Thread: Re: Novice - Not sure where to start with coding question

Re: Novice - Not sure where to start with coding question
Peter Bradley (United Kingdom)
2007-02-16 01:58:37
If I understand you correctly, and you are building an SQL query in this way, then all I can say is, "Don't do it". You are just begging for SQL injection attacks, for one thing.

My own opinion is that you need to sort out the security aspects before you sort out the UI: and before you do either, you need to sit down with your client and agree a Statement of Requirements. Good software cannot be written on-the-fly.

Sorry to be negative, but you've a lot to sort out here if you want to supply software that is anything like decent.


Peter


-----Original Message-----
From: DotNetDevelopment@googlegroups.com [mailto:DotNetDevelopment@googlegroups.com] On Behalf Of BookerT
Sent: 15 February 2007 19:31
To: DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services, .NET Remoting
Cc: acnq@yahoo.com
Subject: [DotNetDevelopment] Novice - Not sure where to start with coding question


I know what I want to do in layman's terms, but not sure where to get started to even learn what I want to do.

I have a text box in a Search screen, where users will input a last name. Once that last name is entered and the Search button is pressed, the last name is added to the Response URL, which then will take that last name, assign it to a variable, and eventually use it in the Query that is built against the Database where that account is located.

To complicate matters, my client now wants to be able to put multiple last names in the search box, and have that pass through as an "OR" Query, i.e. lastname Jones or Smith, in addition to the other search criteria selected.

As it is currently set up, if you put in multiple last names, you get an error because the text box is set up to look for one continuous string. Thus if you put in two last names, one last name followed by hitting the Enter key, and on the next line another last name, it comes through the code as such:

        "Smith Washington" with two special looking characters (that look like hollow squares) in between Smith and Washington to denote the Enter key being hit (I presume).

The error reads as follows:

Redirect URI cannot contain newline characters.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: Redirect URI cannot contain newline characters.

Source Error:

Line 171:
Line 172:                sURL = "Students.aspx?" & sURL
Line 173:                Response.Redirect(sURL)
Line 174:                End If
Line 175:        End If

So in my limited understanding, I was thinking that if I could make the textbox an Array, so that whatever names they put in there, separated by some sort of delineator, then the Array could be used later to dump the names into the SQL query using the "OR" option.

Any ideas, anyone?





--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "DotNetDevelopment, VB.NET, C# .NET, ADO.NET, ASP.NET, XML, XML Web Services, .NET Remoting" group.
To post to this group, send email to DotNetDevelopment@googlegroups.com
To unsubscribe from this group, send email to DotNetDevelopment-unsubscribe@googlegroups.com
For more options, visit this group at http://cm.megasolutions.net/forums/default.aspx
-~----------~----~----~----~------~----~------~--~---


Re: Novice - Not sure where to start with coding question
BookerT (United States)
2007-02-16 15:20:32
I am reading up on SQL injection attacks. Thanks for the heads up. I would like to try an attack to see if it is possible. The Code does build SQL queries in various places, is that bad in general? How else does one pull data from a database without a SQL query? Currently, you have to have a valid user name and password, and be a part of a particular group in order to access the web front end, and there is no outside access to the database from any other application...


We shall see


Thanks



On Feb 16, 2:58 am, "Bradley, Peter" <pbrad...@uwic.ac.uk> wrote:
> [...]




Re: Novice - Not sure where to start with coding question
United States
2007-02-16 03:22:59
You are hitting a logical wall. Based on your own statements you are trying to look up "a last name" and are putting two names in the search box. Try physically putting two people in one seat. It just doesn't work.

I agree with Peter Bradley. Get a specific Statement of Requirements. Without it, your client may constantly change his/her requirements. Programming is abstract. Treat the high level of abstraction with respect and you and your client will be happy.

Try doing a few truth tables/tautologies to determine the soundness of any logic involved in your project.

Use Venn diagrams to organize concepts and to see where elements intersect.

Hire me as your consultant for a mere $2000 a day.


On Feb 16, 2:58 am, "Bradley, Peter" <pbrad...@uwic.ac.uk> wrote:
> [...]




Re: Novice - Not sure where to start with coding question
United States
2007-02-17 01:35:17
You still use an SQL query... but before you fill in the WHERE places in the query, you need to do a few things:

1. Clean your input. Remove all illegal chars, single quotes etc.
2. Validate your input. Test if the input conforms to the required type/format as per requirement.
3. Use Parameters with stored procedures instead of ad hoc SQL queries.

Enough about SQL Injection though.

Regarding your current problem, you will need to parse the string in the textbox and set it to an acceptable format before you pass it as a Querystring. IMO, you should be able to split it using Chr(13) as a delimiter.


On Feb 17, 2:20 am, "BookerT" <c...@ascac.org> wrote:
> [...]




Re: Novice - Not sure where to start with coding question
BookerT (United States)
2007-02-19 14:43:36
I tried the following "sample injection attack", by putting ' Or 1=1 -- in one of the text boxes....
As I pass through the code, it sends the following string to the server:

        "SELECT COUNT(*) AS iCnt FROM Pupils  WHERE  UPPER(Lname) LIKE ''' OR 1=1 --%'  "

So based on that "one type" of attack, it does not look like my code appends any SQL statements to the current SQL, because it passes what you type in as a literal string....

Am I missing something?






On Feb 16, 2:58 am, "Bradley, Peter" <pbrad...@uwic.ac.uk> wrote:
> [...]


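The three steps in the reply of 2007-02-17 (clean, validate, use parameters) and the ' Or 1=1 -- test in the post just above are worked through here as an added example; it is not code from the thread or from BookerT's application. Python's sqlite3 module stands in for VB.NET and SQL Server (in ADO.NET the same shape is a SqlCommand whose text holds one @pN placeholder per name and whose Parameters collection carries the values). The Pupils table and its rows are constructed for the example, and the allow-list pattern and function names are assumptions. count_concat splices the textbox value into the query and lets the payload rewrite the WHERE clause; count_doubled reproduces the captured LIKE ''' OR 1=1 --%' string, which keeps that payload inside the literal but leaves the LIKE wildcards to the user, so a lone % matches every row; count_param validates each name against the allow-list and passes the accepted names as parameters, one OR term each.

```python
import re
import sqlite3

# Allow-list for one last-name search term: a letter, then letters,
# apostrophe, space or hyphen, 50 characters at most.  The pattern is an
# assumption for this example; the Statement of Requirements would fix it.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' \-]{0,49}$")


def setup_db():
    """Constructed sample data standing in for the Pupils table in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Pupils (Id INTEGER PRIMARY KEY, Lname TEXT NOT NULL)")
    conn.executemany("INSERT INTO Pupils (Lname) VALUES (?)",
                     [("Smith",), ("Washington",), ("Jones",), ("O'Brien",)])
    return conn


def count_concat(conn, term):
    """The pattern the thread warns against: the textbox value spliced into SQL.

    With term = "' OR 1=1 --" the WHERE clause becomes
    UPPER(Lname) LIKE '' OR 1=1 --%'  and every row is counted.  A genuine
    apostrophe (O'Brien) is a syntax error instead of a search."""
    sql = ("SELECT COUNT(*) AS iCnt FROM Pupils WHERE UPPER(Lname) LIKE '"
           + term.upper() + "%'")
    return conn.execute(sql).fetchone()[0]


def count_doubled(conn, term):
    """Same query, but every single quote is doubled first.

    This reproduces the string captured in the post:
    UPPER(Lname) LIKE ''' OR 1=1 --%'.  The payload now stays inside the
    string literal, but the LIKE wildcards % and _ typed by the user are
    still interpreted by the database."""
    escaped = term.upper().replace("'", "''")
    sql = ("SELECT COUNT(*) AS iCnt FROM Pupils WHERE UPPER(Lname) LIKE '"
           + escaped + "%'")
    return conn.execute(sql).fetchone()[0]


def count_param(conn, names):
    """Clean, validate, then run one parameterised query with an OR per name."""
    patterns = []
    for raw in names:
        name = raw.strip()                     # 1. clean: trim surrounding whitespace
        if not NAME_RE.fullmatch(name):        # 2. validate against the allow-list
            raise ValueError("rejected search term: %r" % raw)
        patterns.append(name.upper() + "%")
    if not patterns:
        raise ValueError("no search terms supplied")
    # 3. parameterise: one placeholder per name; the values travel separately
    # from the SQL text, so the database never parses them as SQL.
    where = " OR ".join(["UPPER(Lname) LIKE ?"] * len(patterns))
    sql = "SELECT COUNT(*) AS iCnt FROM Pupils WHERE " + where
    return conn.execute(sql, patterns).fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print(count_concat(db, "' OR 1=1 --"))            # 4: the whole table
    print(count_doubled(db, "' OR 1=1 --"))           # 0: payload neutralised ...
    print(count_doubled(db, "%"))                     # 4: ... but a bare wildcard still matches all
    print(count_param(db, ["Smith", "Washington"]))   # 2
```

The allow-list is what turns the bare % case from a data-exposure problem into a rejected request; parameters alone guarantee only that the value is never parsed as SQL, not that it is a sensible search term. The pattern assumed here is deliberately narrow and a real name list may need a wider one.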


Re: Novice - Not sure where to start with coding question
2007-02-23 01:02:54
Hi,

Use this:

    Response.Redirect("abc.aspx?lstName="+Server.UrlEncode(str))

In abc.aspx page replace %0d%0d with ,

I hope this may help you out.

On 2/20/07, BookerT <chipw@ascac.org> wrote:
> [...]

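The redirect problem from the original post, handled as an added example that is not code from the thread: the textbox value is split on the line break first (the reply of 2007-02-17 suggests Chr(13) as the delimiter; browsers submit a textarea's line breaks as CR LF, so CR, LF and CR LF are all treated as the break here), each name is then percent-encoded as its own lname= parameter, and the receiving page reads the list back already decoded, so nothing has to be replaced by hand there. Python's urllib stands in for ASP.NET, where the equivalents are Server.UrlEncode when building the URL and Request.QueryString.GetValues("lname") on Students.aspx. The parameter name lname, the sample textbox values and the function names are assumptions; redirect() only mimics the newline check that produced the ArgumentException in the post.

```python
from urllib.parse import urlencode, urlsplit, parse_qs


def split_names(textbox_value):
    """Break a multi-line textbox value into names: CR LF, CR or LF all count
    as the delimiter, surrounding whitespace is trimmed, blank lines dropped."""
    normalised = textbox_value.replace("\r\n", "\n").replace("\r", "\n")
    return [part.strip() for part in normalised.split("\n") if part.strip()]


def naive_redirect_url(textbox_value, page="Students.aspx"):
    """What the code in the post does: the raw textbox value appended to the URL."""
    return page + "?lname=" + textbox_value


def safe_redirect_url(textbox_value, page="Students.aspx"):
    """Split first, then percent-encode each name as its own lname= pair.

    urlencode() escapes CR, LF, '&', '+' and quotes, so no name can break
    the URL or be confused with a second parameter."""
    names = split_names(textbox_value)
    if not names:
        raise ValueError("no last name entered")
    return page + "?" + urlencode([("lname", n) for n in names])


def redirect(url):
    """Stand-in for Response.Redirect: refuse CR/LF in the target, which is
    the check behind the ArgumentException quoted in the original post."""
    if "\r" in url or "\n" in url:
        raise ValueError("Redirect URI cannot contain newline characters.")
    return url


def names_from_url(url):
    """Receiving side (Students.aspx): every lname value, already decoded."""
    return parse_qs(urlsplit(url).query).get("lname", [])


if __name__ == "__main__":
    entered = "Smith\r\nWashington\r\n"       # constructed textbox value
    print(safe_redirect_url(entered))         # Students.aspx?lname=Smith&lname=Washington
    print(names_from_url(safe_redirect_url(entered)))   # ['Smith', 'Washington']
```

Splitting before encoding, rather than replacing an encoded delimiter on the receiving page, means the names never have to be parsed out of one string again, and a name containing an apostrophe, an ampersand or a plus sign survives the round trip unchanged. The list that comes back is still user input: it goes through the same validation and parameterised query as a single name would.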
