Friday, March 16, 2012

Database Connection String


MySQL Connection String

MySQL ConnectionString using MySQL ODBC Driver

<add name="entaccess" connectionString="Driver={MySQL ODBC 3.51 Driver};SERVER=server_name; DATABASE=DataBase_Name;Port=3306;USER=uid;PASSWORD=pass;Connect Timeout=0; OPTION=3;"/>

MySQL ConnectionString using MySQL.Data.dll

<add name="MySQLConnectionString" connectionString="server=server_name; user id=root; password=pwd; database=databasename; pooling=false;default command timeout=3600;" providerName="MySql.Data.MySqlClient"/>


SQLServer Connection String

SQLServer ConnectionString using SQL Server authentication mode

<add name="SQLConnectionString" connectionString="Data Source=server_name;Initial Catalog=DataBase_Name;User Id=myUsername;Password=myPassword;" providerName="System.Data.SqlClient"/>

<add name="SQLConnectionString" connectionString="Server=server_name;Database=DataBase_Name;User Id=myUsername;Password=myPassword;" providerName="System.Data.SqlClient"/>


SQLServer ConnectionString using Windows authentication mode

<add name="SQLConnectionString" connectionString="Data Source=server_name;Initial Catalog=DataBase_Name;Integrated Security=True;" providerName="System.Data.SqlClient"/>

<add name="SQLConnectionString" connectionString="Server=server_name;Database=DataBase_Name;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>

Attach a database file, located in the data directory

<add name="SQLConnectionString" connectionString="Server=.\SQLExpress;AttachDbFilename=|DataDirectory|dbfile.mdf;Database=dbname;Trusted_Connection=Yes;" providerName="System.Data.SqlClient"/>

Oracle Connection String

<add name="ConnectionString" connectionString="Data Source=servername;Persist Security Info=True;User ID=uid;Password=password;Unicode=True;"/>

<add name="ConnectionString" connectionString="Data Source=servername;Persist Security Info=True;User ID=id;Password=pwd;"/>



Preventing SQL injection attacks using C#.NET


What is a SQL Injection Attack?
A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.
There are two main types of attacks. First-order attacks are when the attacker receives the desired result immediately, either by direct response from the application they are interacting with or some other response mechanism, such as email. Second-order attacks are when the attacker injects some data that will reside in the database, but the payload will not be immediately activated.

Avoiding SQL Injection



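// Requires: using System.Configuration; using System.Data.SqlClient;
//           using System.Text.RegularExpressions;
protected void Button1_Click(object sender, EventArgs e)
{
  // Look up the connection string registered under the name "MyConnString" in web.config.
  string connect = ConfigurationManager.ConnectionStrings["MyConnString"].ConnectionString;

  // Remove every character that is not in the allow-list (the single quote is not in it).
  string username = Regex.Replace(txtuname.Text.ToString(), "[^-a-zA-Z0-9_./:&()#!@$%^&*?]+", "", RegexOptions.Compiled);

  string Pwd = Regex.Replace(txtpwd.Text.ToString(), "[^-a-zA-Z0-9_./:&()#!@$%^&*?]+", "", RegexOptions.Compiled);

  // The filtered values are concatenated into the SQL text.
  string query = "Select Count(*) From Users Where Username = '" + username + "' And Password = '" + Pwd + "'";
  int result = 0;
  using (var conn = new SqlConnection(connect))
  {
    using (var cmd = new SqlCommand(query, conn))
    {
      conn.Open();
      // Count(*) comes back as a single int value.
      result = (int)cmd.ExecuteScalar();
    }
  }
  if (result > 0)
  {
    Response.Redirect("home.aspx");
  }
  else
  {
    Literal1.Text = "Invalid credentials";
  }
}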

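Using these two lines:

string username = Regex.Replace(txtuname.Text.ToString(), "[^-a-zA-Z0-9_./:&()#!@$%^&*?]+", "", RegexOptions.Compiled);

string Pwd = Regex.Replace(txtpwd.Text.ToString(), "[^-a-zA-Z0-9_./:&()#!@$%^&*?]+", "", RegexOptions.Compiled);

every character outside the allow-list is stripped, the single quote included, so the input cannot break out of the quoted string in the query; that is how this code avoids SQL injection.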
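
An added example, not part of the original post: the same login check written with SqlCommand parameters, so the values travel separately from the SQL text and no characters have to be stripped from them. The class name, method name and column sizes are assumptions; the Users table and the MyConnString name follow the post.

```csharp
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // Hypothetical helper (not from the original post). Returns true when a row
    // in the post's Users table matches the supplied values.
    public static bool CredentialsMatch(string username, string password)
    {
        // A null value would leave the parameter unset, so reject it up front.
        if (username == null || password == null)
        {
            return false;
        }

        // "MyConnString" is the name used in the post, read from <connectionStrings>.
        string connect = ConfigurationManager
            .ConnectionStrings["MyConnString"].ConnectionString;

        // The SQL text is a constant; user input never becomes part of it.
        const string query =
            "SELECT COUNT(*) FROM Users " +
            "WHERE Username = @username AND Password = @password";

        using (var conn = new SqlConnection(connect))
        using (var cmd = new SqlCommand(query, conn))
        {
            // Explicit type and length (assumed column sizes). A value such as
            // O'Brien or x' OR '1'='1 is compared as data, quotes included.
            cmd.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = username;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 128).Value = password;

            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

In Button1_Click this replaces the Regex and concatenation lines with a single call: LoginQueries.CredentialsMatch(txtuname.Text, txtpwd.Text).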

A potentially dangerous Request.Form value was detected from the client


The issue was that when a user entered unenclosed HTML content into a comment text box, s/he got something like the following error message:

"A potentially dangerous Request.Form value was detected from the client".

This was because .NET detected something in the entered text which looked like an HTML statement. Then I got a link, Request Validation, that is a feature put in place to protect your application from cross-site scripting attacks, and followed accordingly.

To disable request validation, I added the following to the existing "page" directive in that .aspx file.

validateRequest="false"

Like this:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Login.aspx.cs" Inherits="Login" validateRequest="false"  %>

But still I got the same error.

Later I found, for .NET 4, we need to add requestValidationMode="2.0" to the httpRuntime configuration section of the web.config file like the following:

<httpRuntime requestValidationMode="2.0"/>

But if there is no httpRuntime section in the web.config file, then this goes inside the section.

If anyone wants to turn off request validation globally, use the following line in the web.config file within section:

<pages validateRequest="false" />
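
An added example, not part of the original post: with request validation turned off, markup typed into the comment box reaches the application unchanged, so the comment is HTML-encoded at the point where it is written back into a page. The class, method and control names are assumptions.

```csharp
using System.Web;

public static class CommentRenderer
{
    // Hypothetical helper (not from the original post). Turns a raw comment
    // into text that is safe to place inside an HTML element body.
    public static string ToSafeHtml(string rawComment, int maxLength)
    {
        if (string.IsNullOrEmpty(rawComment))
        {
            return string.Empty;
        }

        // Cap the length before encoding so the limit applies to what was typed.
        string text = rawComment.Length > maxLength
            ? rawComment.Substring(0, maxLength)
            : rawComment;

        // Encode first: <, >, & and quotes become entities and render as text.
        string encoded = HttpUtility.HtmlEncode(text);

        // Only after encoding, add the one piece of markup the page itself wants.
        return encoded.Replace("\r\n", "\n").Replace("\n", "<br />");
    }
}

// In the code-behind (control names are assumptions):
//   litComment.Text = CommentRenderer.ToSafeHtml(txtComment.Text, 2000);
```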