
Thread: what method is secure to insert and update into database ?

  1. #1

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    what method is secure to insert and update into database ?

    i'm using access database
    this is my code to insert:
    Code:
    ' OleDb binds the ? placeholders by position, in the order the parameters are added
    sql = "insert into customer([nid_c],[name_customer]) " & "values(?,?)"
    cmd = New OleDbCommand(sql, conn)
    With cmd.Parameters
              .Add(New OleDbParameter("@nid_c", CType(cusnid.Text, String)))
              .Add(New OleDbParameter("@name_customer", CType(cusname.Text, String)))
    End With
    this is my code to update:
    Code:
    ' nid_c is bound as a parameter as well; no user input is concatenated into the SQL text
    sql = "update customer set name_customer=? where nid_c=?"
    cmd = New OleDbCommand(sql, conn)
    With cmd.Parameters
              .Add(New OleDbParameter("@nama_customer", CType(cusnama.Text, String)))
              .Add(New OleDbParameter("@nid_c", CType(cusnid.Text, String)))
    End With
    is it secure to avoid sql injection?
    Last edited by khabib28; Sep 8th, 2017 at 01:28 AM.

  2. #2
    PowerPoster make me rain's Avatar
    Join Date
    Sep 2008
    Location
    india/Hubli
    Posts
    2,208

    Re: what method is secure to insert and update into database ?

    Definitely your method used is correct
    https://technet.microsoft.com/en-us/...=sql.105).aspx
    The averted nuclear war
    My notes:

    PrOtect your PC. MSDN Functions .OOP LINUX forum
    .LINQ LINQ videous
    If some one helps you please rate them with out fail , forum doesn't expects any thing other than this
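
An added VB.NET example (not code from any poster in the thread) of an UPDATE against the customer table in which every user-supplied value, including the key in the WHERE clause, is bound as a parameter. The module and function names, the text column types and the size of 255 are assumptions.

```vbnet
Imports System.Data
Imports System.Data.OleDb

Public Module CustomerData
    ' Hypothetical helper: conn is an already open OleDbConnection to the Access file.
    Public Function UpdateCustomerName(conn As OleDbConnection,
                                       nid As String,
                                       newName As String) As Integer
        ' Both values are placeholders; nothing from the user is concatenated into the SQL text.
        Const sql As String = "update customer set name_customer = ? where nid_c = ?"
        Using cmd As New OleDbCommand(sql, conn)
            ' OleDb binds by position and ignores the parameter names, so the
            ' parameters are added in placeholder order: SET value first, WHERE key second.
            ' Assumed: both columns are Access text columns of at most 255 characters.
            cmd.Parameters.Add("@name_customer", OleDbType.VarWChar, 255).Value = newName
            cmd.Parameters.Add("@nid_c", OleDbType.VarWChar, 255).Value = nid
            ' Rows affected: 0 means no customer has that nid_c,
            ' more than 1 means nid_c is not a unique key.
            Return cmd.ExecuteNonQuery()
        End Using
    End Function
End Module
```

Swapping the two `Add` calls would not raise an error; the values would simply be bound to the wrong placeholders, so the order is worth checking in review.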

  3. #3

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by make me rain View Post
    Definitely your method used is correct
    https://technet.microsoft.com/en-us/...=sql.105).aspx
    that means my method is secure..
    and how to hash password and then save to database ?

  4. #4
    PowerPoster make me rain's Avatar
    Join Date
    Sep 2008
    Location
    india/Hubli
    Posts
    2,208

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by khabib28 View Post
    that means my method is secure..
    and how to hash password and then save to database ?
    Why are you saving the database password in the database? Leave it to the database to do its job, you just create users

  5. #5
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: what method is secure to insert and update into database ?

    you never store a password in the database. you store a 1 way hash of the salted password, and the random salt. that way if your database is ever compromised, the passwords can not be recovered (except by brute-force).

    to save the salt+hash:
    1) get the password from the user
    2) create a random salt and combine it with the pw
    3) perform the 1-way hash on the salted pw
    4) store the salt, and the hash to the database

    to verify a password during login:
    1) get the password from the user
    2) combine it with the salt stored in the database
    3) perform the 1-way hash on the salted pw
    4) compare this result to the pw hash stored in the database
    Last edited by DEXWERX; Sep 8th, 2017 at 11:27 AM.

  6. #6

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by DEXWERX View Post
    you never store a password in the database. you store a 1 way hash of the salted password, and the random salt. that way if your database is ever compromised, the passwords can not be recovered.

    to save the salt+hash:
    1) get the password from the user
    2) create a random salt and combine it with the pw
    3) perform the 1-way hash on the salted pw
    4) store the salt, and the hash to the database

    to verify a password during login:
    1) get the password from the user
    2) combine it with the salt stored in the database
    3) perform the 1-way hash on the salted pw
    4) compare this result to the pw hash stored in the database
    can you show the code or give me a link containing code about salt+hash?

  7. #7

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by make me rain View Post
    Why are you saving the database password in the database? Leave it to the database to do its job, you just create users
    not the database password but the admin password. i want to save it to the database, but with a hash method for security reasons

  8. #8
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: what method is secure to insert and update into database ?

    .NET procedure tutorial --> http://www.visual-basic-tutorials.co...sual-basic.htm

    Hashing functions for VBA --> https://en.wikibooks.org/wiki/Visual...Hashing_in_VBA

    VB6 Cryptographic secure Random for generating the salt.
    from here -->http://www.vbforums.com/showthread.p...erator-for-VB6

    you'll have to update the declare for VBA / 64bit VBA
    Code:
    Private Declare Function RtlGenRandom Lib "AdvAPI32" Alias "SystemFunction036" ( _
        ByVal pRandomBuffer As Long, _
        ByVal RandomBufferLength As Long) As Long
    
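    Private Function Rand(ByVal Min As Long, ByVal Max As Long) As Long
        ' Fill the 4-byte return variable with bytes from the system CSPRNG.
        If RtlGenRandom(VarPtr(Rand), 4) Then
            ' Clear the sign bit rather than calling Abs(), which overflows for &H80000000.
            Rand = (Rand And &H7FFFFFFF) Mod (Max - Min + 1) + Min
        Else
            Err.Raise 51 'Internal error, for lack of a more specific exception.
        End If
    End Function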
    Last edited by DEXWERX; Sep 8th, 2017 at 10:43 AM.

  9. #9
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,302

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by khabib28 View Post
    can you show the code or give me a link containing code about salt+hash?
    What's stopping you from searching for some for yourself?

  10. #10

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by jmcilhinney View Post
    What's stopping you from searching for some for yourself?
    i need more reference...

  11. #11
    Super Moderator jmcilhinney's Avatar
    Join Date
    May 2005
    Location
    Sydney, Australia
    Posts
    110,302

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by khabib28 View Post
    i need more reference...
    Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?

  12. #12

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by jmcilhinney View Post
    Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?
    i know that u want ..
    search first if stuck then ask here..
    i'm so sorry ..

  13. #13

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by DEXWERX View Post
    .NET procedure tutorial --> http://www.visual-basic-tutorials.co...sual-basic.htm

    Hashing functions for VBA --> https://en.wikibooks.org/wiki/Visual...Hashing_in_VBA

    VB6 Cryptographic secure Random for generating the salt.
    from here -->http://www.vbforums.com/showthread.p...erator-for-VB6

    you'll have to update the declare for VBA / 64bit VBA
    Code:
    Private Declare Function RtlGenRandom Lib "AdvAPI32" Alias "SystemFunction036" ( _
        ByVal pRandomBuffer As Long, _
        ByVal RandomBufferLength As Long) As Long
    
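    Private Function Rand(ByVal Min As Long, ByVal Max As Long) As Long
        ' Fill the 4-byte return variable with bytes from the system CSPRNG.
        If RtlGenRandom(VarPtr(Rand), 4) Then
            ' Clear the sign bit rather than calling Abs(), which overflows for &H80000000.
            Rand = (Rand And &H7FFFFFFF) Mod (Max - Min + 1) + Min
        Else
            Err.Raise 51 'Internal error, for lack of a more specific exception.
        End If
    End Function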
    basically after i get hashpass from normalpass i just store hashpass into the database ???
    and compare both when logging in using username parameters??

    i am using Bcrypt

    Code:
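    // hash and save a password (HashPassword generates a random salt and embeds it in the returned string)
    string hashedPassword = BCrypt.Net.BCrypt.HashPassword(submittedPassword);
    
    // check a password (Verify reads the salt back out of hashedPassword)
    bool validPassword = BCrypt.Net.BCrypt.Verify(submittedPassword, hashedPassword);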

  14. #14
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: what method is secure to insert and update into database ?

    storing a hashed password is vulnerable to a rainbow attack.

    you need a salt, and you store both.

    see post#4 and the links to understand the process.

    edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
    Last edited by DEXWERX; Sep 14th, 2017 at 06:59 AM.

  15. #15

    Thread Starter
    Lively Member
    Join Date
    May 2017
    Posts
    75

    Re: what method is secure to insert and update into database ?

    Quote Originally Posted by DEXWERX View Post
    storing a hashed password is vulnerable to a rainbow attack.

    you need a salt, and you store both.

    see post#4 and the links to understand the process.

    edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
    Yes right.. I store salt n hash from salt+password.. Btw i make a desktop app with a single admin.. but on the other side i need an online web for users to make orders.. can i do it? I'm using access database.. how to connect it

  16. #16
    PowerPoster
    Join Date
    Jun 2015
    Posts
    2,224

    Re: what method is secure to insert and update into database ?

    you're going to want to start a new thread, for this question.
    but best practice is to use a web service. you don't expose database access directly to the internet.
