Another Believer! (EXEC sp_name param, 'param') -Not!

By
Vis-a-vis my last number on why not to use "Exec spname paramvalue" etc. -- my friend figured out that all the places he was doing new SqlDataAdapter("exec mysp 1,5 'hello'"); are open to SQL injection attack (he thought they were immune to it). Why? Simple- if an attacker can get access to the SQL string they can just add ";DELETE TABLENAME". DOH!

So now he is happily rewriting everything to use SqlHelper and turning all those inline text strings into object[] parms={1,5,'hello'}; object arrays.

You see that? You are only dumb when you think you know everything....
Peter has been active on the C# and other MS newsgroups, has had samples at gotdotnet.com (now codegallery.com) that have been downloaded over 56,000 times, and has written numerous articles for eggheadcafe.com, for which he is a co-founder, and MSDNAA sites. He has also been a technical reviewer on books from Prentice Hall, Manning and other publishers. Peter was a Microsoft MVP for 10 years. Peter was born and raised in New York City, and after a stint as a jazz musician playing contrabass with the Robert Hunt Trio, migrated to sunny Florida, where he was hired as a rookie Financial Consultant at Merrill Lynch in Orlando, specializing in Corporate Services. It was at Merrill that Peter realized computers and technology were his forte. He spent his last few years at Merrill developing real – time computerized trading and and stock charting program using advanced technical analysis indicators, some of which are his own inventions. In 1997, he moved on to architect and serve as lead developer on a number of innovative web-based and middleware solutions for the healthcare and financial services industry.

Comments

Post a Comment

Popular posts from this blog

IE7 - Vista: "Internet Explorer has stopped Working"

By
Image
This one was a bitch. All of a sudden for no reason at all, out of the blue, I get this dialog "internet Explorer has stopped working". I didn't install any new software, crap- I didn't do anything! So here I am using FIREFART to go on the internet and find out what to do! Damn! Good thing I've got the sucker on the same machine (I'm not "anti-Firefox", i just don't use it that much except to check my page renderings). The Fix The fix (at least for me): 1) Go into Control Panel, and choose "Internet Options". 2) Under the "Advanced" tab, press the "RESET" button at the lower right: Don't ask me why this happens, or why the fix works. That's a BUG, D00D - I don't care how you slice it!
Read more

FIREFOX / IE Word-Wrap, Word-Break, TABLES FIX

By
One of the most annoying things a developer (who would normally delight in writing code, not futzing with markup) can have is getting rendering issues between different browsers. The two biggest players are of course Internet Exploder and Firefart (as I lovingly like to refer to each). In most cases that's going to take care of 98 percent of your total site traffic. IE has had a proprietary "word-break" style attribute for a long time, and this made it into the CSS 3.0 spec. But that doesn't necessarily help you with Firefox right now. Firefox literally - (and I consider this completely idiotic, since it's been in their bug database for FIVE YEARS) does not have a reliable CSS style element to force table cell content to break in the middle of a word in order to stop the content from expanding your table / div off the page or over other content on the page. Here's a partial fix, which will work for most tables and browsers. The style declaration (I call it m...
Read more

FIX: Requested Registry Access is not allowed (Visual Studio 2008)

By
Symptom: in Visual Studio 2008, you attempt to add a new WebContentForm and associate it with a MasterPage. You receive an error dialog "Requested Reqistry Access is not allowed". Don't ask me what caused this; I'm guessing that the registry keys involved had their access denied due to removal of a previous version of Visual Studio, leaving the new guy (Visual Studio 2008) in the lurch. Here's the fix: Download "subinacl" here . This is a command-line tool that enables administrators to obtain security information about files, registry keys, and services, and transfer this information from user to user, from local or global group to group, and from domain to domain. After installing subinacl.exe (it will be in the C:\Program Files\Windows Resource Kits\Tools folder.), drop to a command prompt and run the following batch file, which you have saved in the same folder with the filename "FIX.bat": subinacl /subkeyreg HKEY_CLASSES_ROOT\VisualStudi...
Read more

KB929729 Windows Update Failure - An Easy FIX

By
Image
OK, it's Microsoft Windows Update "Fun Time" again! KB929729 Security Update for .NET 1.1 shows up in Windows Update and guess what? It never goes away. It's like it's going to be there wanting to get reinstalled like FOREVER. The 1.1 service pack was an optional update that many users did not install, so the latest security update is doomed to fail. The security update did not search for the right version prior to installation so either you got a installation failure message or it "updated sucessfully" only to reappear as a needed update a few minutes later. If you are unfortunate enough to have .Net Framework version 2 or 3 without updating your service pack for version 1 your headaches just got worse, because the official "FIX" for this involves uninstalling ALL versions of .NET Framework and is quite painful. Fortunately for many the shorter "Fix" I detail here should work. NOTE: This is for Windows VISTA ONLY. 1) Instead of using...
Read more

OMG, Silverlight! Asynchronous is Evil! (or, Call me back when you got it)

By
Now we sit through Shakespeare in order to recognize the quotations. - Orson Welles I just have to shake my head at this absolutely moronic thread on the Silverlight Forums promoting a "petition" to bring back synchronous webrequests in Silverlight. Really, it has all the elements of the old VB6 flame wars… N.B. 8/18/2008: It looks like the moderators finally took the thread down; it was so full of hate posts and name-calling and ad-hominem attacks, its about time! They just don't understand: Have you ever had your browser freeze up when requesting a page somewhere which request (or even a subrequest in the page, such as for advertising or an image) doesn't come back right away? Your browser turns white, your whole damned desktop is frozen, and you may need to get rid of IEXPLORE.EXE from within Task Manager just to free up your system (in rare cases you may actually have to shut down and reboot). This is what happens when a developer who doesn't know how t...
Read more