We decided to use the registry for handling our deployment with connection strings in our VB.net application.
The requirements are:
If the program cannot connect to the server, first check the registry for a connection string. IF not, create the folder and fill in the name, type, and data.
Make sure its encrypted.
I have never edited or created anything in the registry. Where do I start? If anybody has any code samples or links to articles I would really appreciate it.
It looks like this tutorial would be a good source for the problem. I would strongly recommend against storing the connection string in the registry. It adds more work and more dependencies on the current operating environment. Additionally, configuration files are more portable and are better suited for storing property related information. If you use a settings file the supporting admins and your support people will thank you. [Compared to placing the information in the registry.
Totally agree with Steven here, but if you have to do it...here is some info From MSDN (link to all you need to know at the bottom). The following example reads, increments, and then writes a DWORD value to HKCU:
Imports Microsoft.Win32
Dim regVersion As RegistryKey
regVersion =
Registry.CurrentUser.OpenSubKey("SOFTWARE\\Microsoft\\TestApp\\1.0", True)
If regVersion Is Nothing Then
' Key doesn't exist; create it.
regVersion =
Registry.CurrentUser.CreateSubKey("SOFTWARE\\Microsoft\\TestApp\\1.0")
End If
Dim intVersion As Integer = 0
If (Not regVersion Is Nothing) Then
intVersion = regVersion.GetValue("Version", 0)
intVersion = intVersion + 1
regVersion.SetValue("Version", intVersion)
regVersion.Close()
End If
http://msdn.microsoft.com/en-us/library/aa289494%28VS.71%29.aspx
Related
I ran IBM AppScan tool on a VB.Net source.I am getting one security issue in File.Copy method under Path Traversal category.
Issue Detail -
Vulnerability Type - PathTraversal
This API accepts a directory, a filename, or both. If user supplied data is used to create the file path, the path can be manipulated to point to directories and files which should not be allowed access or which may contain malicious data or code.
How can i fix this issue?
Imports System.Web.Security.AntiXss
Private Function ProcessFile() As Boolean
Dim drive As String = String.Empty
Dim folder As String = String.Empty
Dim filename As String = String.Empty
Dim sourcePath As String = String.Empty
Dim destinationPath As String = String.Empty
drive = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Drive").ToString()))
folder = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("Folder").ToString()))
filename = AntiXssEncoder.XmlEncode(String.Format("{0}", System.Configuration.ConfigurationManager.AppSettings("File").ToString()))
sourcePath = Path.Combine(drive, folder, filename)
destinationPath = Path.Combine(drive, folder, "text2.txt")
Try
If sourcePath.IndexOfAny(Path.GetInvalidPathChars()) = -1 AndAlso destinationPath.IndexOfAny(Path.GetInvalidPathChars()) = -1 Then
File.Copy(sourcePath, destinationPath, True)
Return True
Else
Return False
End If
Catch ex As Exception
Return False
End Try
End Function
It's probably considering AppSettings to be untrusted user input (I've seen AppScan Source do similar with config on a Java project), so it's complaining that you're making a path with untrusted input that could have separators in.
If any of drive, folder and filename did come from untrusted this would definitely be a problem. Assuming however that your config is only accessible to trusted administrators this is nothing. It's pretty stupid that config is treated as an unchecked source, but then taint tracking tools are pretty stupid in general.
The handling of filenames here is rather wacky. It seems very unlikely that XML-encoding filenames before using them is a good idea; the ToString and Format steps are entirely superfluous; and checking the whole path for ‘invalid’ characters doesn't protect against injection from an individual part anyway. Is this stuff an attempt to work around AppScan? The InvalidPathChars check wouldn't help as it doesn't directly encode/validate and return the tainted value, and the XmlEncode would only help if that function were explicitly marked as a validation/encoding function.
It's sad to make code more broken in an attempt to satisfy a blunt instrument of a static analyser. Could you perhaps add a function to be used as a wrapper on AppSettings values and tell AppScan it is a validation/encoding function, so it doesn't think the values are tainted? Or just ignore/silence the bogus warning?
System.Configuration.ConfigurationManager.AppSettings can be considered as a safe source, you can just exclude the findings so it won't come up again.
On the other hand, this code can be considered as having poor secure coding practice. If you replace "System.Configuration.ConfigurationManager.AppSettings" with something like a web UI input, then the end user has control over the value of "folder" "drive" and "filename", this then becomes a serious path traversal issue.
I want to change my computer's system registry value via vb.net
Dim regKey As RegistryKey
regKey = Registry.LocalMachine.OpenSubKey("SOFTWARE\Microsoft\Ole", True)
regKey.SetValue("EnableDCOM", "Y")
regKey.Close()
I've tried the above, however it gives no error but it simply doesn't change the value...
I hardly use VB, but I believe the below is the correct approach.
Dim autoshell = My.Computer.Registry.LocalMachine.OpenSubKey("Software\Microsoft\Windows NT\CurrentVersion\Winlogon", True)
'' Set the value to 0
autoshell.SetValue("autorestartshell", 0)
autoshell.Close()
If you experience errors, you need to check that:
You have permissions to read/write to the registry.
The subkey you are trying to change actually exists.
You should also consult the MSDN VB Documentation.
I need to return the ip connection data of an ODBC Mysql connection
to visually verify that I am connected successfully to the right database on the correct server using VB.net.
In VB6 I used to parse the ADOX.Catalog.ActiveConnection string but that
does not work in VB.net. No string is returned.
What is the method now used to obtain the IP of a successful ODBC connection?
Searching the ObjectBrowser and MSDN is not helpful in this regard.
not an answer - but more problems
The answer below looked like a drop dead easy way to do it.wish it was this easy.I have been bogged down for hours trying to get the DNS resolved - and running into socket errors on windows7 in the resolve code.
poking about I have come across this MSDN code which is a direct approach from ADOX. However it will not compile as it chokes on compiling ConnectionStringSettings protesting that it is not defined even though it is a member of the System.Net.Configuration assembly. What is wrong with the ADOX syntax.
and I used to think vb coding was easier than java! One would have thought MSDN would have given examples of code that compiled.
Imports System.Net
Private Shared Function GetConnectionStringByName(ByVal name As String) As String
GetConnectionStringByName = "OK"
' Assume failure
Dim returnValue As String = Nothing
' Look for the name in the connectionStrings section.
Dim settings As ConnectionStringSettings = ConfigurationManager.ConnectionStrings("MySql")
' If found, return the connection string.
If Not settings Is Nothing Then
returnValue = settings.ConnectionString()
End If
' Return returnValue
End Function
You can execute the sql query,
SHOW VARIABLES LIKE 'hostname'
This will return the hostname of the MySQL server. You can easily resolve the IP from the host name using Dns.Resolve
References:
13.7.5.41 SHOW VARIABLES
Syntax
5.1.4 Server System
Variables
We have created a workflow process as an SSIS package and would like to find a way of gaining access to this code so that through vb.net we can dynamically access and run that code. For example, we would like to change the data sources being used, or change the column mappings of existing packages and then execute them from a vb.net application. Please advise the best way to do this.
You will find some of your tasks easy, others not so much.
Generally speaking, you'll be interested in reading the Developers Guide to Integration Services. Of particular interest will be Building Packages Programmatically and Running and Managing Packages Programmatically.
For example, to run a package from VB.NET
Imports Microsoft.SqlServer.Dts.Runtime
Module Module1
Sub Main()
Dim pkgLocation As String
Dim pkg As New Package
Dim app As New Application
Dim pkgResults As DTSExecResult
pkgLocation = _
"C:\Program Files\Microsoft SQL Server\100\Samples\Integration Services" & _
"\Package Samples\CalculatedColumns Sample\CalculatedColumns\CalculatedColumns.dtsx"
pkg = app.LoadPackage(pkgLocation, Nothing)
pkgResults = pkg.Execute()
Console.WriteLine(pkgResults.ToString())
Console.ReadKey()
End Sub
End Module
To change the connection manager programmatically, it'd be the VB.NET equivalent of
ConnectionManager item = ep.Connections["MyConnectionManagerName"]
item.ConnectionString = #"Provider=SQLNCLI10.1;Data Source=Server1;Initial Catalog=ABC;Integrated Security=SSPI;";
Changing column mappings, that's where it's going to get interesting, for all definitions of the word interesting. I'm have a distilled example but it takes some work and you'll want to really understand the whole object model (and I hope you like COM). EzAPI might be of some assistance in that area.
I know the default install path of the app and the name of the .exe file, but is there a way to see if it is actually installed?
I've seen suggestions for checking registry entries, but I don't know if this app uses any or if if varies for different users on different pc's.
Many of the registy entries have no default values set. I prefer not to dive too deep and have to rely on a value for the font setting.
I'd like to know if "App_Name" exists. I can't rely on it having a default value because it never does. Since I'm using .GetValueKind, I don't have to worry about "AboutSiteUR" having any value set assuming if it has a type it actually exists. Otherwise, I'm assuming the Try/Catch will trap the IO.IORegistry type error (I'm not sure about that one.).
Dim sDisplay_Reg_Value As String
Dim Everest_Registry As Microsoft.Win32.RegistryKey = _
My.Computer.Registry.CurrentUser.OpenSubKey("Software\Company_Name\App_Name")
Try
sDisplay_Reg_Value = CType(Everest_Registry.GetValueKind("AboutSiteUR"), String)
'If the key does not exist Everest_Registry will contain Nothing, otherwise the returned key will be populated. Try this:
Dim Everest_Registry As Microsoft.Win32.RegistryKey = _
My.Computer.Registry.CurrentUser.OpenSubKey("Software\Microsoft\Internet Explorer")
If Everest_Registry Is Nothing Then
'key does not exist
MsgBox("Key does not exist")
Else
'key is valid, display actual name
MsgBox(Everest_Registry.Name)
End If
Does the application show up in the "Add/Remove programs" control panel? If yes, then there are definitely some registry entries you can look at that would not vary by user.
use regedit.exe to search the subkeys of CLSIDs key, if the application folder appears in any of the subkeys, then this also would be something that doesn't vary by user.
Or your could ask them. I used to work for a company that made software you could buy at Best Buy, etc. In their software, there was a specific registry key that each application created so that all of their apps could find each other.