Wednesday, November 4, 2009

Security

To quote 'Black Adder', security is not a dirty word. But it IS important. For any project storing sensitive data, it's probably the most important thing of all. I wonder how many non-programmers know that even if a hacker can't get into your system, a bad security system can still allow them to erase all your data? Check this out:

Someone asked:

How does one go about creating a login window using C#.

and got this reply:

For that you have to use a database connection.
I think this code will help you......


SqlConnection MySchool;
MySchool = new SqlConnection("server=(local);database=MySchool;integrated security=sspi");
MySchool.Open();
String selectCmd = "select * from signin where vusername='" + Txtuname.Text + "'";
SqlCommand MyCmd = new SqlCommand(selectCmd, MySchool);
SqlDataReader dr;
dr = MyCmd.ExecuteReader();
while (dr.Read())
{
    if ((String.Equals(dr.GetString(0).Trim(), Txtuname.Text.Trim())) == true)
    {
        if ((String.Equals(dr.GetString(1).Trim(), Txtpassword.Text.Trim())) == true)
        {
            //test.Text="Inside if";
            Response.Redirect("New_Page.aspx");
        }
        else
        {
            Lblmsg.Text = "Error:Password is wrong.";
        }
    }
    else
    {
        Lblmsg.Text = "Error:Username is wrong";
    }
}

:)


This is not a question, this is someone's answer, and it appears to be from a school database system. He is pulling all of the passwords down from the database, where they are apparently not encrypted, and he's going through them one by one. What's worse (apart from the fact that this means if a student got into the database, they could read ALL the usernames and passwords) is that he's taking free text typed by the user and using it to build the database query. That means someone who guesses this might be going on can also guess the return format (two columns, called username and password, seems a good bet), and inject SQL to create themselves a login, or they could add a command to simply erase the entire database. Of course, you can set up your database so that the user the program runs under doesn't have permission to erase things, but do you think the guy who wrote this code knows that?
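As an added example (my own code, not the poster's), here is how the same login can be written in C# so that the user's input never becomes part of the SQL text, passwords are stored as salted PBKDF2 hashes rather than in the clear, and the program's database login needs nothing more than SELECT on a single table. The table and column names (Users, UserName, PasswordHash, Salt, Role), the iteration count and the connection string are assumptions, not anything from the posted code.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

// Added example, not from the original post. Assumes a table
//   Users(UserName nvarchar(64), PasswordHash varbinary(32), Salt varbinary(16), Role nvarchar(32))
// and a connection string for a SQL login that has only SELECT on that table.
public static class LoginService
{
    private const int SaltSize = 16;
    private const int HashSize = 32;
    private const int Iterations = 10000; // PBKDF2 work factor; raise it as hardware gets faster

    // Salted PBKDF2 (RFC 2898) hash of the password; this is what gets stored, never the password.
    public static byte[] HashPassword(string password, byte[] salt)
    {
        var kdf = new Rfc2898DeriveBytes(password, salt, Iterations);
        return kdf.GetBytes(HashSize);
    }

    // Fresh random salt for a new account or a password change.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        return salt;
    }

    // Compare every byte regardless of where the first mismatch is, so timing
    // does not reveal how much of the hash matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Returns the user's role on success, or null when the user name or password is wrong.
    // The caller shows one generic failure message either way, so the response does not
    // tell an outsider which user names exist.
    public static string Authenticate(string connectionString, string userName, string password)
    {
        const string sql = "SELECT PasswordHash, Salt, Role FROM Users WHERE UserName = @UserName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed parameter: the input travels to SQL Server as data, never as part of the query text.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader dr = cmd.ExecuteReader(CommandBehavior.SingleRow))
            {
                if (!dr.Read()) return null; // unknown user

                byte[] storedHash = (byte[])dr["PasswordHash"];
                byte[] salt = (byte[])dr["Salt"];
                string role = dr.GetString(2);

                byte[] candidate = HashPassword(password, salt);
                return FixedTimeEquals(candidate, storedHash) ? role : null;
            }
        }
    }
}
```

In the button handler you call `LoginService.Authenticate(connectionString, Txtuname.Text, Txtpassword.Text)`; a null result sets a single "Invalid user name or password" label, and anything else is the role to route on. Only one row ever leaves the database, the query text is fixed at compile time, and if the SQL login the site runs under is granted nothing but SELECT on Users, a mistake elsewhere in the code cannot drop tables either.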

Just to prove that this happens in VB too:

Hi
I am working on a login form using VB 2005 and SQL 2000. I made 2 text boxes and 2 buttons;
on click on the OK button it will call the following function:

EmployeeCode = txtEmployeeCode.Text
EmployeePassword = txtEmployeePassword.Text
ConnectionString = "Data Source=HAKMEH;Initial Catalog=HMS;Integrated Security=True"
Login(ConnectionString, EmployeeCode, EmployeePassword)

THE FUNCTION IS:

Public Sub Login(ByVal ConnectionString As String, ByVal EmployeeCode As String, ByVal EmployeePassword As String)
    Dim ds As New DataSet
    ds.Clear()
    Dim MyConnection As New SqlConnection(ConnectionString)
    Dim SelectQuery As String = "Select EmployeeCode,EmployeePassword from tblEmployees where EmployeeCode = ('" & txtEmployeeCode.Text & "') and EmployeePassword = ('" & _
        txtEmployeePassword.Text & "')"
    Dim adapter As New SqlClient.SqlDataAdapter
    Dim MyCommand As New SqlCommand(SelectQuery, MyConnection)
    MyConnection.Open()
    Dim Command As String = MyCommand.ExecuteNonQuery
    **** adapter.Fill(ds, "tblEmployees") ****
    Dim dt As DataTable = ds.Tables(0)
    If dt.Rows.Count <> 0 Then
        frmAdministrator.Show()
    Else
        MsgBox("You are not Authorized to access")
    End If
    MyConnection.Close()
End Sub

When it comes to the line with stars, it gave me the following message:

The SelectCommand property has not been initialized before calling 'Fill'.

So where is the error?


Now, I'm sure that sometimes these questions are asked by people attempting this stuff as part of a course, but for the examples I give here, I checked their history and profile, and they certainly appear to be employed as software developers.

This one takes the cake:

Hi!
I have a little problem. My problem is:

I have two users.
If the first user enters their own login & password, it goes to another page, i.e. "first.aspx".
If the second user enters their own login & password, it goes to another page, i.e. "second page.aspx".

My login page is common for both users.
I have used this code but it goes to only one page. Actually I don't know what I can do. Please solve my problem.

// ds and con are declared elsewhere on the poster's page
protected void Button1_Click(object sender, EventArgs e)
{
    string name = TextBox1.Text;
    string password = TextBox2.Text;
    string str = " select * from login where user_name ='" + name + "' and password ='" + password + "'";
    SqlDataAdapter da = new SqlDataAdapter(str, con);
    da.Fill(ds, "a");

    if ((ds.Tables[0].Rows.Count) == 0)
    {
        Label1.Text = "User Does not Exist";
    }
    else
    {
        Response.Redirect("first.aspx");
    }
}

Here's another example, from someone whose profile says:

I'm working as a web developer in a software company.
I work on ASP.NET using C#.....


And his question:

Hi, I'm using an Access DB and I have created my own login form.
I want that without logging in the user cannot go to my admin page.
How can I do this...
Please guide...


So why does he have a job, if he doesn't even know where to start, and why is he being trusted with writing the security system for this website?
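The last two questions are about authorization rather than authentication: sending each user to the page their role allows, and keeping anyone who has not logged in out of the admin page. As an added example (mine, not code from either poster), the C# below keeps the role established at login in the server-side session and has every protected page check it before it renders. The role names, page names and the `ProtectedPage` base class are assumptions; the credential check itself is assumed to have already happened. ASP.NET's built-in Forms authentication with `<authorization>` rules in web.config does the same job declaratively and is the better choice for a real site.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not from the original posts. Assumes the login handler has already
// verified the user's credentials server-side and learned their role ("admin" or "user").
public static class RoleRouting
{
    // Where a freshly authenticated user is sent. An unexpected role value falls through
    // to the least privileged page, never to the admin page.
    public static string LandingPageFor(string role)
    {
        switch (role)
        {
            case "admin": return "first.aspx";
            case "user":  return "second.aspx";
            default:      return "second.aspx";
        }
    }
}

// Every page that needs a login derives from this instead of Page. A page that also
// needs a particular role overrides RequiredRole.
public class ProtectedPage : Page
{
    protected virtual string RequiredRole { get { return null; } }

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        string role = Session["Role"] as string;

        // No role in the session means nobody logged in: the check is server-side,
        // so hiding the link on the menu is not what keeps the page private.
        if (role == null)
        {
            Response.Redirect("Login.aspx");
            return;
        }

        // Logged in, but not entitled to this page.
        if (RequiredRole != null && !string.Equals(role, RequiredRole, StringComparison.Ordinal))
        {
            Response.Redirect(RoleRouting.LandingPageFor(role));
        }
    }
}

// Admin.aspx: code-behind only has to name the role it needs.
public partial class Admin : ProtectedPage
{
    protected override string RequiredRole { get { return "admin"; } }
}

// Login.aspx: called once the credentials have been accepted.
public partial class Login : Page
{
    protected void OnAuthenticated(string userName, string role)
    {
        Session["UserName"] = userName;
        Session["Role"] = role;
        Response.Redirect(RoleRouting.LandingPageFor(role));
    }
}
```

The decision of which page a user lands on, and whether they may see a page at all, is taken from the role the server stored, not from anything in the request, so typing the admin URL into the address bar without logging in simply bounces to Login.aspx.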

I could go on forever with examples; this happens all the time. Suffice it to say, the safest way forward for these people, in terms of security, appears to be the approach this guy is taking:


Hi to all

I need the source code of a Hospital Management System in VB.NET and with database design.

Thanks in advance



Regards,
Arfan Qadir
