[thelist] simple asp.net question

Ken Schaefer Ken at adOpenStatic.com
Thu Aug 2 22:18:25 CDT 2007


Hi,

Here are three examples I found googling "ASP.NET parameterized queries Access"

http://aspnet101.com/aspnet101/tutorials.aspx?id=1
http://www.mikesdotnetting.com/Article.aspx?ArticleID=26
http://www.4guysfromrolla.com/webtech/092601-1.2.shtml

There appear to be a few more good ones in the first 10 results.

To be honest - I would strongly recommend you go and buy Stephen Walther's "ASP.NET Unleashed" book (there are versions for v1.1, and v2.0/3.0) if you are just starting out with ASP.NET. It covers an enormous amount of information across just about everything you will touch when starting off with ASP.NET.

If you have a bookstore within 5-10 minutes drive, then the 20 minute investment that you'll make in getting that book will repay itself in a week.

Cheers
Ken


-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Coulson
Sent: Friday, 3 August 2007 12:47 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

Okay, okay.  I'm pretty sure the only people inside the building who even know what SQL is are honest enough not to try exploiting a weakness in my code, but your concerns are valid.  I'm just being lazy.  I suppose I'd rather make it secure now and not have to do anything but move it from one server to the next when we start putting the intranet on the web server.

Would you please take a moment to show me how that is done?  If it's not clear, I don't know a whole lot about .Net; however, it's my only programming option at work!

Thanks!

Jeremy

-----Original Message-----
From: Ken Schaefer <Ken at adOpenStatic.com>
To: "thelist at lists.evolt.org" <thelist at lists.evolt.org>
Date: Fri, 3 Aug 2007 12:10:53 +1000
Subject: Re: [thelist] simple asp.net question

You think that only random people out on the internet are ever interested in getting access to more than they should?

You are going around this completely the wrong way. Retrofitting your code later on is going to be a far more expensive undertaking than just doing it the safe way now.

You'd need to change about 4-5 lines of code, and use named parameters instead of sticking literal strings into your SQL statement, and you'd make your entire page immune to SQL Injection attacks.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org [mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeremy Coulson
Sent: Thursday, 2 August 2007 9:39 PM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

Extension changed.

I'm not so worried about that security right now since our intranet is not
available to the outside world.  If I get this version working, I'll beef up
the security later when we move our intranet to our web server.  That,
however, is many months off and they desire the phone list searching ability
ASAP.

Jeremy Coulson
PC Technician/Webmaster, Frederick County
(540) 722-8211
jcoulson at co.frederick.va.us


-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Ken Schaefer
Sent: Thursday, August 02, 2007 7:02 AM
To: thelist at lists.evolt.org
Subject: Re: [thelist] simple asp.net question

The code could not be downloaded - it's trying to be executed by the server.
You'd need to change the extension to something like .txt (that's handled by
the static file handler in IIS)

Secondly, that SQL statement is vulnerable to SQL injection. Use parameters.

Cheers
Ken

-----Original Message-----
From: thelist-bounces at lists.evolt.org
[mailto:thelist-bounces at lists.evolt.org] On Behalf Of Jeremy Coulson
Sent: Thursday, 2 August 2007 1:55 PM
To: thelist at lists.evolt.org
Subject: [thelist] simple asp.net question

I'm 100% certain I'm missing something really simple on this search I've
been trying to build for our phone directory on our intranet.  Everything is
working correctly except one thing.  When a user enters a search that
returns no result, a label tells the user there were no results.
Unfortunately, the program never makes it to the second half of the
conditional statement and all searches - even successful ones - return the
same message.



You can see the whole code (there's not much!) at
http://www.co.frederick.va.us/coulson/phoneExtensions.aspx (but you have to
download it because that server is running an older framework that doesn't
know gridview).  This is the specific function that is not working:


---------------------->

    Sub nameHandler(ByVal sender As Object, ByVal e As EventArgs)

        If strSearch.Text = "" Then
            lbl1.Text = "<br /><font color='red'>Please enter a search term in the box above!</font>"
        Else
            ' The search term is concatenated straight into the SQL text
            ' (this is the injection problem raised in the replies).
            AccessDataSource1.SelectCommand = _
                "SELECT [lastName], [firstName], [dept], [ext], [email] " + _
                "FROM [tblPhones] WHERE [lastName] = '" + strSearch.Text + _
                "' OR [firstName] = '" + strSearch.Text + "' ORDER BY [dept], [lastName]"

            ' Rows.Count is read here, before GridView1 has been re-bound to the
            ' new SelectCommand (binding happens later in the page lifecycle
            ' unless DataBind() is called explicitly).
            If GridView1.Rows.Count = 0 Then
                lbl1.Text = "<br />Your search for " & strSearch.Text & " found no results."
            Else
                lbl1.Text = "<br />Search string: " & strSearch.Text & "."
            End If
        End If

    End Sub

---------------------->

Why does it never get to the Else half of that If?  I'm thinking this is
either a failure of my ability to nest conditional statements, a failure of
my logic, or a failure of my understanding of GridView.Rows.Count.  I've
been beating this dead horse for three hours now and I'm going to bed.
Hopefully I will find a solution tomorrow.  If you know it, feel free to
share!  Thanks!
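Ken's advice (use parameters instead of splicing strSearch.Text into the SQL) applied to the nameHandler from the original post, as an added example that is not code from anyone in the thread; one caveat for Access is that AccessDataSource goes through the Jet OLE DB provider, which takes positional "?" placeholders rather than named ones, so SelectParameters are matched to the markers by position. Assumed: a code-behind class named PhoneExtensions, the control and column names from the post, and that the grid is re-bound with DataBind() before Rows.Count is checked, since a data source control does not refresh the grid until later in the page lifecycle.

```vbnet
Imports System
Imports System.Web
Imports System.Web.UI
Imports System.Web.UI.WebControls

' Hypothetical code-behind class name; control names come from the original post.
Partial Class PhoneExtensions
    Inherits Page

    Protected Sub nameHandler(ByVal sender As Object, ByVal e As EventArgs)
        Dim term As String = strSearch.Text.Trim()

        If term = "" Then
            lbl1.Text = "<br /><font color='red'>Please enter a search term in the box above!</font>"
            Return
        End If

        ' AccessDataSource talks to Jet through OLE DB, which only supports
        ' positional "?" placeholders. The parameter names below are for
        ' readability; they are matched to the "?" markers by position, so the
        ' same value is added once for each placeholder it fills.
        AccessDataSource1.SelectCommand = _
            "SELECT [lastName], [firstName], [dept], [ext], [email] " & _
            "FROM [tblPhones] WHERE [lastName] = ? OR [firstName] = ? " & _
            "ORDER BY [dept], [lastName]"
        AccessDataSource1.SelectParameters.Clear()
        AccessDataSource1.SelectParameters.Add("lastName", term)
        AccessDataSource1.SelectParameters.Add("firstName", term)

        ' Re-bind now: otherwise the grid is not refreshed until PreRender and
        ' Rows.Count still describes the rows from the previous request.
        GridView1.DataBind()

        ' Encode the term before echoing it back into the page markup.
        Dim safeTerm As String = HttpUtility.HtmlEncode(term)
        If GridView1.Rows.Count = 0 Then
            lbl1.Text = "<br />Your search for " & safeTerm & " found no results."
        Else
            lbl1.Text = "<br />Search string: " & safeTerm & "."
        End If
    End Sub
End Class
```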