBehind="View_Details.aspx.vb" Inherits="App1.View_Details" %>
<asp:Content ID="Content4" ContentPlaceHolderID="BodyCP" runat="server">
<asp:DropDownList ID="CIDCombo" runat="server" DataSourceID="SqlDSCID" DataTextField="CName" DataValueField="CID" AutoPostBack="true"></asp:DropDownList>
<asp:SqlDataSource ID="SqlDSCID" runat="server" ... ></asp:SqlDataSource>
<asp:GridView ID="gvData" runat="server" AutoGenerateColumns="false">
<Columns>
<asp:BoundField DataField="Fld1" />
<asp:BoundField DataField="Fld2" />
...
</Columns>
</asp:GridView>
</asp:Content>
Code Behind:
Private C_ID As Long
Dim con As SqlConnection = New SqlConnection(ConfigurationManager.Connect...)
Dim cmd As New SqlCommand()
Dim stSqlQry As String = ""
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
C_ID = CLng(Request.QueryString("C_ID"))
If IsPostBack Then
Else
If C_ID > 0 Then
CIDCombo.SelectedValue = C_ID.ToString
LoadGVData(C_ID)
End If
End If
End Sub
Private Sub CIDCombo_SelectedIndexChanged(sender As Object, e As System.EventArgs) Handles CIDCombo.SelectedIndexChanged
If CIDCombo.SelectedIndex >= 0 AndAlso CLng(CIDCombo.SelectedValue) > 0 Then
LoadGVData(CLng(CIDCombo.SelectedValue))
End If
End Sub
Private Sub LoadGVData(ByVal lnCID As Long)
Try
If con.State <> ConnectionState.Open Then con.Open()
Dim da As SqlDataAdapter = New SqlDataAdapter()
stSqlQry = "SELECT Fld1, Fld2 ... WHERE CID = #CID"
da = New SqlDataAdapter()
cmd = New SqlCommand(stSqlQry, con)
cmd.Parameters.AddWithValue("#CID", lnCID)
Dim dtDataTableInc As DataTable = New DataTable("t_Data")
da.SelectCommand = cmd
da.Fill(dtDataTableInc)
'SOME DATA MANIPULATION WITH DATATABLE'
'****************************************************************************'
'DEBUG MODE SHOWS DataTable HAS ROWS BUT DON'T SHOW UP FIRST TIME IN GRIDVIEW'
'****************************************************************************'
gvData.DataSource = dtDataTableInc
gvData.DataBind()
Catch ex As Exception
'EXCEPTION HANDLING
Finally
If con.State <> ConnectionState.Closed Then con.Close()
End Try
End Sub
I see you have AutoEventWireup="false" put it on true.
Just a general note:
When working with DropDownLists and using AutoPostBack=True
make use of an UpdatePanel since the User gets frustrated when he always see a white page flickering :)
if you use an UpdatePanel you use the Onload event to populate your data
and put UpdateMode=Conditional
Good luck and happy coding.
i hope you can help with my issue. I'm trying to fill out a form from my database using a datatable. All seems to work fine but i get no data returned. Can anyone explain why? I've looked at the debug and there seems to be no errors and nothing looks like its failed. Here's my code behind (vb.net)
Imports System.Data
Imports System.Data.SqlClient
Imports System.Net.Mail
Partial Class _Default
Inherits System.Web.UI.Page
Private Sub getData(ByVal user As String)
Dim dt As New DataTable()
Dim constr As String = ConfigurationManager.ConnectionStrings("conn").ConnectionString
Dim connection As New SqlConnection(constr)
connection.Open()
Dim sqlCmd As New SqlCommand("SELECT * from tblContent WHERE CID = #ID", connection)
Dim sqlDa As New SqlDataAdapter(sqlCmd)
sqlCmd.Parameters.AddWithValue("#ID", Request.QueryString("ID"))
sqlDa.Fill(dt)
If dt.Rows.Count > 0 Then
ID.Text = dt.Rows(0)("CID").ToString
TextBox2.Text = dt.Rows(0)("Heading").ToString
TextBox1.Text = dt.Rows(0)("ContText").ToString
Label2.Text = dt.Rows(0)("Location").ToString
End If
connection.Close()
End Sub
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs)
If Not Page.IsPostBack Then
getData(Me.User.Identity.Name)
End If
End Sub
Presentation layer:
<h2><asp:Label ID="Label2" runat="server" Text=""></asp:Label></h2>
<asp:TextBox ID="ID" runat="server" Visible="false"> </asp:TextBox><br />
<asp:Label ID="Label3" runat="server" Text="Heading" CssClass="label"></asp:Label>
<asp:TextBox ID="TextBox2" TextMode="SingleLine" Text="" runat="server"></asp:TextBox><br />
<asp:Label ID="Label1" runat="server" Text="Content" CssClass="label"></asp:Label><br />
<asp:TextBox ID="TextBox1" TextMode="MultiLine" runat="server"></asp:TextBox>
I'm passing through the ID from another page via the query string (ID=5 as an example). There is data in my database and all labels/textboxes have the right IDs etc. I just can see what's wrong?
Thanks!
You could try to pass the correct type instead of string:
Using sqlDa As New SqlDataAdapter(sqlCmd)
Dim idParam = new SqlParameter("#ID", SqlDbType.Int)
Dim id As Int32
If Not Int32.TryParse(Request.QueryString("ID"), id) Then Throw New Exception("Not a valid ID-parameter!")
idParam.Value = id
sqlDa.SelectCommand.Parameters.Add(idParam)
sqlDa.Fill(dt)
End Using
By the way, also use the Using-statement for the connection. As an aside, you don't need to open/close the connection with SqlDataAdapter.Fill(table) since that is done automatically.
I have found this code and I slightly re-writte it. I want that when I select order value from dropdown list, is showing customer in text below.
I have to say, that I have very little VB programming experience, so I'm stuck here.
Code:
<%# Page Language="VB" Debug="True" Strict="True" %>
<%# Import Namespace="System.Data.Odbc" %>
<%# Import Namespace="System.Data" %>
<%# import Namespace="System.Data.SqlClient" %>
<font face="calibri">
<script runat="server">
Dim connStr As String = "server=MSSQLEXP;database=ppwin1;Uid=sa_ro;pwd=sa_ro"
Sub Userlist_Init(ByVal Sender As Object, ByVal E As EventArgs)
Dim conn As New SqlConnection(connStr)
conn.Open()
Dim sql_user As String
Dim cmd_user As Sqlcommand
sql_User = "SELECT DISTINCT order, customer FROM dbo.T_CUSTOMER ORDER BY order ASC"
cmd_user = New Sqlcommand (sql_user, conn)
finduser.Datasource=cmd_user.ExecuteReader()
finduser.datatextfield = "customer"
finduser.databind()
conn.Close()
End Sub
Sub Finduser_SelectedIndexChanged(ByVal sender As Object, ByVal e As EventArgs)
txtuser.text = finduser.selecteditem.text
End sub
</script>
<html><head><title>Dropdown list from MS SQL DB</title></head>
<body><h1>Dropdown list from MS SQL DB</h1>
<br>
<form runat="server">
<asp:DropDownList ID="finduser" runat="server" AutoPostBack = "true" OnSelectedIndexChanged="Finduser_SelectedIndexChanged" OnInit="userlist_Init">
</asp:DropDownList>
<asp:Label id="txtuser" runat="server" />
</form>
</body>
</html>
Rok
Instead of this
finduser.Datasource = cmd_user.ExecuteReader()
finduser.datatextfield = "customer"
finduser.databind()
Did you tried this?
Dim dr As SqlClient.SqlDataReader = cmd_user.ExecuteReader
finduser.Items.Clear()
While dr.Read()
finduser.Items.Add(new ListItem(dr("customer"),dr("order"))
End While
OR
Dim dr As SqlClient.SqlDataReader
dr = cmd_user.ExecuteReader
Dim myData as New DataTable
If dr.HasRows Then
myData.Load(dr)
End If
ddldept.datasource = myData
ddldept.DataTextField = "customer"
ddldept.DataValueField = "order"
ddldept.DataBind()
I'm following the tutorial here to try to implement cascading drop down lists using the AJAX toolkit in VS2012, however, I am using MySQL as my database instead. I created a webservice (as the tutorial describes - seen below),
<WebMethod()>
Public Function GetComplex(ByVal knownCategoryValues As String, ByVal category As String) As CascadingDropDownNameValue()
Dim conn As New MySqlConnection("Server=localhost; database=lockout; User ID=root; Pwd=123let?")
conn.Open()
Dim comm As New MySqlCommand("SELECT complex_id, complex_name FROM complex ORDER BY complex_name", conn)
Dim dr As MySqlDataReader = comm.ExecuteReader()
Dim l As New List(Of CascadingDropDownNameValue)
While (dr.Read())
l.Add(New CascadingDropDownNameValue(dr("complex_name").ToString(), dr("complex_id").ToString()))
End While
conn.Close()
Return l.ToArray()
End Function
and I am able to connect to my database and invoke my function. Invoking the function returns the following in my web browser:
<ArrayOfCascadingDropDownNameValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://tempuri.org/">
<CascadingDropDownNameValue>
<name>14 Line</name>
<value>1</value>
<isDefaultValue>false</isDefaultValue>
</CascadingDropDownNameValue>
<CascadingDropDownNameValue>
<name>16 Line</name>
<value>2</value>
<isDefaultValue>false</isDefaultValue>
</CascadingDropDownNameValue>
<CascadingDropDownNameValue>
<name>Converting</name>
<value>3</value>
<isDefaultValue>false</isDefaultValue>
</CascadingDropDownNameValue>
<CascadingDropDownNameValue>
<name>F&E</name>
<value>4</value>
<isDefaultValue>false</isDefaultValue>
</CascadingDropDownNameValue>
<CascadingDropDownNameValue>
<name>Water Quality</name>
<value>5</value>
<isDefaultValue>false</isDefaultValue>
</CascadingDropDownNameValue>
</ArrayOfCascadingDropDownNameValue>
I can see that I am generating the necessary array, but for some reason, the array does not appear in my drop down list and I'm not sure why. It looks as though I have covered everything in the tutorial, but I just can't seem to get it to work. Shown below is my .aspx file.
<%# Page Title="LockoutNew" Language="VB" MasterPageFile="~/Site.Master" AutoEventWireup="true" CodeBehind="LockoutNew.aspx.vb" Inherits="Lockout.LockoutNew" %>
<%# Register assembly="AjaxControlToolkit" namespace="AjaxControlToolkit" tagprefix="ajaxToolkit" %>
<asp:Content runat="server" ID="BodyContent" ContentPlaceHolderID="MainContent">
<div>
Complex: <asp:DropDownList ID="ComplexList" runat="server" /><br />
<!-- Machine: <asp:DropDownList ID="MachineList" runat="server" /><br /> -->
</div>
<ajaxToolkit:CascadingDropDown ID="ccd1" runat="server"
ServicePath="lockoutService.asmx" ServiceMethod="GetComplex"
TargetControlID="ComplexList" Category="Complex"
PromptText="Select Complex" />
<!-- <ajaxToolkit:CascadingDropDown ID="ccd2" runat="server"
ServicePath="lockoutService.asmx.vb" ServiceMethod="GetMachine"
TargetControlID="MachineList" ParentControlID="ComplexList"
Category="Machine"
PromptText="Select Machine" /> -->
</asp:Content>
Any help is greatly appreciated...
I had the same exact issue.
The thing is that when building cascading logic u need to know that the first element is different from the rest.
The first in the chain element does not have any parameters to pass to the method !
Thus your method for the first drop down list must contain no parameters :
Public Function GetComplex() As CascadingDropDownNameValue()
Dim conn As New MySqlConnection("Server=localhost; database=lockout; User ID=root; Pwd=123let?")
conn.Open()
Dim comm As New MySqlCommand("SELECT complex_id, complex_name FROM complex ORDER BY complex_name", conn)
Dim dr As MySqlDataReader = comm.ExecuteReader()
Dim l As New List(Of CascadingDropDownNameValue)
While (dr.Read())
l.Add(New CascadingDropDownNameValue(dr("complex_name").ToString(), dr("complex_id").ToString()))
End While
conn.Close()
Return l.ToArray()
End Function