Sub Read()
    ' The connection string comes from web.config; ConfigurationManager decrypts the protected section transparently.
    Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
        ' Parameterized query: the textbox value is bound as data, not concatenated into the SQL text.
        Const queryString As String = "SELECT Name from Users where SAPID = @SAPID"
        Dim command As New SqlCommand(queryString, connection)
        Dim parUsername As New SqlParameter("@SAPID", SqlDbType.VarChar, 20)
        parUsername.Value = TextBox1.Text
        command.Parameters.Add(parUsername)
        command.Connection.Open()
        ' CommandBehavior.CloseConnection closes the connection when the reader is disposed.
        Using reader As SqlDataReader = command.ExecuteReader(CommandBehavior.CloseConnection)
            ' Call Read before accessing data.
            If reader.HasRows Then
                While reader.Read()
                    Label1.Text = CStr(reader("Name"))
                End While
            End If
        End Using
    End Using
End Sub
The connection string in the web.config file is encrypted using RSA with a Machine-Level Key Container.

<connectionStrings>
    <add name="LocalSqlServer"
         connectionString=";Database=;User ID=;Password=;Trusted_Connection=False;"/>
</connectionStrings>
Can someone tell me why the SQL statement above is vulnerable?

Using connection As New SqlConnection(ConfigurationManager.ConnectionStrings("LocalSqlServer").ToString())
Thanks.
<configuration>
    <connectionStrings>
        <add name="conStr"
             connectionString="Persist Security Info=False;User ID=AAAAAAA;Password=*******;Initial Catalog=XXXXXXX;Server=ZZZZZZZZZ" />
    </connectionStrings>
    <system.web>
        <authentication mode="Windows"/>
        <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>
        <authorization>
            <allow roles="Domain\Group"/>
            <deny users="?"/>
            <deny users="*"/>
        </authorization>
        <customErrors mode="Off"/>
    </system.web>
</configuration>
After encrypting:

<configuration>
    <configProtectedData>
        <providers>
            <!-- contents -->
        </providers>
    </configProtectedData>
    <connectionStrings configProtectionProvider="CustomProvider">
        <EncryptedData>
            <!-- encrypted contents -->
        </EncryptedData>
    </connectionStrings>
</configuration>
I then create a class file "Connections.vb" to create the connection.

Imports System.Configuration
Imports System.Data.SqlClient

Public Class Connections
    ' Raw connection string read from the (encrypted) connectionStrings section.
    Shared sqlClient As String = ConfigurationManager.ConnectionStrings("conStr").ConnectionString
    Shared sqlConn As String = Nothing
    Shared builderStr As SqlConnectionStringBuilder = Nothing
    ' A single SqlConnection shared by every page that calls [get]().
    Shared connStr As SqlConnection = Nothing

    Public Shared Function [get]() As SqlConnection
        If sqlConn Is Nothing Then
            sqlConn = sqlClient
            builderStr = New SqlConnectionStringBuilder(sqlConn.ToString) ' line 22
            connStr = New SqlConnection(builderStr.ConnectionString) ' line 23
        End If
        Return connStr
    End Function
End Class
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    Const sqlQuery As String = "select * from users"
    Using command As New SqlCommand(sqlQuery, Connections.[get]())
        ' The shared connection stays open after the first request, so only open it when it is closed.
        If command.Connection.State <> ConnectionState.Open Then
            command.Connection.Open()
        End If
        Dim sqlda As New SqlDataAdapter(command)
        Dim ds As New DataSet()
        sqlda.SelectCommand = command
        sqlda.Fill(ds, "users")
        GridView1.DataSource = ds
        GridView1.DataMember = "users"
        GridView1.DataBind()
    End Using
End Sub
I end up with the same problem. I went again and did some searching, and I noticed that the ConnectionStringBuilder class allows you to parse the individual elements of a connection string and put them into the corresponding properties in the ConnectionStringBuilder. The ConnectionStringBuilder will then break it into the appropriate properties.

Sub CreateConnectionString()
    ' Each property becomes one key=value pair in builder.ConnectionString.
    Dim builder As New SqlConnectionStringBuilder
    builder.DataSource = "(local)"
    builder.InitialCatalog = "Northwind"
    builder.UserID = "user1"
    builder.Password = "P@ssw0rd"
End Sub
Can someone help me with how to pass the connection from the config file and use a class in order to call it on every page after extracting its appropriate properties?
''; select * from users
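One way to structure the helper the question asks for, as an added example that is not part of the original post: the connection string is read from web.config (decrypted transparently when the section is protected), parsed once with SqlConnectionStringBuilder and validated, and every caller gets its own SqlConnection instead of one Shared instance reused across requests. The config name "conStr" and the Users/SAPID query are taken from the question; the class and method names are assumed.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

' Added example, not the code from the question: Db.Open() hands out a
' fresh connection per call, and GetUserName shows the parameterized lookup.
Public NotInheritable Class Db
    Private Sub New()
    End Sub

    ' Parsed once; the builder only holds the pieces, never an open connection.
    Private Shared ReadOnly Builder As SqlConnectionStringBuilder = LoadBuilder()

    Private Shared Function LoadBuilder() As SqlConnectionStringBuilder
        Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings("conStr")
        If settings Is Nothing OrElse String.IsNullOrEmpty(settings.ConnectionString) Then
            Throw New ConfigurationErrorsException("connection string 'conStr' is missing")
        End If
        ' Parsing validates the syntax and splits it into typed properties.
        Dim b As New SqlConnectionStringBuilder(settings.ConnectionString)
        If String.IsNullOrEmpty(b.DataSource) OrElse String.IsNullOrEmpty(b.InitialCatalog) Then
            Throw New ConfigurationErrorsException("connection string must name a server and a database")
        End If
        ' With this off, SqlConnection.ConnectionString no longer returns the password once opened.
        b.PersistSecurityInfo = False
        Return b
    End Function

    ' A new SqlConnection per caller: ADO.NET pooling makes this cheap, and
    ' nothing is shared between concurrent page requests.
    Public Shared Function Open() As SqlConnection
        Dim conn As New SqlConnection(Builder.ConnectionString)
        conn.Open()
        Return conn
    End Function

    ' Parameterized lookup, as in the question's Read(): the value travels as data, never as SQL text.
    Public Shared Function GetUserName(sapId As String) As String
        Using conn As SqlConnection = Open()
            Using cmd As New SqlCommand("SELECT Name FROM Users WHERE SAPID = @SAPID", conn)
                cmd.Parameters.Add("@SAPID", SqlDbType.VarChar, 20).Value = sapId
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return CStr(result)
            End Using
        End Using
    End Function
End Class
```

A page then calls `Db.GetUserName(TextBox1.Text)` or wraps `Db.Open()` in a `Using` block, so each request opens and disposes its own connection.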