Using stored procedures does not necessarily prevent SQL injection. The important thing to do is use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input as described in the "Overview" section of this document.
The following code shows how to use SqlParameterCollection when calling a stored procedure.
using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // The command text is the procedure name, not a statement assembled from user input
    SqlDataAdapter myCommand = new SqlDataAdapter(
        "LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // The user-supplied value is bound to @au_id and is never parsed as SQL text
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}
- Use Parameters with Dynamic SQL
The same rule applies when you have to build a dynamic SQL statement: pass the input as a parameter rather than concatenating it into the statement text. The following code shows how to use parameters with dynamic SQL.
using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    // The statement text is fixed; @au_id is a placeholder, not a spliced-in string
    SqlDataAdapter myDataAdapter = new SqlDataAdapter(
        "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
        connection);
    // The parameter belongs to the adapter's SelectCommand created above
    myDataAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myDataAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myDataAdapter.Fill(userDataset);
}
- Additional Considerations
Other things to consider when you develop countermeasures to prevent SQL injection include:
In situations where parameterized SQL cannot be used and you are forced to use dynamic SQL instead, you need to safeguard against input characters that have special meaning to SQL Server (such as the single quote character). If not handled, special characters such as the single quote character in the input can be utilized to cause SQL injection.
Note: Special input characters pose a threat only with dynamic SQL and not when using parameterized SQL.
Escape routines add an escape character to characters that have special meaning to SQL Server, thereby making them harmless. This is illustrated in the following code fragment:
private string SafeSqlLiteral(string inputSQL)
{
    // Double every single quote so the value cannot terminate the SQL string literal it is placed in
    return inputSQL.Replace("'", "''");
}
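To make the contrast between the three approaches concrete, here is an added example (not code from the original article) in Python against an in-memory SQLite database, which stands in for SQL Server. It looks authors up by last name rather than by au_id so that an ordinary apostrophe in the input, with no attack intent at all, shows why concatenation fails, why parameters are the first choice, and what the SafeSqlLiteral escape routine does and does not cover. The table rows and the function names are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the Authors table the page queries.
AUTHORS = [
    ("172-32-1176", "White", "Johnson"),
    ("213-46-8915", "O'Leary", "Michael"),
]

def make_db():
    """In-memory SQLite database (assumption: stands in for SQL Server here)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Authors (au_id TEXT, au_lname TEXT, au_fname TEXT)")
    conn.executemany("INSERT INTO Authors VALUES (?, ?, ?)", AUTHORS)
    return conn

def lookup_dynamic(conn, last_name):
    """Dynamic SQL by concatenation: the input is spliced into the statement
    text, so a single quote in it changes the statement's structure."""
    sql = "SELECT au_id, au_fname FROM Authors WHERE au_lname = '" + last_name + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, last_name):
    """Counterpart of the page's SqlParameter pattern: the statement text is
    fixed and last_name is bound as a value that is never parsed as SQL."""
    sql = "SELECT au_id, au_fname FROM Authors WHERE au_lname = ?"
    return conn.execute(sql, (last_name,)).fetchall()

def safe_sql_literal(input_sql):
    """Python port of the page's SafeSqlLiteral: double every single quote."""
    return input_sql.replace("'", "''")

def lookup_escaped(conn, last_name):
    """Dynamic SQL with the escape routine applied. It only protects a value
    inside a quoted string literal, not numeric or identifier positions."""
    sql = ("SELECT au_id, au_fname FROM Authors WHERE au_lname = '"
           + safe_sql_literal(last_name) + "'")
    return conn.execute(sql).fetchall()

def compare(last_name):
    """Run all three lookups on one input; a dynamic query that fails to parse
    is reported by its exception class name instead of rows."""
    conn = make_db()
    try:
        dynamic = lookup_dynamic(conn, last_name)
    except sqlite3.Error as exc:
        dynamic = type(exc).__name__
    return {"dynamic": dynamic,
            "parameterized": lookup_parameterized(conn, last_name),
            "escaped": lookup_escaped(conn, last_name)}
```

Calling compare("O'Leary") shows the concatenated query failing with an OperationalError while the parameterized and escaped versions both return the expected row; compare("White") returns the same row from all three.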
Block selection can be used to select any amount of text in a block, as opposed to line by line. You can use block selection whether you select text with the mouse or the keyboard (hold down Alt and Shift, and press the arrow keys to perform a block selection with the keyboard).
When pasting block selections, Visual Studio will insert each line of the block onto a subsequent existing line, unlike normal selections where new lines will be inserted. Thus, it is important to be sure that the destination for your block selection is the same number of lines as the source.
There are quite a few ways to specify line breaks: ControlChars.NewLine, Environment.NewLine, Char(13), and depending on your language, vbCrLf, \n, and \r\n. Most of these accomplish the same thing: insert the special ASCII characters CR (carriage return), LF (line feed), or both.
The recommended way of adding line breaks is with Environment.NewLine. Unlike the other methods, this will insert the appropriate ASCII representation of a line break: an LF for Unix, a CR for Apple, and a combination of the two for Windows.
However, practicality often supersedes portability, and for most cases, escaped carriage returns (i.e., \r and \n) are the absolute simplest to use. SmartPaster allows you to easily configure which option to use.
The first, and most useful, IntelliSense feature is actually just a shortcut: Ctrl-Space (Edit.CompleteWord). By using the Ctrl-Space shortcut, you can summon IntelliSense at any point during your coding session, not just when you finish typing a class name. This is one of the few shortcuts that can really change the way that you write code.
If you have already started typing when you press Ctrl-Space, Visual Studio will take one of two actions. If there is only one object that matches what you have typed so far, it will automatically complete the object name; for instance, if you typed HttpR, it would complete the rest of the object name (HttpRequest). If there are a number of objects that match what you have typed, it will display the full list of members with the first match highlighted.
Another useful form of IntelliSense is the parameter information that is shown after you type the opening parenthesis of a method (it goes away when the parentheses are closed). When editing an existing method call, it would be nice to have this information again without having to delete and then re-enter the opening parenthesis, wouldn't it? As long as the cursor is located inside the method's parameter parentheses, pressing Ctrl-Shift-Space (Edit.ParameterInfo) will display the parameter information pop-up.
When you move your mouse over a method or variable, you will see a small tool tip pop up that contains information about that method or variable. This is commonly called Quick Info. If you are navigating by keyboard, you can also get this small pop-up by pressing Ctrl-K and then Ctrl-I (Edit.QuickInfo). Using this shortcut is also the only way to bring up this informational pop-up during debugging, since the default behavior when hovering with the mouse is to show the value of the object you are hovering over.
Adding guidelines:
Close Visual Studio.
Open regedit (Start -> Run -> type regedit).
Navigate to HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\<7.1>\Text Editor.
Right-click on the Text Editor key and choose New -> String Value and name it "Guides".
Set the value of the guides to RGB(128, 128, 128) 4, 16.
The first part of the value sets the color of the guidelines using common red, green, and blue values; 128, 128, 128 sets the color of the guidelines to gray. The numbers after it specify the columns where the guidelines should appear. In this example, guidelines will be shown at the 4-space mark as well as the 16-space mark. You can add up to 13 different guidelines by simply adding more numeric values separated by commas.
After you have created your registry entry, you will see guidelines at the positions specified when you launch Visual Studio.
Well, first I just want to say hello to all the people that will visit and support me to continue with my programming work and sharing experience. I will try to manage posts so both the bold ones and the pros will understand what I will be writing about.
Thanks in advance,
Marjan Nikolovski