Hannes Preishuber - All Comments

re: double qoute against sql injection?

Bob — Fri, 20 Jan 2012 17:44:28 GMT

Using parameterized stored procedures work great, except with db's like MS SQL which allow "stacked" commands. Consider this stored procedure call string, that calls a nice tidy parameterized stored procedure called sp_Login:

"sp_Login '" & username & "', '" & password & "'"

Then consider the hacker who enters the following as the username in the login form...

'; some sql command --

The stored procedure call suddenly becomes...

sp_Login ''; some sql command --, ''

... and since MS SQL can run multiple commands separated by a semi-colon, the hacker is successful in running whatever he pleases on your server, since while the stored procedure fails, his injected command won't. In other words, he doesn't care about the stored procedure at all, if it fails his code still runs (and everything after the -- is ignored). :(

The fix therefore is to do a replace procedure on the user input from querystrings or forms, e.g. replace ' with '' (single apostrophe with double apostrophe). By doing so, the hack attempt creates this sql call string...

sp_Login '''; some sql command --, ''

Which causes an error with the three apostrophes in a row. Legitimate data is not affected, since a double apostrophe is an "escape" for a single apostrophe in SQL.

re: ASP.NET have left the track?

testking — Mon, 21 Nov 2011 06:38:59 GMT

This can be solved by Extremum Energising Communicate Levels 0. CSS adapters snub this scene so that you can use.

Vs2005 dataformatstring | Finappx

Vs2005 dataformatstring | Finappx — Fri, 28 Oct 2011 05:32:42 GMT

Pingback from Vs2005 dataformatstring | Finappx

CLIENT ACCESS PORT | Quality Products Blog

CLIENT ACCESS PORT | Quality Products Blog — Mon, 24 Oct 2011 20:54:42 GMT

Pingback from CLIENT ACCESS PORT | Quality Products Blog

re: Visendo SMTP (pop3) Extender for Windows 2008 Server

dumicodin — Thu, 29 Sep 2011 12:04:17 GMT

Hi Joseph,

try to update the smtp extender using the integrated updater, and check following post about more infos :

forum.visendo.com/default.aspx

re: Silverlight Multiselect Listbox

Adhi — Tue, 27 Sep 2011 03:27:01 GMT

Hi,

How can i Select All / Unselect all items in the checked list box when i click the buttons.

re: Rownumber in Silverlight Datagrid or Listbox

Xmas Cards Text — Mon, 26 Sep 2011 10:18:05 GMT

I want this blog to my favorites! I'll read this site from time to time!

re: Visendo SMTP (pop3) Extender for Windows 2008 Server

Joseph — Thu, 22 Sep 2011 07:29:26 GMT

Iam getting the below error when starting the service

The service did not respond to start or control request in a timely fashion

re: Change cell color in gridview depending the inner value

Shevantha — Fri, 16 Sep 2011 06:07:28 GMT

Good post..

You can do it in client side and reduce the weight on server

its too easy with JavaScript. I found this in a blog site

howsharepoint.blogspot.com/.../javascript-to-color-gridview-cells.html

re: Back on new Blog Software CS

mgmkjo — Thu, 25 Aug 2011 09:59:16 GMT

q7sqI7 <a href="bmqcaqtkdlld.com/.../a>