From: sara

Hello all,

Help me please. I have the following code, which takes a student id and password, then checks whether the id is found; if it is, it checks the password. If the password and id are both correct, the student can log in to the system. If the password is wrong, he can try 3 times; if the id is not recognized, the terminal is locked for 5 minutes.

When I compiled the code, the error message appeared on the line dr = cm.ExecuteReader. I don't know what is wrong with the SQL command.

code
...............
    Public Sub log(ByVal num As Integer, ByVal pass As String)
        Dim cnn As New SqlConnection("server=(local);database=db1;Trusted_Connection=yes")
        Dim cm As New SqlCommand("select * from student where id=@num", cnn)
        Dim dr As SqlDataReader
        cnn.Open()
        dr = cm.ExecuteReader
        dr.Read()
        If dr("id") = num Then
            If dr("pass") = pass Then
                MsgBox("login")
            Else
                MsgBox("invalid password")
            End If
        Else
            MsgBox("Id is not recognized")
        End If
        dr.Close()
    End Sub
......................
Please help me, I am a student and this is a course project.

Thanks
sara

Posted at: http://www.groupsrv.com
Posted Via Usenet.com Premium Usenet Newsgroup Services
http://www.usenet.com


From: Elton Wang

Hi sara,

Change

    Dim cm As New SqlCommand("select * from student where id=@num", cnn)

to

    Dim cm As New SqlCommand("select * from student where id=" & num.ToString, cnn)

HTH

Elton Wang
elton_w***@hotmail.com

> -----Original Message-----
> (sara's post, quoted in full above)


From: Jim Hughes

Please don't do that!

    Dim cm As New SqlCommand("select * from student where id=@num", cnn)
    cm.Parameters.Add("@num", num)

Search Google for SQL injection attack.

Also look into using the Data Access Application Block (DAAB) from Microsoft.

"Elton Wang" <anonym***@discussions.microsoft.com> wrote in message news:0e4001c5324a$f57ee530$a501280a@phx.gbl...
> (Elton's reply, quoted in full above)


From: Elton Wang

Hi Jim,

It's a good point. If field id is of type char or varchar (or something similar), it's better to use a parameter. For type int, there is no large difference.

HTH

Elton Wang

> -----Original Message-----
> (Jim's reply, quoted in full above)


From: Jim Hughes

Consistently doing things the correct way is the key to success.

The OP was using a parameterized query, but just missed adding the parameter.

In this case however, as you pointed out, the only thing saving this from a SQL injection attack was the ByVal num As Integer function argument. That may not have been obvious to the OP for the next function, where they were passing in the username as a string instead of the ID.

"Elton Wang" <anonym***@discussions.microsoft.com> wrote in message news:192901c53259$cbbb8730$a401280a@phx.gbl...
> (Elton's reply, quoted in full above)


From: Anubhav

Use a parameterized query instead of thinking that it's an integer so I can pass it like

    Dim cm As New SqlCommand("select * from student where id=" & num.ToString, cnn)

Better to do it the first time and always.

Thanks
Anubhav

"Jim Hughes" <NOSPAMJ3033@Hotmail.com> wrote in message news:uXGSFLmMFHA.3512@TK2MSFTNGP15.phx.gbl...
> (Jim's reply, quoted in full above)
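The parameterised lookup Jim recommends, combined with the three-attempt and five-minute lockout rules sara describes, as an added example that is not code from this thread. It uses Python's sqlite3 standing in for SqlClient, a constructed in-memory student table with made-up passwords, and assumes (the thread does not say) that three wrong passwords also lock the terminal.

```python
import sqlite3
import time

MAX_ATTEMPTS = 3           # wrong passwords allowed before the terminal locks (assumption)
LOCKOUT_SECONDS = 5 * 60   # lockout after an unrecognised id, as in the original post


def make_db():
    """Constructed in-memory stand-in for the 'student' table in db1."""
    cnn = sqlite3.connect(":memory:")
    cnn.execute("create table student (id integer primary key, pass text)")
    cnn.executemany("insert into student values (?, ?)",
                    [(1001, "s3cret"), (1002, "pa55")])   # constructed sample rows
    return cnn


class LoginTerminal:
    def __init__(self, cnn, clock=time.monotonic):
        self.cnn = cnn
        self.clock = clock          # injectable so the lockout can be tested
        self.failures = {}          # id -> consecutive wrong passwords
        self.locked_until = 0.0

    def login(self, num, pass_):
        now = self.clock()
        if now < self.locked_until:
            return "terminal locked"
        # Parameterised lookup: num is bound as a value, never spliced into the
        # SQL text, so the same code is safe whether num is an int or a string
        # such as a username (Jim's point about the next function).
        row = self.cnn.execute(
            "select id, pass from student where id = ?", (num,)).fetchone()
        if row is None:
            self.locked_until = now + LOCKOUT_SECONDS
            return "Id is not recognized"
        # Plain-text compare as in the original post; a real system stores a
        # salted password hash and compares against that instead.
        if row[1] != pass_:
            self.failures[num] = self.failures.get(num, 0) + 1
            if self.failures[num] >= MAX_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                return "terminal locked"
            return "invalid password"
        self.failures.pop(num, None)
        return "login"
```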