Thursday, January 31, 2013

Clear Items of a DropDownList using jQuery

<asp:DropDownList ID="ddlPeople" runat="server">
</asp:DropDownList>
 
$("select[id$=ddlPeople] > option").remove();
 
 
“> option” matches all child elements. Because each item in the drop down list is rendered as an <option> tag, you need to clear the child <option> tags in order to clear the items in a drop down list.

ref
 

Thursday, January 17, 2013

Using parameterized SQL queries to help prevent SQL injection attack.

Using parameterized SQL queries to help prevent SQL injection attack.

If you are not new to web development in particular, it is quite likely that you already know what a SQL injection is and how it poses threat to your system security. This is more probable when you are adding strings to SQL commands.
 
 
 
string sql = "SELECT * FROM tblUser WHERE Name = '" + txtName.Text +
   "' AND Password = '" + txtpassword.Text + "'";
 
Well, the above statement looks fine but what a malicious user would now do is add condition such as
 
' OR 3=3 --
 
So that the actual SQL statement becomes
 
 
SELECT * FROM tblUser  WHERE Name = '' OR 3=3 --' AND Password = ''
 
 
The double dashes comment out rest of the statement and the condition 3=3 is added. Since 3 is always equal to 3 the query selects every row in the table thus giving access to information which wouldn't be available otherwise.
 
However, parameterizing the SQL statement would not only remove this vulnerability but also enhance performance multifold. Parameterized SQL statements are in some ways similar to stored procedures, so if you have worked with the latter, the concept of parameterized query would be easier to understand. Further, since the parts of the SQL statement are added as parameters, the same code can be reused.
 
Now let us create a parameterized SQL statement in ASP.NET. As usual, we would be required to first create our connection and command objects. We would then add parameters to it before it is executed.
 
 
SqlConnection objCon = new SqlConnection(ConnectionString);
objCon.Open();
SqlCommand objCommand = new SqlCommand(
   "SELECT * FROM User WHERE Name = @Name AND Password = @Password",
   objConnection);
objCommand.Parameters.Add("@Name",  txtName.Text);
objCommand.Parameters.Add("@Password", txtpassword.Text);
SqlDataReader objReader = objCommand.ExecuteReader();
if (objReader.Read())
{
  ----------
 --------
---------
}
 

Sunday, January 13, 2013

diffrence between Get and Post HTTP Methods


GET Method:

1.All the name value pairs are submitted as a query string in URL.
It's not secured as it is visible in plain text format in the Location bar of the web browser.

2.Length of the string is restricted.


3.If get method is used and if the page is refreshed it would not prompt before the request is submitted again.

4.One can store the name value pairs as bookmark and directly be used while sharing with others - example search results.


POST Method:

1. All the name value pairs are submitted in the Message Body of the request.

2. Length of the string (amount of data submitted) is not restricted.

3. Post Method is secured because Name-Value pairs cannot be seen in location bar of the web browser.

4. If post method is used and if the page is refreshed it would prompt before the request is resubmitted.

5. If the service associated with the processing of a form has side effects (for example, modification of a database or subscription to a service), the method should be POST.

6. Data is submitted in the form as specified in enctype attribute of form tag and thus files can be used in FileUpload input box.