boolean is bit
what data types are you looking for?
This is what I was looking for:

using System;
using System.Data;

// Maps a SqlDbType to the CLR type that holds its values.
// Value types are returned as nullable so that a SQL NULL can be represented.
public static Type GetClrType(SqlDbType sqlType)
{
    switch (sqlType)
    {
        case SqlDbType.BigInt:
            return typeof(long?);
        case SqlDbType.Binary:
        case SqlDbType.Image:
        case SqlDbType.Timestamp:
        case SqlDbType.VarBinary:
            return typeof(byte[]);
        case SqlDbType.Bit:
            return typeof(bool?);
        case SqlDbType.Char:
        case SqlDbType.NChar:
        case SqlDbType.NText:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
        case SqlDbType.VarChar:
        case SqlDbType.Xml:
            return typeof(string);
        case SqlDbType.DateTime:
        case SqlDbType.SmallDateTime:
        case SqlDbType.Date:
        case SqlDbType.Time:
        case SqlDbType.DateTime2:
            return typeof(DateTime?);
        case SqlDbType.Decimal:
        case SqlDbType.Money:
        case SqlDbType.SmallMoney:
            return typeof(decimal?);
        case SqlDbType.Float:
            return typeof(double?);
        case SqlDbType.Int:
            return typeof(int?);
        case SqlDbType.Real:
            return typeof(float?);
        case SqlDbType.UniqueIdentifier:
            return typeof(Guid?);
        case SqlDbType.SmallInt:
            return typeof(short?);
        case SqlDbType.TinyInt:
            return typeof(byte?);
        case SqlDbType.Variant:
        case SqlDbType.Udt:
            return typeof(object);
        case SqlDbType.Structured:
            return typeof(DataTable);
        case SqlDbType.DateTimeOffset:
            return typeof(DateTimeOffset?);
        default:
            // Any SqlDbType value not listed above is rejected rather than silently mapped.
            throw new ArgumentOutOfRangeException("sqlType");
    }
}
Why would you want to write a function like that?
I think in the long run, the function will cause more problems than it will solve.
But that's just my opinion.
Dear friends,
I have planned to develop a price comparison website like http://www.mysmartprice.com/mobile/apple-iphone-6-msp4340.
Can you please list here what steps and procedure I should follow to develop that website? I want to show a selected product's price, offers, etc. from other websites on my website, like that website does.
I have a console application that self-hosts a SignalR hub, and I also have a web client hosted from my IIS server. It works on my local computer: I can open many browsers and send info between them. The issue is that I can see the web client from other computers, but the SignalR portion is not updating. I believe the issue is how to call the hub from the remote computer; I used IpAddress:port and also tried localhost:port, but neither works. Any suggestions on self-hosting SignalR?
My requirement is to display thumbnail images on my MVC view. What I am doing is converting each image to a byte array, converting that to a base64 string and sending this string back to JavaScript.
In JavaScript, I am assigning this base64 string to the src attribute of an image tag as below:
$(img).attr("src", "data:image/png;base64," + data);
This process happens 10 times in a for loop, as I need to display 10 images on a page.
When I run this, I get half an image in IE and nothing in Firefox. When I look in the Firefox console I get an "Image is corrupted or truncated" error and I am not sure what it means.
Could anyone throw some light on this issue?
If source code is needed for any of the above, please let me know.
Do not repost the same question[^] in different forums. Choose the proper forum and post your question there.
The sh*t I complain about
It's like there ain't a cloud in the sky and it's raining out - Eminem
~! Firewall !~
Hi All,
I got my organization's web site URL and the account user name and password for GoDaddy. I was able to open the file manager and see the source files there, but to make changes to the web site I want to download the source files, run them and see how it works. I was not given the source application, but luckily the source files are there on the web site at GoDaddy.
This is a pretty new organization, so it seems they are not familiar with keeping the source application. What I want is to download those source files for the database and ASP.NET from GoDaddy, make them into an application, and then make changes before uploading back to GoDaddy. Please advise me if I am not going in the correct direction; I am new to this hosting and uploading.
But when I open the file manager on GoDaddy I only see an upload link and no download link, even after selecting the folders. I didn't select individual files because downloading each file and then managing it in an application is a little difficult. So I am checking the check box for the folder to download, but no luck. Please help me with this.
Any help, suggestion or example code snippet would help me a lot. I am also searching on Google for how to do it. Thanks in advance.
Thanks,
Abdul Aleem
"There is already enough hatred in the world lets spread love, compassion and affection."
Connect via FTP using an FTP client and you can download whatever is there. Consult your account on GoDaddy to find out the host name and credentials. Note that if the site is ASP.NET and has been compiled, you won't easily be able to make changes and recompile, as the source files won't be there; the code is in assemblies (DLL files). You'd need to decompile them using something like ILSpy.
Hi,
Thank you very much. Luckily the aspx.vb files are there on the web site.
Thanks,
Abdul Aleem
"There is already enough hatred in the world lets spread love, compassion and affection."
I have a static class that needs to pass a generic List of strings to a function, using an integer as an index into the List in the class. The problem is that the static class doesn't have a List collection, and I don't have a proper index to access the class in the function it is passed to. The class, the calling code, and the receiving function are below.
My Class:
public class QueryContainer
{
    public static QueryContainer Instance = new QueryContainer();
    private int _id;
    private string _query = "";
    private int _searchID;
    public QueryContainer() { }
    public string Query
    {
        get
        {
            if (Instance != null)
                return Instance._query;
            else
                return "";
        }
        // The original "_id =+ 1" assigned the constant +1 every time; "+=" increments the id as intended.
        set { _query = value; _id += 1; }
    }
    public int ID { get { return _id; } }
    public int SearchID
    {
        set { _searchID = value; }
        get { return _searchID; }
    }
}
The calling code:
public int GetAccountSortByAccountCode(int account)
{
    int Id = 0;
    QueryContainer.Instance.Query = "SELECT ac_sort_order FROM lkup_account_codes where ac_code = " + account.ToString();
    return Convert.ToInt32(ExecuteScaler(Id));
}
The function that the static class is passed to:
public int GetAccountSortByAccountCode(int account)
{
    int Id = 0;
    QueryContainer.Instance.Query = "SELECT ac_sort_order FROM lkup_account_codes where ac_code = " + account.ToString();
    return Convert.ToInt32(ExecuteScaler(Id));
}
Corrected <pre> tags to recognise C#, terminators, and indentation.
modified 15-May-15 11:19am.
Please use <pre> tags around your code, so it is more readable. Also, is this an ASP.NET issue?
As Sascha told you two days ago[^], that class does not resolve your SQL Injection[^] vulnerabilities.
Rather than wasting time trying to fix this class, concentrate on fixing the calling code. You can either do that by writing raw ADO.NET code using properly parameterized queries; or you can use something like Dapper[^]; or switch to one of the many available .NET ORM solutions.
Correct ADO.NET code would look something like this:
using System;
using System.Data.SqlClient;

public int GetAccountSortByAccountCode(int account)
{
    using (var connection = new SqlConnection("YOUR CONNECTION STRING"))
    // The query text is fixed; the account value travels separately as a parameter.
    using (var command = new SqlCommand("SELECT ac_sort_order FROM lkup_account_codes where ac_code = @account", connection))
    {
        command.Parameters.AddWithValue("@account", account);
        connection.Open();
        return Convert.ToInt32(command.ExecuteScalar());
    }
}
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
The problem is that I don't know what the hard-coded SQL expression is. All I am trying to do is run that hard-coded statement without breaking out the statement's parameters. If this won't work, is there a way to pass a generic list of parameter strings and use a foreach statement to add the parameters to the string's parameters?
You don't have a choice - you MUST look at every single SQL command issued by your program to "break out" the parameters. If you don't, then your code will still be vulnerable to SQL Injection.
You have a major security vulnerability in your code, and you need to fix it. There's no short-cut to doing that.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
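As an added example (not code from this thread), here is what the "generic list of parameters" idea looks like when done the way Richard describes: one ExecuteScalar helper that takes a constant query text containing named placeholders plus a dictionary of values, and binds every value as a SqlParameter in a foreach loop. The query strings are const, which is the check from his reply: if a query cannot be made const, a value is still being concatenated into it. The class name AccountRepository, the helper signature and the connection string are assumptions; the table and column names are the ones from the thread.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Hypothetical repository wrapping the thread's lkup_account_codes lookup.
public class AccountRepository
{
    private readonly string _connectionString;

    public AccountRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // const: the text never changes at run time and never contains user data.
    private const string SortOrderByCodeSql =
        "SELECT ac_sort_order FROM lkup_account_codes WHERE ac_code = @account";

    public int GetAccountSortByAccountCode(int account)
    {
        // The caller supplies values by placeholder name; the SQL text stays constant.
        var parameters = new Dictionary<string, object> { { "@account", account } };
        object result = ExecuteScalar(SortOrderByCodeSql, parameters);

        // ExecuteScalar returns null when no row matches and DBNull for a NULL column.
        if (result == null || result == DBNull.Value)
            return 0;
        return Convert.ToInt32(result);
    }

    // Generic helper: binds each dictionary entry as a SqlParameter (assumed signature).
    // Parameter values are sent to SQL Server as typed data, never spliced into the
    // statement text, so a value like "1 OR 1=1" is compared as data, not parsed as SQL.
    protected object ExecuteScalar(string sql, IDictionary<string, object> parameters)
    {
        using (var connection = new SqlConnection(_connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.CommandType = CommandType.Text;
            foreach (KeyValuePair<string, object> kv in parameters)
            {
                // A C# null must be passed as DBNull.Value, otherwise the parameter is treated as missing.
                command.Parameters.AddWithValue(kv.Key, kv.Value ?? DBNull.Value);
            }
            connection.Open();
            return command.ExecuteScalar();
        }
    }
}
```

Usage: new AccountRepository("YOUR CONNECTION STRING").GetAccountSortByAccountCode(42). Table and column names cannot be parameterized this way; only values can, which is why the hard-coded statement text itself has to be reviewed once and then frozen as const. AddWithValue infers the SQL type from the .NET value; where the column type matters for index use or implicit conversion, create the SqlParameter with an explicit SqlDbType instead.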
Below is the best I could come up with. The SQL injection error was showing up in the actual ExecuteScaler function using the SQL string being passed in, as so:
The old version my code replaced: protected object ExecuteScaler(string queryString)
Now my version of the function is as so: protected Object ExecuteScaler(QueryContainer Instance)
The calling function is now converted as so:
public int GetAccountSortByAccountCode(int account)
{
    // Still string concatenation: the account value is spliced into the query text.
    QueryContainer Instance = new QueryContainer("SELECT ac_sort_order FROM lkup_account_codes where ac_code = " + account.ToString());
    // ExecuteScaler now takes a QueryContainer, so the container itself is passed rather than Instance.Query.
    return Convert.ToInt32(ExecuteScaler(Instance));
}
And here is my new class:
public class QueryContainer
{
    string _query;
    public QueryContainer(string query) { _query = query; }
    public string Query
    {
        get
        {
            return _query;
        }
        set { _query = value; }
    }
}
So what do you think? Does anyone think that I will still get SQL injection errors?
holdorf wrote: QueryContainer Instance = new QueryContainer("SELECT ac_sort_order FROM lkup_account_codes where ac_code = " + account.ToString());
No, no, no!!!
Your code is STILL vulnerable to SQL Injection.
You are STILL using string concatenation, rather than parameterized queries.
All you've done is store the compromised query in a field on a class, and then executed it. Like shutting the stable door after the horse has bolted, that provides precisely zero protection.
If you want to fix the SQLi vulnerability in your code, you MUST use parameterized queries. That means finding every part of your code which issues a query, and updating it to use parameters instead of string concatenation.
When you've finished, you should be able to mark all of the string variables containing your queries as const. If you can't, then you've almost certainly missed a parameter, and left your code vulnerable.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Maybe you have the completely wrong idea about what SQL injection is.
It does not mean that your query string, after being concatenated (the wrong approach), can somehow still be modified by someone, and that you therefore have to "hide" it somehow (in your QueryContainer).
It means that the values you get from user input (or from somewhere else outside your controllable domain) can already contain malicious SQL statements, and currently you blindly concatenate them into your SQL statement.
While SQL parameters cannot prevent your values from containing malicious SQL statements, they do prevent those from being executed by your database when you execute your SQL statement, because the values are treated just as values and not potentially as SQL statements.
If you have understood this, then you will realize that your current approach to fixing this makes no sense.
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
Sascha,
Ok. I do understand. Now my problem is how do I break up strings like "delete 'Name' from table where x = 1 and y = 2" or "select * from table where x = 1 and y = 2" with the least possible work? Remember I have only one function to fix to handle this problem. My boss is upset and is giving me only a few days to fix this. Please help.
Thanks,
Steve Holdorf
modified 18-May-15 8:00am.
removed: was premature advice. Even a SQL-parser won't help, see Richard's reply.
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson
modified 19-May-15 15:24pm.
holdorf wrote: My boss is upset and is giving me only a few days to fix this. If you were the one writing the whole thing, then you should be able to modify the code that builds these SQL statements instead of replacing the literal values afterwards. If you were not the one writing the whole thing, you should tell your boss that it takes more time to fix sh!t than to produce it... maybe in other words.
If the brain were so simple we could understand it, we would be so simple we couldn't. — Lyall Watson