Abhipal Singh wrote: If !string.IsNullOrEmpty(...
VB.NET uses Not , not ! , for logical negation.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Thanks for correcting me, Richard!
I generally work on C#, so I'm not aware of the exact VB syntax.
Also, you raised a good point about MessageBox: it will get displayed on the server side.
I suggest we use JavaScript alerts instead of a message box.
MsgBox isn't going to work in an ASP.NET application. The message will be displayed on the server, not the client.
It might appear to work when you debug your code in Visual Studio, but that's only because the server and the client are the same machine in that specific scenario.
As soon as you deploy your code to a real server, it will either crash, or hang waiting for someone to acknowledge the message on the server, where nobody will ever see it.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
I want to know the code for a login page with a database.
If you do a Google search you will find many suggested solutions.
We can't just give you everything. But essentially you need a form for the user to enter their information. Then send that info to SQL and verify it.
Look into Forms Authentication too: https://msdn.microsoft.com/en-us/library/7t6b43z4(v=vs.140).aspx
There are only 10 types of people in the world, those who understand binary and those who don't.
Bad example:
- Passwords are stored as plain text: You should only ever store a salted hash of the password. See "Secure Password Authentication Explained Simply" and "Salted Password Hashing - Doing it Right".
- Connecting to the database as "sa": This will give an attacker complete control over your SQL instance, and potentially the server as well. You should only ever connect using a specific account which has the least permissions required to run your application.
- Disposable objects not in "using" blocks: In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly. All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parameterized queries, so it isn't vulnerable to SQL Injection.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
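The three points above (salted hash instead of plain text, a least-privilege database login instead of "sa", and using blocks around every IDisposable) plus the earlier "form, send to SQL, verify" advice fit into one login check. The code below is an added example written for this thread, not code from any poster or from the ASP.NET framework. It assumes a hypothetical table dbo.Users(UserName, PasswordSalt, PasswordHash, Iterations) and a connection string named "LoginDb" in web.config that points at a SQL login with only SELECT rights on that table; the hash is PBKDF2 via Rfc2898DeriveBytes, which is what .NET Framework 4.x ships.

```csharp
using System;
using System.Configuration;   // reference System.Configuration.dll
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example (not from the thread): verify a login against a salted PBKDF2 hash.
// Assumed schema: dbo.Users(UserName nvarchar(256), PasswordSalt varbinary(16),
//                           PasswordHash varbinary(32), Iterations int)
// Assumed connection string "LoginDb": a low-privilege login, never "sa".
public static class LoginCheck
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int DefaultIterations = 100000;

    // Called once when an account is created or the password changes:
    // a fresh random salt per user, then the derived hash. Store salt, hash and iterations.
    public static void CreatePasswordRecord(string password,
        out byte[] salt, out byte[] hash, out int iterations)
    {
        salt = new byte[SaltSize];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(salt);
        }
        iterations = DefaultIterations;
        hash = Derive(password, salt, iterations);
    }

    // Returns true only when the user exists and the password reproduces the stored hash.
    public static bool VerifyLogin(string userName, string password)
    {
        string connStr = ConfigurationManager.ConnectionStrings["LoginDb"].ConnectionString;
        const string sql =
            "SELECT PasswordSalt, PasswordHash, Iterations FROM dbo.Users WHERE UserName = @userName";

        byte[] salt, storedHash;
        int iterations;

        // Every disposable object sits in a using block, so it is released even on exception.
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Parameterised: the user name is never concatenated into the SQL text.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                if (!reader.Read())
                {
                    // Unknown user: still spend the same hashing time so response timing
                    // does not reveal which user names exist.
                    Derive(password, new byte[SaltSize], DefaultIterations);
                    return false;
                }
                salt = (byte[])reader["PasswordSalt"];
                storedHash = (byte[])reader["PasswordHash"];
                iterations = reader.GetInt32(reader.GetOrdinal("Iterations"));
            }
        }

        byte[] candidate = Derive(password, salt, iterations);
        return FixedTimeEquals(candidate, storedHash);
    }

    private static byte[] Derive(string password, byte[] salt, int iterations)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, iterations))
        {
            return kdf.GetBytes(HashSize);
        }
    }

    // Compare every byte; do not stop at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

The page's login form only has to call VerifyLogin(userName, password) and, on true, issue the Forms Authentication ticket; the plain-text password never reaches the database, and a leaked Users table yields only per-user salted hashes that have to be brute-forced one at a time.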
Bad example:
- Passwords are stored as plain text: You should only ever store a salted hash of the password. See "Secure Password Authentication Explained Simply" and "Salted Password Hashing - Doing it Right".
- Disposable objects not in "using" blocks: In the event of an exception, the SqlConnection and SqlCommand objects might not be cleaned up properly. All objects which implement IDisposable (and don't escape the current method) should be wrapped in a using block.
On the plus side, the code is using properly parameterized queries, so it isn't vulnerable to SQL Injection.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Since you're starting from scratch, it's probably best to start with ASP.NET Identity. That framework takes care of a lot of the work for you, and gives you a properly secured application.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Do you have a question?
There are only 10 types of people in the world, those who understand binary and those who don't.
Message Closed
modified 18-Jun-15 20:48pm.
I have been searching the internet for over an hour and can only find client-side discussions of my latest scan finding. What I am receiving is a finding that a method uses the Read() method and, because it ignores the value returned by Read(), could cause the program to overlook unexpected states and conditions. If anyone can explain, in a small amount of detail, and possibly recommend a fix, that would be great. The function is below:
Offending line of code in the method:
csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
Calling method:
public String DecryptMessage(byte[] encrypted)
{
ASCIIEncoding textConverter = new ASCIIEncoding();
decryptor = aes.CreateDecryptor(key, IV);
MemoryStream msDecrypt = new MemoryStream(encrypted);
csEncrypt = new CryptoStream(msDecrypt, decryptor, CryptoStreamMode.Read);
byte[] fromEncrypt = new byte[encrypted.Length];
csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
return textConverter.GetString(fromEncrypt);
}
The Read method returns the number of bytes read, which could be less than the count parameter you passed in.
You need to capture the returned value, and pass it to the GetString method:
int bytesRead = csEncrypt.Read(fromEncrypt, 0, fromEncrypt.Length);
return textConverter.GetString(fromEncrypt, 0, bytesRead);
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Use using-blocks for every object that implements IDisposable. Not doing that can have all sorts of strange effects.
And don't declare variables as class members if you're using them only locally; they don't need to retain state and they're not expensive to create ("aes", "decryptor", "csEncrypt").
public String DecryptMessage(byte[] encrypted)
{
using (var aes = new AesManaged())
using (var decryptor = aes.CreateDecryptor(key, IV))
using (var ms = new MemoryStream(encrypted))
using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
{
byte[] decrypted = new byte[encrypted.Length];
int bytesRead = cs.Read(decrypted, 0, decrypted.Length);
return Encoding.ASCII.GetString(decrypted, 0, bytesRead);
}
}
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
Message Closed
modified 18-Jun-15 20:56pm.
If the return value is a byte[] - which isn't the case in the code you posted! - then you need to change the code to:
public byte[] DecryptMessage(byte[] encrypted)
{
using (var aes = new AesManaged())
using (var decryptor = aes.CreateDecryptor(key, IV))
using (var ms = new MemoryStream(encrypted))
using (var cs = new CryptoStream(ms, decryptor, CryptoStreamMode.Read))
{
byte[] decrypted = new byte[encrypted.Length];
int bytesRead = cs.Read(decrypted, 0, decrypted.Length);
if (bytesRead != decrypted.Length)
{
Array.Resize(ref decrypted, bytesRead);
}
return decrypted;
}
}
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
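Capturing bytesRead fixes the immediate finding, but the Stream.Read contract allows a single call to return fewer bytes than are available, not only fewer than the buffer size, so the robust form is to keep reading until Read returns 0. The code below is an added example for this thread, not code posted by anyone above; it assumes the caller supplies the same key and IV that were used to encrypt, and it uses UTF-8 rather than the ASCII encoding of the original post because ASCII silently replaces non-ASCII plaintext bytes.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the thread): read the CryptoStream until it is exhausted,
// so partial reads and the shorter-than-ciphertext plaintext (padding removed) are handled.
public static class AesRoundTrip
{
    // key: 16, 24 or 32 bytes; iv: 16 bytes. Both assumed to match the encrypting side.
    public static byte[] DecryptToBytes(byte[] encrypted, byte[] key, byte[] iv)
    {
        using (var aes = new AesManaged())
        using (var decryptor = aes.CreateDecryptor(key, iv))
        using (var input = new MemoryStream(encrypted))
        using (var cs = new CryptoStream(input, decryptor, CryptoStreamMode.Read))
        using (var output = new MemoryStream())
        {
            byte[] buffer = new byte[4096];
            int bytesRead;
            // Read() may return fewer bytes than requested; 0 means end of stream.
            // Looping is the only way to be sure the whole plaintext was consumed.
            while ((bytesRead = cs.Read(buffer, 0, buffer.Length)) > 0)
            {
                output.Write(buffer, 0, bytesRead);
            }
            // Exactly the decrypted bytes: no trailing zero padding from an oversized buffer.
            return output.ToArray();
        }
    }

    public static string DecryptToString(byte[] encrypted, byte[] key, byte[] iv)
    {
        return Encoding.UTF8.GetString(DecryptToBytes(encrypted, key, iv));
    }

    // Matching encrypt side so the round trip can be exercised end to end.
    public static byte[] Encrypt(string plaintext, byte[] key, byte[] iv)
    {
        using (var aes = new AesManaged())
        using (var encryptor = aes.CreateEncryptor(key, iv))
        using (var output = new MemoryStream())
        {
            using (var cs = new CryptoStream(output, encryptor, CryptoStreamMode.Write))
            {
                byte[] plain = Encoding.UTF8.GetBytes(plaintext);
                cs.Write(plain, 0, plain.Length);
                cs.FlushFinalBlock();   // writes the final padded block
            }
            return output.ToArray();
        }
    }

    // Constructed demo values; a real application loads the key from protected storage
    // and generates a fresh random IV per message.
    public static bool SelfTest()
    {
        byte[] key = new byte[32];
        byte[] iv = new byte[16];
        for (int i = 0; i < key.Length; i++) key[i] = (byte)i;
        for (int i = 0; i < iv.Length; i++) iv[i] = (byte)(0xA0 + i);

        string message = "scan finding: Read() return value must be checked";
        byte[] cipher = Encrypt(message, key, iv);
        string back = DecryptToString(cipher, key, iv);
        return back == message;   // true when the loop consumed exactly the plaintext
    }
}
```

Two caveats worth keeping in mind with this pattern: a CryptographicException from the final block normally means the ciphertext was corrupted or tampered with (bad padding), and that distinction should be logged server-side rather than reported back to the caller; and CBC with no integrity check, which is what AesManaged gives you by default, does not detect tampering at all, so for anything beyond a local round trip the ciphertext should also carry an HMAC that is verified before decryption.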
I have run into an issue: when my web application's web.config compilation debug setting is set to true, I get a vulnerability error on a security scan.
<compilation debug="true" targetFramework="4.0">
What I want to determine is whether there is some type of web.config conditional block that would change the debug setting to the correct value for debug builds and release builds. I have read that setting the property in each web page itself will do this, but I don't know if that is in fact true, or whether there are any problems with it.
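The standard way to get the two values is not a conditional inside web.config but a web.config transform: Visual Studio generates Web.Debug.config and Web.Release.config next to Web.config, and the Release transform it writes strips the debug attribute at publish time. The fragments below are an added example for this thread, not taken from the poster's project; the element names and the xdt namespace are the real ones, while the targetFramework value is simply the one quoted in the question.

```xml
<!-- Web.config as checked in: debug stays on for local development -->
<configuration>
  <system.web>
    <compilation debug="true" targetFramework="4.0" />
  </system.web>
</configuration>

<!-- Web.Release.config: applied only when publishing the Release configuration.
     RemoveAttributes(debug) deletes the attribute, so the deployed site runs with
     the default, debug="false". -->
<configuration xmlns:xdt="http://schemas.microsoft.com/XML-Document-Transform">
  <system.web>
    <compilation xdt:Transform="RemoveAttributes(debug)" />
  </system.web>
</configuration>

<!-- Server-side safety net in the production machine.config: forces debug off
     (and disables trace output and detailed errors) for every site on the box,
     whatever any individual Web.config says. -->
<configuration>
  <system.web>
    <deployment retail="true" />
  </system.web>
</configuration>
```

The transform only runs on publish, not on a plain build or on a file copy, so a scan of a site that was deployed by copying files will still see debug="true"; the machine.config setting is the control that catches that case.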
I have a scan finding and hope someone can provide any ideas as to the best way to resolve the issue. First I will show the scan finding, then my code, and finally what the scanner's recommended solution is.
Finding
Without proper access control, the method GetAttributeKey() in Provider.cs can execute a SQL statement on line 163 that contains an attacker-controlled primary key, thereby allowing the attacker to access unauthorized records.
Rather than relying on the presentation layer to restrict values submitted by the user, access control should be handled by the application and database layers. Under no circumstances should a user be allowed to retrieve or modify a row in the database without the appropriate permissions. Every query that accesses the database should enforce this policy, which can often be accomplished by simply including the current authenticated username as part of the query.
My Code:
Offending line:
myParam.SqlParam.Value = attribute;
Method:
public string GetAttributeKey(string attribute)
{
string qry = "SELECT ws_attribute_key FROM webservice_attributes WHERE ws_attribute = @attribute";
QueryContainer Instance = new QueryContainer(qry);
MyParam myParam = new MyParam();
myParam.SqlParam = new SqlParameter("@attribute", Instance.AddParameterType(_DbTypes._string));
myParam.SqlParam.Value = attribute;
Instance.parameterList.Add(myParam);
object key = ExecuteScaler(Instance);
return Convert.ToString(key);
}
Scanner's recommended fix:
string user = ctx.getAuthenticatedUserName();
Int16 id = System.Convert.ToInt16(invoiceID.Text);
SqlCommand query = new SqlCommand(
    "SELECT * FROM invoices WHERE id = @id AND user = @user", conn);
query.Parameters.AddWithValue("@id", id);
query.Parameters.AddWithValue("@user", user);
SqlDataReader objReader = query.ExecuteReader();
modified 8-Jun-15 14:07pm.
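The scanner's pattern transplanted onto GetAttributeKey would look like the following. This is an added example for this thread, not the poster's code or the scanner's; it assumes a hypothetical owner column owner_user on webservice_attributes, takes the user from the ASP.NET HttpContext instead of the scanner's pseudo-call ctx.getAuthenticatedUserName(), and uses plain SqlCommand rather than the poster's QueryContainer/MyParam wrappers. Where the table is a shared lookup with no per-user rows, as the later reply in this thread concludes, the ownership predicate does not apply and the entry check on the authenticated principal is the whole control.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;   // reference System.Web.dll

// Added example (not from the thread): enforce access control in the data layer by
// scoping the query to the authenticated user, rather than trusting the submitted key.
public static class AttributeLookup
{
    // Returns the key for an attribute the current user owns, or null if there is no such
    // row. A row owned by someone else produces the same null as a missing row, so the
    // response does not reveal whether the attribute exists.
    public static string GetAttributeKeyForCurrentUser(SqlConnection conn, string attribute)
    {
        string user = RequireAuthenticatedUser();

        const string sql =
            "SELECT ws_attribute_key FROM webservice_attributes " +
            "WHERE ws_attribute = @attribute AND owner_user = @user";   // owner_user is assumed

        using (var cmd = new SqlCommand(sql, conn))
        {
            // Both values are parameters: the attribute comes from the caller,
            // the user name comes from the server-side principal, never from the request.
            cmd.Parameters.Add("@attribute", SqlDbType.NVarChar, 128).Value = attribute;
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = user;

            object key = cmd.ExecuteScalar();
            return (key == null || key == DBNull.Value) ? null : Convert.ToString(key);
        }
    }

    // Method-level gate: refuse to run at all for an anonymous caller. For a shared lookup
    // table with no owner column this check alone is the access control.
    public static string RequireAuthenticatedUser()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            throw new UnauthorizedAccessException("Caller is not authenticated.");
        }
        return ctx.User.Identity.Name;
    }
}
```

The point the scanner is making is that the WHERE clause, not the page that built the request, decides which rows a user may see; once the predicate includes the server-side identity, changing the submitted @attribute value cannot reach another user's rows.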
Message Closed
modified 18-Jun-15 20:52pm.
This finding was determined to be changed to a mitigated warning and was removed as a valid finding. Showing that the caller needs rights to call the method when they are logged into the system makes it a false finding.