bLogger.net

Глишо вака ли ќе слабееме :D

2008-09-18T02:23:00.001-07:00

Glisho running...

Истрчано има: 3040 m.

Thanks for Technorati

2008-06-22T07:51:00.000-07:00

... for popularising my blog, visit Technorati Profile

Avoid SQL injection

2008-06-22T06:23:00.001-07:00

The most notorious one attack, well known but still available that
i have to explain and give a good solution for avoiding and protect
from it.

SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

Know when we define it i will propose avoid/protect ways:

- Use Parameters with Stored Procedures:

Using stored procedures does not necessarily prevent SQL injection. The important thing to do is use parameters with stored procedures. If you do not use parameters, your stored procedures can be susceptible to SQL injection if they use unfiltered input as described in the "Overview" section of this document.

The following code shows how to use SqlParameterCollection when calling a stored procedure.

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myCommand = new SqlDataAdapter(
           "LoginStoredProcedure", connection);
myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;

myCommand.Fill(userDataset);
}

- Use Parameters with Dynamic SQL

If you cannot use stored procedures, you should still use parameters when constructing dynamic SQL statements. The following code shows how to use SqlParametersCollection with dynamic SQL.

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
       "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
       connection);              
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myDataAdapter.Fill(userDataset);
}
- Additional Considerations

Other things to consider when you develop countermeasures to prevent SQL injection include:

Use escape routines to handle special input characters.
Use a least-privileged database account.
Avoid disclosing error information.

Use Escape Routines to Handle Special Input Characters

In situations where parameterized SQL cannot be used and you are forced to use dynamic SQL instead, you need to safeguard against input characters that have special meaning to SQL Server (such as the single quote character). If not handled, special characters such as the single quote character in the input can be utilized to cause SQL injection.

Note Special input characters pose a threat only with dynamic SQL and not when using parameterized SQL.

Escape routines add an escape character to characters that have special meaning to SQL Server, thereby making them harmless. This is illustrated in the following code fragment:

private string SafeSqlLiteral(string inputSQL)
{
return inputSQL.Replace("'", "''");

}

Mastering Visual Studio 2005 editor

2008-06-22T05:57:00.000-07:00

Block Selection

Visual Studio has a feature that allows you to get around this limitation. By holding the Alt key while selecting text, you trigger block selection, which allows you to select text regardless of what line it is on.

Block selection can be used to select any amount of text in a block, as opposed to line by line. You can use block selection whether you select text with the mouse or the keyboard (hold down Alt and Shift, and press the arrow keys to perform a block selection with the keyboard).

When pasting block selections, Visual Studio will insert each line of the block onto a subsequent existing line, unlike normal selections where new lines will be inserted. Thus, it is important to be sure that the destination for your block selection is the same number of lines as the source.

Line breaks

There are quite a few ways to specify line breaks: ControlChars.NewLine, Environment.NewLine, Char(13), and depending on your language, vbCrLf, \n, and \r\n. Most of these accomplish the same thing: insert the special ASCII characters CR (carriage return), LF (line feed), or both.

The recommended way of adding line breaks is with Environment.NewLine. Unlike the other methods, this will insert the appropriate ASCII representation of a line break: an LF for Unix, a CR for Apple, and a combination of the two for Windows.

However, practicality often supersedes portability, and for most cases, escaped carriage returns (i.e., \r and \n) are the absolute simplest to use. SmartPaster allows you to easily configure which option to use.

Complete Word

The first, and most useful, IntelliSense feature is actually just a shortcut: Ctrl-Space (Edit.CompleteWord). By using the Ctrl-Space shortcut, you can summon IntelliSense at any point during your coding session, not just when you finish typing a class name. This is one of the few shortcuts that can really change the way that you write code.

If you have already starting typing when you press Ctrl-Space, Visual Studio will take one of two actions. If there is only one object that matches what you have typed in so far, it will automatically complete the object name; for instance, if you typed in HttpR, it would automatically complete the rest of the object name (HttpRequest). If there are a number of objects that match what you have typed in, it will display the full list of members with the first match highlighted.

Parameter Info

Another useful form of IntelliSense is the parameter information that is shown after you type the opening parenthesis of a method (it goes away when the parentheses are closed). When editing an already existing method, it would be nice to have this information again without having to delete and then reenter the opening parenthesis, wouldn't it? As long as the cursor is located inside of the method parameters parenthesis, pressing Ctrl-Shift-Space (Edit.ParameterInfo) will display the parameter information pop up.

Quick Info

When you move your mouse over a method or variable, you will see a small tool tip pop up that contains information about that method or variable. This is commonly called Quick Info. If you are navigating by keyboard, you can also get this small pop up by pressing Ctrl-K and then Ctrl-I (Edit.QuickInfo). Using this shortcut is also the only way to bring up this informational pop up during debug, since the default behavior is to show the value of the object you are hovering over when using the mouse.

Adding guidelines:

Close Visual Studio.
Open regedit (Start -> Run -> type regedit).
Navigate to HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\<7.1>\Text Editor.
Right-click on the Text Editor key and choose New -> String Value and name it "Guides".
Set the value of the guides to RGB(128, 128, 128) 4, 16.

The first part of the value sets the color of the guidelines using common red, green, and blue values. 128, 128, and 128 sets the color of the guidelines to gray. The second numbers specify where the guidelines should appear. In this example, guidelines will be shown at the 4-space mark as well as the 16-space mark. You can add up to 13 different guidelines by simply adding more numeric values separated by commas.

After you have created your registry entry, you will see guidelines in the marks specified when you launch Visual Studio.

Programming IDE

2008-06-22T05:48:00.000-07:00

Most of the time i will write my proj. in Visual Studio 2005 but also i will write som code in
SharpDevelop.

Just another first post :)

2008-06-21T11:46:00.000-07:00

Well first i just want to say hello to all the people

that will visit and support me to continue with

my programming work and sharing experience.

I will try to manage post so both the bold one’s and

pro will understand what i will be writing about.

Thanks in forward,

Marjan Nikolovski