Hello guys I wanted to ask a few things because I want to upgrade my log in security . First of all this is how my log in security looks like atm -
Sql query compares the user input ( pass / name / id ) to my data base and if its correct he gets 2 values and redirected to the main restricted page. one of the values is a random value from a function that stores a limited amount of such values ( each time it picks a random 1 and returns it to the user upon successfull log in ) , and the other value is 1 of the input fields ( like company ID for example )
both of those stored in sessions ( hopefully its not an easy to gain the data stored in those from a hacker? ) and on each of the restricted pages, i use on the page load event 2 terms :
Session ( "the ID" ) <> ""
isLegit ( session ( "the random code" ) <> "false"
I am still learning about security and i guess my current method is bad?
And thats where my second question comes to play , i been reading about microsoft's memebership and wanted to use some of the stuff included , but even after reading about how it works i find myself failing to implant it on my site .
I got pretty long register form and well the site designed in some way, and if i try putting the log in controls from visual studio i cant get them to look like part of the page.
I read that there is a way to keep my site as it is and to use
FormsAuthentication.RedirectFromLoginPage("test", false);
to force membership or something of this sort?
Is such a thing possiblr without having to use the log in tools and storing additional log in data ( beside what i have on my sql data base )?
p.s I am using asp.net with vb on visual studio with MS sql server
Take a look at these articles:
Introduction to Membership http://msdn.microsoft.com/en-us/library/yh26yfzy(v=vs.100).aspx
Sample Membership Provider Implementation http://msdn.microsoft.com/en-us/library/44w5aswa(v=vs.100).aspx
Introduction to Membership http://msdn.microsoft.com/en-us/library/tw292whz(v=vs.100).aspx
If you are willing to create another table that would hold the user information it should be really straight-forward, works out of the box.
You would need to take out the checks you have in the code, though.
Related
I have a project which contains Company and Agency users.
I have a problem while I'm trying to show their data. For example: the agency can see other agency's data if they change's the value on the web browser searchbar. I want to block that vulnerability but I don't know how to do that.
I will be doing that first time so, thanks for any suggestions!
As I Understood from you in the comments the Term SearchBar
you mean by it , the URL place in the browser.
As my best answer would be to add a Guid in the Company Model and map it to a uniqueidentifier in the sql server database, and when the value is inserted you generate a uniqueidentifier for this company.
then you start getting the company by that object key
so that final product will be something like this :
http:///companyinfo?id=DE653F58-AB12-43F9-95CD-A7C3A856340A
I've got a table which was set up wrong ( as an application table, but a maintanence view was created ) but it should be an customizing table, so that we are able to transport the entries of the table.
So far I changed the type and maintainablity of the table, now it is type C ( Customizing ) and changes can be made without restrictions. I've also changed in the technical settings the type to APPL2, so it is a customizing-table. After those changes I've deleted the original table maintanence generator view and generated a new one.
My problem is, that when I save my new / changed entries in sm30, I won't get asked for a transport request and the option to put them into the transport request in sm30 ( via the menue ) is not available. It is outgreyed.
How can I change my table / what do I need to do, that I am able to transport my customizing entries?
In the Table-Maintenance-Generator there is an option called "Standard recording routine" which needs to be selected.
of course credits go to #JózsefSzikszai who gave the answer in the comments :)
Just follow these steps:
More->Utilities->Table Maintenance Generator.
Under Dialog Data Transport Details select "Standard recording routine"
We're using the REST API in the sandbox environment. I've uploaded my investment accounts into the first test username that was provided using FastLink.
When I run 'getItemSummariesWithoutItemData' in TestDrive I get all the investment accounts as expected. When I repeat the same query using Python I only get back 2 items : Dagbank and DagCreditcard.
Similarly when I retrieve data using 'getItemSummaryForItem1' and a non-DAG itemId in TestDrive, i get data as expected. When I use the same query from python, i get key={}.
Any idea why this is happening?
This should not happen until and unless you are using two different user logins. Please cross check your code.
I have this little project that I'm working and I got to a part where I want to do something specific but can't seem to figure out a solution that works. Basically I've created a Web Service in Visual Studio that is used for a mobile app and we wanted to add a new piece of functionality that allows the retrieval of clients from multiple users. To do this I need to be able to pass an array of values to a WHERE IN clause, which I've been finding out is pretty much not possible but the other solutions I've read (that have no real example of the process) is to create a table of the Array values and then to a WHERE IN (SELECT * from TEMPTABLE) type of scenario.
So this is where I'm stuck, how do I go about passing an array of values to my SQL statement that will then create a temp table of those values (can range from 1 to 30 values) so then I can run other queries against those values. Most of the examples I've seen have the temp table hard coded with values, but I need to be able to pass an random amount of values for that table, so if it's easier to pass them as one single string with commas is fine or if they need to be passed in a specific format I can do that as well on the iOS side before calling the Web Service, I just can't seem to figure out how to do this dynamic type of table to move on to the next portion.
EDIT (Adding some information based on Comment)
So some background information on the system and purpose to help get a better understanding of what I'm doing. The Database is a SQL Server (2008) with already existing tables and data since what I'm working on is a Mobile Application port of an existing Web Application. Two tables that I can use for example are an Agent table (for employees) and a Customer Table (for their client) and so in some cases we have Teams that can view each other's clients. So normally if I wanted to pull a list of clients from a group of agents I would use the WHERE IN statement, but for the Web Service it would need to take that group as a Variable since the Rep may want to see only a few team members or all team members (this would be an option set in the iOS App).
I don't really have code that works, and most of what I have tried I know doesn't really work so I'll put some pseudo code to explain what I want to do. At first I thought I could just do this:
SELECT C.first_name + ' ' + C.last_name as [Client Name]
FROM dbo.agent as A INNER JOIN
dbo.contact as C ON C.agent_id = A.id
WHERE (A.id IN (#RepList))
In this example, #RepList would be a string passed from the iOS App to the Web Service that contained all the ID's that were selected within the Application. As I've looked into this, I can't have a variable in a WHERE IN statement but I've read that if I create a Temp Table with the variables then I could reference it like this:
CREATE TABLE #TempTable (TempID VARCHAR(MAX))
INSERT INTO #TempTable (TempID)
VALUES (#RepList)
SELECT C.first_name + ' ' + C.last_name AS [Client Name]
FROM dbo.agent AS A INNER JOIN
dbo.contact AS C ON A.id = C.agent_id
WHERE (A.id IN (SELECT #TempTable.* FROM #TempTable))
So again, #RepList would be the list of ID's that are passed from the iOS Application over to the Web Service that will run this query. This is where I'm stuck, since I can't seem to figure out how I can pass a list of values as a Variable into the TempTable. This may end up just being an issue in Visual Studio (since I've had issues with the SQL Query Designer and it not accepting certain things that end up working in the WebService) but I want to be sure this is the right format of doing so before moving forward. In the end, the WebService needs to be able to return a list of Clients based on however many Agents the person wants to see (this can range from just 1 agent to 20 agents).
Since you are on SQL Server 2008 and VS2010, probably the best solution is to use a Table-Valued parameter. This link (here) describes how to use them from a .Net client.
The basic idea is, your webservice code will call a procedure, function or parametized query on SQL Server, where one of the parameters is a table of values. Then the SQL code will use that table-valued parameter as its source matching table instead of a temporary table.
Ok. Here is some background: I have created a simple APEX application that is going to replace a handful of static HTML pages, an Access Database, and LOTS of manual work. Users use the application to submit work requests to my team and upon submission of the form the information is presented back to them in a 'receipt' with a new 'Request #' which they can use kind of like a UPS tracking number to make inquiries of their project. This number is the primary key of the submitted table and is auto-incremented by a sequence. This all works perfectly so far.
My problem is that for auto-incrementing to work, my PK obviously has to be a 'Number'. Again not really a problem. The issue is that prior to migrating to the APEX tool our 'Request #s' were formatted as a string of numbers 8 digits long with the necessary number of zeros (0's) to the left of the actual number. So Request # 789 is actually stored as 00000789 in our Access database. My boss has indicated that this same format needs to be mimicked when the # is displayed in the APEX tool as well since that is what our clients are used to seeing.
I need the Request # to continue to be stored as a Number so that I can continue to auto-increment but I need to find some way to append/concatenate the appropriate number of 0's to the front of the number when it is displayed. This is will likely need to be done with SQL. I am currently using this simple SQL script to display the #:
SELECT req_num
FROM proj_apex
WHERE req_num = (SELECT MAX(req_num) FROM proj_apex)
Thoughts? Any APEX or SQL developers have ideas?
select to_char(req_num, '00000009') ...
http://www.techonthenet.com/oracle/functions/to_char.php