How To Protect My Parameters

Oct 25, 2007

Hello.
I have a report with parameter called "parm1", that gets a value of "true" or "false" depanding on another parameter.

When the report is runnig the parm1 value is "false".
How can I protect this parameter from a change by the user?
I mean - the user can run the report and then add to the url "&param1 = true".

Can I do anything against that?
I tried marking it as "internal" and I thought that now it can get his value only from inside the report but it didn't worked.

Any ideas?

Thanks.

View 4 Replies


ADVERTISEMENT

How Can I Protect My Parameters

Oct 25, 2007

Hello.
I have a report with parameter called "parm1", that gets a value of "true" or "false" depanding on another parameter.

When the report is runnig the parm1 value is "false".
How can I protect this parameter from a change by the user?
I mean - the user can run the report and then add to the url "¶m1 = true".

Can I do anything against that?
I tried marking it as "internal" and I thought that now it can get his value only from inside the report but it didn't worked.

Any ideas?

Thanks.

View 2 Replies View Related

Sql Injection - Are Parameters Enough To Protect You.

Feb 8, 2008

 Hi all,I have been learning .net and creating a public facing site. I am therefore worried about SQL injection.My question is...Is enclosing customer input inside .net SQLParameters enough to protect you from SQL injection?If not why not?I have seen people saying that SQLParameters alone is not enough but not an explanation why?Can anyone help?If I use code to remove words like drop or characters like '%' I'm limiting what my users can enter, but if I have to I will. taC 

View 1 Replies View Related

Protect SQL 7 Data From IS

Aug 7, 1999

My client maintains its HR data in an application that uses Oracle as its backend. This highly-sensitive data is basically off limits to all but a select few. Presently, I use a program in Access 97 that allows one high level HR person to pass their login to linked Oracle tables and copy a large chunk of this data to Access tables. From there I can morph it as needed for the Personnel, Safety, EEOC and other areas. The client sees this PW-protected, encrypted Access DB as safe because, being "only an Access DB", it falls below the radar of IS. This basically means IS can't get to the data. However, accessibility and scalability are non-existent. I'd like to reduce the Access DB to a shell that simply links to Oracle and SQL Server 7 tables and performs a straight pipe of the raw data between DBs. However, now IS will be very interested (since it's SQL 7) and have Admininstrator rights, therefore causing the HR people to squash the deal. How can I lock SQL 7 up so tight that IS can't get to the data and yet be able to maintain the DB? If this is not feasible, are there any other options that might provide a solution?

View 1 Replies View Related

Protect Data From DBA

Jan 22, 2008

Hi all, We have sql server 2000 on Windows server 2003.Is there anyway in sql server 2000 to protect some crucial data, even from the DBA. Thanks in advance...

View 14 Replies View Related

Protect From SQL Injection?

Jun 25, 2007

Hi,



Just read about SQL injection, and tested it out with sample database, and it does hack my database, the article show to prevent SQL injection by using application code to remove those keywords and change single quote to double quote, is there any method to prevent SQL injection directly using the database system itself, maybe stored procedure or anything?



Thanks.

View 6 Replies View Related

HOW CAN I PROTECT SQL DB IN AN EXISTING SERVER?

Mar 14, 2008

Dear Colleagues,

I have designed a Microsoft SQL Server 2005 database application using Visual Basic 2005. I want to control access to the database programmatically, without the End-User opening the database in SQL Server.

I want to protect the database structure such as my tables, code, etc. This restriction should include all the Administrators of the Computers on which my application will be deployed. Any modification of my database or code should be implemented only by me.

What is the best way to do this using (a) Windows Authentication Login? (b) SQL Server Login? How do I configure the User-Login?

NEW: In addition to above question, how best do I achieve this protection if installing the DB with other databases in an already existing server, is it possible to remove the Builtin Admin from the server role?? As in my case, there is no need for anyone else to open the DB in Management Studio at all as my VB application does all that is required.

Thanks and best regards,

Peter

View 6 Replies View Related

How To Protect DataBase Using Password?

Sep 6, 2007

I want only SQL Server Authentication not Windows Authentication Because If some one copy database and attach at some other place using Windows Authentication then they can see each and everything.

I want something like Access (I know its password can be broken very easily)


I want to protect Table & SP Schema, Data is not much important.

Its urgent

View 1 Replies View Related

About Database And Table Protect

May 13, 2007

hello,

We wrote an erp,and provide a platform to participator to extend my erp system,so I will give my participator database dictionary,but I only want to give partial database dictionary,I will hide some table and some field, I want they cann't open the database thouth sql server management studio or other tools,only can using our interface to access database,how can I do?

-- I use sql server 2005

View 5 Replies View Related

How To Protect Data Of One Table?

Dec 13, 2006

I have a DB on my SQL Server Express 2005. In this db I have one table and I DON'T want any user can modify data on this table but I want only show this data (only select statements allowed). If I install this db on one of my customers' machine, I can see that he can modify data into this table If he log in into the database with windows authentication and not with the "USERLOGIN" that I have created with sql server authentication. What can I to to remove dbo access in Windows authentication in my db and "transfer" the dbo in another user access (like MYUSER with Sql Server authentication)?

Thank You

Mirko

View 4 Replies View Related

Protect Intellectual Property

Jul 25, 2006



Dear All,

How is it possible to protect the Intellectual property for a integration / analysis project?

For instance if I build a complex solution €“ how do I avoid others to view and copy the solution.

Best Regards, T

View 1 Replies View Related

Tables Protect In Sqlserver 2000

Jul 31, 2003

I have some tables in the employee database, this database created from sql sever 2000. I build a employee management application by C# and sqlserver 2000.

My goal is after design complete the empployee database by sqlserver 2000, any users can not modify my tables and unkonw table's structure.
help me please

thanks and reagards

View 2 Replies View Related

How To Protect A Frequently Real Time DB

Jul 2, 2001

Hi Everybody:

We have a table which needs to be updated 2 million times per day. It hosts all real time transaction. There are 200K records in this table. Would you please to share your experience with me about how to protect/save such table in SQL 2000 from any possible damage?

We plan to use point-in-time backup (every 5 minutes). It still takes at half an hour to recover the whole database. Any new technology from Microsoft or SQL 2000 you can recommend?

Thank you very much.

Joan

View 3 Replies View Related

How To Protect Errorlogs To Tables From Rollbacks

Apr 5, 2002

Hey!

This post contains the code for this thread: http://www.sqlteam.com/Forums/topic.asp?TOPIC_ID=14475

It deals with the problem how to prevent log actions in long running batch jobs from being rolled back. It was heavily inspired by Andy Pope´s approach to error handling (http://www.sqlteam.com/item.asp?ItemID=2290) and in fact you will see much of his code here.

The code:

This procedure dynamically opens a second connection in parallel to the existing connection of the calling procedure using SQL-DMO. So the second connection runs without the scope of transaction of the calling procedure. So no action you take here is rolled back in case the calling proc fails. So be careful! Keeping data integrity is your job here and you could do many weird things to your database.
The procedure dynamically adds a user function that if called just would return the object token of the new DMO connection. So any piece of code in the same batch could reuse the exisiting connection.

LogConstructor
CREATE PROCEDURE LogConstructor AS

if exists (select * from sysobjects where id = object_id (N'dbo.MFF_GetLogObject')
and OBJECTPROPERTY(id, N'IsScalarFunction') = 1)
drop function dbo.MFF_GetLogObject

DECLARE @Error INT
DECLARE @ErrorMsg VARCHAR(255)
DECLARE @oSQLServer INTEGER
DECLARE @Source VARCHAR(255)
DECLARE @Return INTEGER
declare @dynsql nvarchar(3000)

-- Create the SQLServer object
EXEC @Error = sp_OACreate 'SQLDMO.SQLServer', @oSQLServer OUT
IF @Error <> 0
GOTO OA_Error

-- Set the login process to use NT Authentication
EXEC @Error = sp_OASetProperty @oSQLServer, 'LoginSecure', -1
IF @Error <> 0
GOTO OA_Error

-- Connect to server using NT Authentication
EXEC @Error = sp_OAMethod @oSQLServer, 'Connect', NULL, @@SERVERNAME
IF @Error <> 0
GOTO OA_Error

-- Verify the connection
EXEC @Error = sp_OAMethod @oSQLServer, 'VerifyConnection', @Return OUTPUT
IF @Error <> 0
GOTO OA_Error
IF @Return = 0
GOTO OA_Error

-- Create Function with server object
select @dynsql = N'CREATE Function MFF_GetLogObject () RETURNS INT AS BEGIN RETURN ' + cast(@oSQLServer as varchar) + N' END'
EXEC sp_executesql @dynsql

return


OA_Error:
-- Get the error text
EXEC sp_OAGetErrorInfo @oSQLServer, @Source OUT, @ErrorMsg OUT
SELECT
@ErrorMsg = CONVERT(CHAR(16), @Error) + ': ' + @ErrorMsg + ' (Source: ' + @Source + ')'
print @ErrorMsg
return
GO
The next procedure just drops the DMO connection and also drops the user function as the token is invalid by now. This proc should be called within the same batch as the constructor to clean things up properly.

LogDestructor

CREATE PROCEDURE MFP_LogDestructor AS

declare @lo int
select @lo = dbo.MFF_GetLogObject()
exec sp_OADestroy @lo

if exists (select * from sysobjects where id = object_id(N'dbo.MFF_GetLogObject')
and OBJECTPROPERTY(id, N'IsScalarFunction') = 1)
drop function dbo.MFF_GetLogObject
GO

View 2 Replies View Related

How To PROTECT SQL Server Database Files ?

Jul 23, 2005

Hello,How to protect structures(Tables,SP,Views and Functions) of a SQLServer Database?(Password protect a database file)I have a SQL database that will distribute with my application, I wantto protects it's structure from my appliction users. Only myapplication can access the database.Thanks

View 3 Replies View Related

How Do I Protect Access Database (MDB File)?

Apr 16, 2007

I have developed a small desktop application using c# and Ms Access 2002. Database is password protected and contains sensitive data. As many password retrieval tools are available, What should I do to protect Ms-Access (.MDB ) file? Is there any way through which I can hide database file

View 3 Replies View Related

Creation Of Credentials And Certificates To Protect A DB

Jun 22, 2006

Hi, i want to know if its posible to create credentials or certificates in order to protect a SQL 2005 data base.

Because if someone Buckups one of my DBs from my server, and try to restore it in orther server i dont want they to see my DB information because he dont have the correct credentials or certificates for it.

This is posible?. if is, How i do it ?

Best Regards.

View 5 Replies View Related

How To Protect Encrypted Data When DB Is Stolen

Jun 25, 2007

I got a problem concerning encryption. The thing is I have decided to use symmetric key protected by certificate to encrypt certain information. Certificates are protected by database masterkey and by service key.



But I also want to be sure that if someone steals my database with all its data he wont be able to decrypt it with his own SQL Server Management Studio where he has all the permissions.



Also after some time I will need to take my database and set it up on another PC.



Has anyone ideas how to solve this??



P.S. As far as I know if symmetric key is protected by certificate which is protected by DB master key and service master key then you cant decrypt data if database is moved to another workstation and opened with another Management Studio. Please can anyone explain how this works( if its true). And if this is true then how can i move my DB without loosing access to encrypted data???

View 9 Replies View Related

SQL Server 2005 Express How To Protect Mdf Files

May 31, 2006

Panos writes "I am working with SQL Server 2005 Express Edition. How can I protect mdf files from being transfered (attached) and be used to another SQL server in another machine?
Thanks
Panos"

View 1 Replies View Related

How To Protect From SQL Injection In ASP.NET And SQL 2005 For Custom Query Expression?

Oct 3, 2006

How to Protect From SQL Injection in ASP.NET and SQL 2005 for custom query expression?In my project, I allow user to custom query expression through UI, such asstring queryCondition=' sale>20 and sale <100'string queryCondition=' createDate>"10/10/2005"'string queryCondition='Fullname like "%Paul%" '...I construct SQL based the queryCondition string, such as string mysql='select * from mytable where '+queryConditionI know it's very dangerous because of SQL Injection, but it's very convenient for user to custom query expressionCould you tell me how to do? many thanks!

View 13 Replies View Related

SQL 2012 :: How To Avoid SSIS To UN-protect Excel Template

Nov 1, 2015

I am exporting the data from database to an excel template that will have 100+ columns and approx 4000 rows of data. Then the business user will make changes to some columns without modifying primary key columns and will send back to us where we will update the same to database.

In order to this am using an excel template by protecting the primary key columns with a password protection.

At template level am fine and whenever am trying to modify any primary key column it's not allowing and am totally good there. But when I use that excel template as a destination to load data from SSIS, all the protected columns are no longer protected and i could able to make changes.

View 1 Replies View Related

Problem Using DPM 2007 To Protect SQL 2005 On Server 2008

May 18, 2008

I have a problem protecting a SQL 2005 SP2 server on Windows Server 2008 (64bit), running DPM 2007 on Windows Server 2003 (32 bit).

The following SQLVDI event ID 1 is logged in the event viewer:

SQLVDI: Loc=SVDS:pen. Desc=BADMEM. ErrorCode=(-1). Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=Global{CC60D260-C5DD-406A-9E63-64A9503A9763}1_SQLVDIMemoryName_0.


The UUID changes each time the event is logged, but the first event is followed by:

SQLVDI: Loc=SVDS::Cleanup. Desc=Close(channel). ErrorCode=(6)The handle is invalid.

. Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=Global{CC60D260-C5DD-406A-9E63-64A9503A9763}1_SQLVDIMemoryName_0.

Then this is repeated twice:

SQLVDI: Loc=SVDS::Cleanup. Desc=Close(channel). ErrorCode=(6)The handle is invalid.

. Process=2972. Thread=6504. Server. Instance=MSSQLSERVER. VD=.


Event ID 3201 is then logged by MSSQLSERVER:

Cannot open backup device '{CC60D260-C5DD-406A-9E63-64A9503A9763}1'. Operating system error 0x80770006(error not found).


This is followed by Event ID 3041:

BACKUP failed to complete the command BACKUP DATABASE CommunityServer. Check the backup application log for detailed messages.


It looks to me like the virtual device creation fails in the first step, the next three event messages are the cleanup of the failed virtual device, and the final two messages are the failed SQL backup as the expected device doesn't exist.

My question is why? The message seems to indicate bad memory, but I'm sure the physical memory is good - The 16GB in this server has been tested extensively, and I have no other issues. Perhaps its some sort of memory allocation error?

I'm going to apply cumulative update 7 to this SQL server to see if it makes a change. What's the latestest version of sqlvdi.dll available?


TIA,
Karl.

View 1 Replies View Related

Protect Data And Schema SQL SERVER 2005 EXPRESS

Aug 17, 2006



We have a commercial VB.NET winforms client/server application that utilizes SQL Server 2005 express edition. The schema and data that the application utilizes is proprietary and could be very damaging if it got into a competitors hands.

Is there any way to protect the data and schema of a sql server 2005 express edition database?

Will this functionality ever be added?



Thanks

View 1 Replies View Related

ADO.NET 2-VB 2005 Express Form1:Printing Output Of Returned Data/Parameters From The Parameters Collection Of A Stored Procedure

Mar 12, 2008

Hi all,
From the "How to Call a Parameterized Stored Procedure by Using ADO.NET and Visual Basic.NET" in http://support.microsft.com/kb/308049, I copied the following code to a project "pubsTestProc1.vb" of my VB 2005 Express Windows Application:


Imports System.Data

Imports System.Data.SqlClient

Imports System.Data.SqlDbType

Public Class Form1

Private Sub Form1_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load

Dim PubsConn As SqlConnection = New SqlConnection("Data Source=.SQLEXPRESS;integrated security=sspi;" & "initial Catalog=pubs;")

Dim testCMD As SqlCommand = New SqlCommand("TestProcedure", PubsConn)

testCMD.CommandType = CommandType.StoredProcedure

Dim RetValue As SqlParameter = testCMD.Parameters.Add("RetValue", SqlDbType.Int)

RetValue.Direction = ParameterDirection.ReturnValue

Dim auIDIN As SqlParameter = testCMD.Parameters.Add("@au_idIN", SqlDbType.VarChar, 11)

auIDIN.Direction = ParameterDirection.Input

Dim NumTitles As SqlParameter = testCMD.Parameters.Add("@numtitlesout", SqlDbType.Int)

NumTitles.Direction = ParameterDirection.Output

auIDIN.Value = "213-46-8915"

PubsConn.Open()

Dim myReader As SqlDataReader = testCMD.ExecuteReader()

Console.WriteLine("Book Titles for this Author:")

Do While myReader.Read

Console.WriteLine("{0}", myReader.GetString(2))

Loop

myReader.Close()

Console.WriteLine("Return Value: " & (RetValue.Value))

Console.WriteLine("Number of Records: " & (NumTitles.Value))

End Sub

End Class

//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
The original article uses the code statements in pink for the Console Applcation of VB.NET. I do not know how to print out the output of ("Book Titles for this Author:"), ("{0}", myReader.GetString(2)), ("Return Value: " & (RetValue.Value)) and ("Number of Records: " & (NumTitles.Value)) in the Windows Application Form1 of my VB 2005 Express. Please help and advise.

Thanks in advance,
Scott Chang

View 29 Replies View Related

Run Report By Different Parameters Without Having To Enter Information For All Parameters At Same Time

Oct 29, 2013

I have a SSRS report with four parameters,and I want to be able to enter information for two of the parameters and run the report opposed to all four of them. However, when I select allow blanks and only select the parameters that I want to run the report by, the report come back blank..Essentially, I want to be able to the run report by different parameters without having to enter information for all parameters at the same time.

View 2 Replies View Related

Query Duration Using Parameters Vrs No Parameters

Apr 27, 2006

Hi,
I have an app in C# that executes a query using SQLCommand and parameters and is taking too much time to execute.

I open a SQLProfiler and this is what I have :

exec sp_executesql N' SELECT TranDateTime ... WHERE CustomerId = @CustomerId',
N'@CustomerId nvarchar(4000)', @CustomerId = N'11111

I ran the same query directly from Query Analyzer and take the same amount of time to execute (about 8 seconds)

I decided to take the parameters out and concatenate the value and it takes less than 2 second to execute.

Here it comes the first question...
Why does using parameters takes way too much time more than not using parameters?

Then, I decided to move the query to a Stored Procedure and it executes in a snap too.
The only problem I have using a SP is that the query can receive more than 1 parameter and up to 5 parameters, which is easy to build in the application but not in the SP

I usually do it something like
(@CustomerId is null or CustomerId = @CustomerId) but it generate a table scan and with a table with a few mills of records is not a good idea to have such scan.

Is there a way to handle "dynamic parameters" in a efficient way???

View 1 Replies View Related

Parameters Dependencies When Using Parameters!Name.Label

Mar 7, 2007

Hello:

I just recently bumped into this problem and I think I know what's causing it. This is the setup:

Report Parameters: FromDate, ToDate, DivisionalOffice, Manager, SalesRep

dsCalendarEvents Parameters: FromDate.Value, ToDate.Value, DivisionalOffice.Value,

dsDivisions Parameters: N/A

dsManager Parameters: DivisionalOffice.Value

dsSalesRep: DivisionalOffice.Label

When I query the ReportServices WS and scan the parameter dependencies for SalesRep it says there are four dependencies: FromDate, ToDate, DivisionalOffice and Manager!!!

If I change "dsSalesRep" to use "DivisionalOffice.Value" the ReportingServices WS parameter dependency scan returns only one dependency for "SalesRep" parameter!!!( This is the correct behavior )

Has anybody seen this behavior and more importantly, is there a work around?

Regards,

View 3 Replies View Related

Parameters.AddWithValue Vs. Parameters.Add

Jan 2, 2008

Hello all,
Given: 
string commandText = "Categories_Delete";SqlCommand myCommand = new SqlCommand(commandText, connection);myCommand.CommandType = CommandType.StoredProcedure;
   Is there a reason NOT to use myCommand.Parameters.AddWithValue("@CategoryID",CategoryID); I'd prefer to use that over  myCommand.Parameters.Add("@CategoryID", SqlDbType.Int, 4).Value = CategoryID; as I have these functions being created dynamically and hope to get away from a big lookup to try to convert System.Types into SqlDbTypes. [shudder]  
It seems that ADO.NET makes an implicit conversion to the valid type.  If this is correct then I can move on fat dumb and happy.  Anyone have any good insight?
Thanks,
 

View 11 Replies View Related

Uses Of Parameters

Sep 2, 2007

HI
Can someone explain me in detail when we use <asp:parameter>  and when we use <asp:controlparameter>
 

View 1 Replies View Related

SQL Parameters

Sep 6, 2007

Hello Dears
I Have an stored procedure like this :ALTER proc [dbo].[gl_voucher_type_insert]
@company_code varchar(3),@source_code varchar(4)
,@voucher_code varchar(4),@desc_a nvarchar(50)
,@desc_l nvarchar(50)
,@voucher_form numeric(2) ,@voucher_prefix varchar(4)
,@voucher_start numeric(8)=null
asDeclare @PrefixCount as int
set @PrefixCount=isnull((select count(*) from gl_voucher_type
where company_code=@company_code and
voucher_code=@voucher_code),0)
if @PrefixCount=0
begin
insert into gl_voucher_type(company_code,source_code,voucher_code,voucher_desc_a,voucher_desc_l,voucher_form,voucher_prefix,voucher_start)
values(@company_code,@source_code,@voucher_code,@desc_a,@desc_l,@voucher_form,@voucher_prefix,@voucher_start)
end
return @PrefixCount
 
ok i need  in my asp page get the @ prefixCount value to make some checking on it   how can i  do that
please help me as soon as possible
with my best regard
khalil T.Hamad

View 3 Replies View Related

Parameters In SP

Sep 27, 2007

CREATE PROC xxx
@user VARCHAR(15),
@rank varCHAR(10) AS
DECLARE @sql VARCHAR(100)
SET @sql = 'SELECT ' + @user + ' FROM usertable where grade = ' + @rank
EXEC (@sql)
GO
when i execute this proc without where condintion its working, but when i use where condition its dispalyin invalid column name with the name im passing
eg.
xxx admin,aB
WHEN I TRY TO EXECUTE PROC WITH ABOVE STAT, ITS DIAPLAYIN ERROR AS "INVALID COLUMN NAME ab
but
xxx admin," ' aB ' "
when i try like this its giving result.
how can i avoid second method of executin the proc and use first method for the sake of passing value from frontend

View 3 Replies View Related

Add Parameters

Jun 21, 2008

Hi,
The following code doesnt work. I am trying to get data from a
table according to a querystring. Id like the data in the columns
'hello' and 'hello2' to be meta name and content. But it says

The name 'hello' does not exist in the current context
 
 
        command.CommandText =
"SELECT hello, hello2 FROM table WHERE ID=@ID";       
command.Parameters.AddWithValue("@ID",
Request.QueryString["ID"]);       
command.ExecuteNonQuery();       
HtmlMeta meta = new HtmlMeta();       
meta.Name = "Description";       
meta.Content = "first" + hello;       
Page.Title = "first" + hello2;       
Header.Controls.Add(meta);

 
Thanks 

View 5 Replies View Related

Add Parameters

Jan 14, 2004

I need to add parameters to my SQL string, like Where [EndDate] >= @HStart AND [EndDate] <= @HEnd, I tried to Dim variables but it caused an error. Can anyone help me with this?

Thank You,

Sub BindDataCurrent()
Where [EndDate] >= @HStart AND [EndDate] <= @HEnd"
'MyCommand.Parameters.Add("@HStart", SqlDbType.VarChar, 80).Value = HistoryStartText.Text
'MyCommand.Parameters.Add("@HEnd", SqlDbType.VarChar, 80).Value = HistoryEndText.Text
ConnectStr = ConfigurationSettings.AppSettings("ConnectStr")
Dim MyConnection As SqlConnection = New SqlConnection(ConnectStr)
MyConnection = New SqlConnection(ConnectStr)

Dim SQL As String = "Select [Campaign_ID], [Campaign Type], [Campaign Date], [EndDate],[Comment] FROM tblCampaignTracking Where [EndDate] >= @HStart AND [EndDate] <= @HEnd"
Dim DA As SqlDataAdapter = New SqlDataAdapter(SQL, MyConnection)
Dim DS As New DataSet
DA.Fill(DS, "tblCampaigns")
MyEditDataGridCurrent.DataSource = DS.Tables("tblCampaigns").DefaultView
MyEditDataGridCurrent.DataBind()
End Sub

View 1 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved