Now I’ll talking about a technique that script kiddies widely used to attack to the first wall of your application. If you’re a rookie for security topics on development then you may never heard about this before. In my .NET courses training experiences, most of my trainees never know about this issue before and they feel very surprises when I’ve hacked into their system in no time.

What is SQL injection?

Straightly, It’s something like you try to inject some unexpected characters into SQL querying process to gain the out-of-case result.

Let’s see it in more detail!

What should you do If you want to coding your application to authenticate user’s credential that kept in database?

So easy, right? I’m just querying the result from database with this simple SQL query and a few line of code.

Dim strSQL As String = “Select COUNT(*) From Members WHERE LoginName=’” & txtLoginName.Text & “‘ AND Password=’” & txtPassword.Text & “‘”

Dim cmd As New SqlCommand(strSQL, con)

cmd.ExecuteScalar()

It works perfectly! but how the it’ll handle if a hard core user input something unexpected into login name just like the following

xyz’ OR ’1′=’1

When it concatenate into SQL string. It’ll result in to…

Select COUNT(*) From Members
WHERE LoginName=’xyz’ OR ’1′=’1‘ AND Password=’1234‘

Yeah, you can see that OR ’1′=’1′ which always result in TRUE. So, the hard core user can authenticate to the application without knowing of any user’s login name or password.

How can I prevent SQL injection?

Yeah, it’s very easy to do. Just use the technique named as “Parameterized Query”.

OMG! What’s about it? I never heard about those “Parameterized Query”.
You get me in trouble again!

Not that serious, It’s very easy to implement this technique as .NET alraedy provide the framework for you. Just do the following two steps.

1. When you want to create the dynamic SQL query string just like this case. You should use parameter instead of concatenate the variables yourself.

Select COUNT(*) From Members WHERE LoginName=@LoginName AND Password=@Pwd

We call @LoginName and @Pwd as parameter.

2. Before executing the command. Please specify the value for each parameter first.

cmd.Parameters.AddWithValue(“@LoginName“, txtLoginName.Text)

cmd.Parameters.AddWithValue(“@Pwd“, txtPassword.Text)

cmd.ExecuteScalar()

When the command was executed. All parameters will be transformed into the value that suitable for the data type of those database. The good things you get here is that. For string (varchar) data type, generally it should open and close with single quote ” ‘ “. (You can see this code of the first code block) But not for parameterized query, as it will do automatically internal. So, you don’t have to pay your attention to those data type symbol for each database. (Especially datetime data type) and another point, the generated SQL query will never been attacked by SQL injection anymore as it know now how to handle those type of technique.

This is all about that!

For more information about SQL injection, please visit here.

This is my first post on blog about Microsoft .NET development. So, let me say a little sorry about my bad English.
Let’s go to those day that C/C++ language dominating Visual Basic all the time. If I can remember it takes more than ten years now since Visual Basic for DOS (1.0). In this blog I’ll show the various perspective and conclude about these two languages of choices for developer to be chosen for Microsoft .NET development.

Let’s take a look after them!

Comparison begin, who will win?

For Visual Basic, this language had dominated the development community due to it’s ease of use, short learning curve, rich GUI(s) and many more reasons. As It’s really easy for people to learn and begin programming in no time!
Personally, I’ve used Visual Basic since version 3.0. In those time it still using 3.5″ diskettes for setup. The first time I try it, I’m wondering how they can made GUI programming very easy. But I never use it in any commercial applications as those time the application built from Visual Basic is so slow when comparing to any C++ based compiler. So, I’m sticking with Borland C++ and Visual C++. A few years quickly passed, I’ve a chance to try Visual Basic again but now for 5.0. It had been improved so much! Very impresses to me. However, Its performance still generate the reason that I should not use it cause of it’s so slow when comparing to C++ based. But that time I’m really think that its WYSIWYG is very good and will increase my productivity significantly. So, I decide to learn it in a little deep details. At last, I still consider to stick with C++ based as the speed really made me sick about it. But now I’m finding some tools that has a cool WYSIWYG but based on C++. So, now I got a really cool tools. Borland C++ Builder.
I used Borland C++ Builder instead of Microsoft Visual C++ with MFC for a couple of years until what Microsoft said it’ll be the next generation of software development platform named Microsoft .NET. So, now I got a chance to try again on Visual Basic. Now in version 7.0 aka VB.NET. When compared to C++ application with Win32API it still slow in nature. But the productivity was very high now for .NET. So, I use just a few days to decide to go on .NET platform instead of any Win32API or J2EE platform and using both C# and VB.NET until today.
In my experiences regards on both languages. VB.NET has higher productivity in means of a few line of code and less task effort when developing than C#. So, I call it higher productivity. C# also high productivity but in my opinion, VB.NET is better on this topic. But there are somethings you should know about VB.NET and C# when comparison is begin. I written below as one-by-one…

Performance
No one win! as it’ll produce the same output as based on Microsoft CLR. (Common Language Runtime) So, who think that C# will take ahead from VB.NET on performance. It does not!

Number of line
In my experiences, VB.NET may written less number of line in the same task but in most case It should be equal as they using the same class library.

3rd party components
Equality.

3rd party tools
C# is better as some refactoring/intellisense tools support only for C#.

OOP
Now both of them is fully OOP. In .NET 1.1, VB.NET can’t do operator overloading but in .NET 2.0, it fully support!

My personal conclusion
For my experiences, I preferred VB.NET on small to medium scale of project but C# for large. As on the internet community, I found many C# developers was better than VB.NET. I should not be 100% but for my idea. I think that VB.NET is easies for learning. So, VB.NET may not clearly understand much about architecture and programming logic. But in case of C#, it may not that case as It’s a long time well structured from the past.
At last, it up to you and the application will produce a good or bad result will be based on your understanding of problem domain, solution and your logic. So, don’t bother much about languages!

Clearly no winner between VB.NET and C# but Microsoft!