Tuesday, 8 May 2012

The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms

Received in my email today:

Hi

Saw your blog and thought you might help.

strsql = "SELECT StaffID, DesignationID, StaffName, Password, ShopID from staffT where StaffName =" & UserName.Text & " AND Password =" & Password.Text & ""

In the string, UserName.Text and Password.Text are form controls. What is happening is they are passing null values regardless of what you input in the text boxes, resulting in a system error.

"System Error Object reference not set to an instance of an object"

I am using MySQL as the database.

I’m always glad to answer such questions, especially when the questioner is flirting with disaster, as much as this questioner is.

A trained eye can immediately spot the problem with the SQL statement above, aside from the problem of NULL values tossing errors. Namely, it’s wide-open to SQL injection. (And an even keener eye will note that the values for user name and password aren’t delimited with single-quotes.)
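As an added example (not the emailer's code and not the post's), the same lookup rewritten with MySQL Connector/NET bound parameters, which removes the injection exposure and makes the missing quote delimiters a non-issue; the staffT table is taken from the email, while the connection-string name and the VarChar column types are assumptions:

```vb
Imports System.Data
Imports System.Configuration
Imports MySql.Data.MySqlClient

' Added example, not the emailer's or the post's code. Assumes the same staffT
' table and a connection string named "StaffDb" in web.config.
Public Function LookupStaff(userName As String, password As String) As DataRow
    Dim connStr As String = ConfigurationManager.ConnectionStrings("StaffDb").ConnectionString
    ' The SQL text is fixed; both values travel as bound parameters, so a quote,
    ' comment marker or OR clause typed into a textbox stays data and cannot
    ' change the query. (The plaintext Password comparison mirrors the emailed
    ' query; storing a password hash instead is a separate fix.)
    Const sql As String = "SELECT StaffID, DesignationID, StaffName, Password, ShopID " & _
                          "FROM staffT WHERE StaffName = @name AND Password = @pwd"
    Using conn As New MySqlConnection(connStr)
        Using cmd As New MySqlCommand(sql, conn)
            ' Substitute an empty string for Nothing so a missing value cannot
            ' surface later as an "Object reference not set" exception.
            cmd.Parameters.Add("@name", MySqlDbType.VarChar).Value = If(userName, String.Empty)
            cmd.Parameters.Add("@pwd", MySqlDbType.VarChar).Value = If(password, String.Empty)
            Dim table As New DataTable()
            Using adapter As New MySqlDataAdapter(cmd)
                adapter.Fill(table)
            End Using
            ' No match: return Nothing explicitly rather than indexing an empty row set.
            If table.Rows.Count = 0 Then Return Nothing
            Return table.Rows(0)
        End Using
    End Using
End Function

' In the Web Form's login handler (UserName and Password are the page's TextBox controls):
'   Dim staff As DataRow = LookupStaff(UserName.Text, Password.Text)
'   If staff Is Nothing Then ' show a login-failed message instead of throwing
```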

So here’s my reply email to the questioner:
Continue reading: The Basics Of Avoiding MySQL Injection Attacks In ASP.NET Web Forms »

Monday, 7 May 2012

TEA Time: New England GiveCamp 2012 Recap

Last weekend I was in Cambridge, Mass. for New England GiveCamp 2012, the third of the annual meet-ups that match technical and design people with nonprofit organizations that need their help.

Photo: Charles River Esplanade. The Charles River Esplanade is on the left; Hatch Memorial Shell and Teddy Ebersol's Red Sox Fields are in the foreground.

My cause was The Esplanade Association, an organization that cares for the Charles River Esplanade Park.

The Charles River Esplanade Park is the Boston-side green space along the river, from the Museum of Science to the Boston University Bridge. While it’s owned and managed by the state of Massachusetts, TEA (which has to be the coolest acronym possible for a Boston-based group) exists to organize people to help protect and care for the park.

Much of their work involves organizing volunteers to clean up the park several times each year. TEA also holds a number of programs in the park — yoga, Zumba, dances and the like — and runs several fund raising projects.

They came to GiveCamp, initially, looking for a way to better coordinate signing up groups and individuals for cleanup days.
Continue reading: TEA Time: New England GiveCamp 2012 Recap »

Wednesday, 11 April 2012

Getting All ZIP Codes In A Given Radius From A Known Point / ZIP Code Via ASP.NET

Some time ago I wrote a PHP-MySQL based solution to getting all ZIP Codes in a given radius from a known point / ZIP Code. I’ve long intended to do an ASP.NET version of that post, and here it is.

I won’t bother revisiting the mechanics in detail. I do urge you to read the post on the PHP version of this solution, at least to familiarize yourself with the mechanics of what I am doing and the compromises I’ve taken in coming up with this solution.

I will note the following for the “get to the point” types:

  • The first thing we need is to procure a geocoded database table of ZIP Codes. There are several out there; the one I am using is the ZIP Code Database project, available at Sourceforge. You’ll need to figure out how to get their CSV file into your SQL Server database; BULK INSERT is an option, or you can script it.
  • The basic method I am going to use is to create a square. Specifically, I am going to:
    • ask the end user for a starting ZIP Code, and a radius from that point from which he would like other ZIP Codes to come;
    • create a square by selecting points North, South, East and West at the given distance from the starting point; then
    • query the database for all points that fall within that square (or, in other words, all points with latitudes less than North and greater than South, and longitudes less than East and greater than West).
  • I’m going to put my results in a GridView. However, you could easily just use a DataReader or DataTable to get the relevant records and do with them as you like.
  • The formulas I am using to compute longitude and latitude coordinates come from moveabletype.co.uk.
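As an added example (not the post's code), the square-then-query approach above in VB.NET against SQL Server, with the user's starting ZIP and the four edges bound as parameters rather than concatenated into the SQL. The ZipCodes table layout and column types, the 3959-mile Earth radius, and the simplified due-north/due-east offsets used in place of the movable-type formulas are assumptions:

```vb
Imports System.Data
Imports System.Data.SqlClient

' Added example, not the post's code. Assumes a SQL Server table ZipCodes with
' columns ZipCode (char(5)), Latitude and Longitude (float) loaded from the CSV.
Public Class BoundingBox
    Public North, South, East, West As Double
End Class

Private Const EarthRadiusMiles As Double = 3959.0
' Builds the square described in the post: move radiusMiles due north, south,
' east and west of the centre point and keep the resulting latitudes/longitudes.
Public Function GetBoundingBox(lat As Double, lon As Double, radiusMiles As Double) As BoundingBox
    ' Angular distance in degrees along a meridian.
    Dim deltaLat As Double = (radiusMiles / EarthRadiusMiles) * (180.0 / Math.PI)
    ' A degree of longitude shrinks with latitude, so divide by cos(lat).
    Dim deltaLon As Double = deltaLat / Math.Cos(lat * Math.PI / 180.0)
    Return New BoundingBox With {.North = lat + deltaLat, .South = lat - deltaLat, .East = lon + deltaLon, .West = lon - deltaLon}
End Function
' Returns every ZIP Code inside the square, ready to bind to a GridView.
Public Function GetZipsInRadius(connStr As String, startZip As String, radiusMiles As Double) As DataTable
    Dim result As New DataTable()
    Dim lat, lon As Double
    Using conn As New SqlConnection(connStr)
        conn.Open()
        ' Step 1: the user-supplied ZIP is bound as a parameter, never concatenated.
        Using find As New SqlCommand("SELECT Latitude, Longitude FROM ZipCodes WHERE ZipCode = @zip", conn)
            find.Parameters.Add("@zip", SqlDbType.Char, 5).Value = startZip
            Using rdr As SqlDataReader = find.ExecuteReader()
                If Not rdr.Read() Then Return result ' unknown ZIP: empty table, no exception
                lat = rdr.GetDouble(0)
                lon = rdr.GetDouble(1)
            End Using
        End Using
        ' Step 2: everything between South and North, West and East.
        Dim box As BoundingBox = GetBoundingBox(lat, lon, radiusMiles)
        Using sel As New SqlCommand("SELECT ZipCode, Latitude, Longitude FROM ZipCodes " & _
                "WHERE Latitude BETWEEN @south AND @north AND Longitude BETWEEN @west AND @east", conn)
            sel.Parameters.Add("@south", SqlDbType.Float).Value = box.South
            sel.Parameters.Add("@north", SqlDbType.Float).Value = box.North
            sel.Parameters.Add("@west", SqlDbType.Float).Value = box.West
            sel.Parameters.Add("@east", SqlDbType.Float).Value = box.East
            Using adapter As New SqlDataAdapter(sel)
                adapter.Fill(result)
            End Using
        End Using
    End Using
    Return result
End Function
```

The square deliberately over-selects near its corners, as the PHP post describes; filter the DataTable by true great-circle distance afterwards if the exact radius matters.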

Continue reading: Getting All ZIP Codes In A Given Radius From A Known Point / ZIP Code Via ASP.NET »

Friday, 6 April 2012

How To Increment A Counter In MySQL Based On A Radio Button Click

Asked recently on Formspring:

how to increment count in database on clicking radio button

There are a few ways to go about this. I’ll demonstrate two: a traditional, PHP / MySQL only, postback approach, and a jQuery version that uses AJAX to asynchronously record and update the counts.

Just to be clear: In order to complete this solution, we have to use both JavaScript and a server-side scripting language. We use JavaScript to intercept the user clicking the radio button, but process the fact that the button was clicked on the server.

Also, for the purpose of this tutorial, I’ll assume that the radio button involved is part of a group. That is, we have several radio buttons, all with the same name, but different values, e.g.:

<form id="myform" name="myform" method="post">
	<p>Select a color:</p>
	<label id="l_red"><input type="radio" id="r_red" name="color_name" value="red" />Red</label> (<label id="c_red">0</label>) |
	<label id="l_green"><input type="radio" id="r_green" name="color_name" value="green" />Green</label> (<label id="c_green">0</label>) |
	<label id="l_blue"><input type="radio" id="r_blue" name="color_name" value="blue" />Blue</label> (<label id="c_blue">0</label>) |
	<label id="l_black"><input type="radio" id="r_black" name="color_name" value="black" />Black</label> (<label id="c_black">0</label>)
</form>

Continue reading: How To Increment A Counter In MySQL Based On A Radio Button Click »

Friday, 16 March 2012

Making A Simple WordPress Shortcode Plugin

If you’ve been reading this blog for any length of time, you’ve noticed my penchant for asides — brief digressions in which I explain a term, offer advice, or explain why I’m doing something a certain way.

Until yesterday, I was doing that via raw HTML, by adding a div tag and assigning it to the CSS class “aside,” which is defined in my theme’s style.css file:

<div class="aside">This content will appear as an aside.</div>

And that makes the text above look like this:

This content will appear as an aside.

Well, I’m just as lazy as the next guy, and just as careless, too. So sometimes I was forgetting to close that div, or was misspelling it, or otherwise making a general mess by typing a simple div tag.

Which got me to thinking: Why not make a WordPress shortcode plugin, to abbreviate and simplify this repetitive task?

Making your own shortcode is an excellent way to learn the basics of writing WordPress plugins. And once you get the hang of it, you’ll find WordPress plugin authoring isn’t all that hard to do, yet will make you infinitely more marketable as a Web developer.
Continue reading: Making A Simple WordPress Shortcode Plugin »