what method is secure to insert and update into database ?
i'm using access database
this is my code to insert:
Code:
sql = "insert into customer([nid_c],[name_customer]) values(?,?)"
cmd = New OleDbCommand(sql, conn)
With cmd.Parameters
    .Add(New OleDbParameter("@nid_c", CType(cusnid.Text, String)))
    .Add(New OleDbParameter("@name_customer", CType(cusname.Text, String)))
End With
this is my code to update:
Code:
sql = "update customer set name_customer=? where nid_c = '" & cusnid.Text & "'"
cmd = New OleDbCommand(sql, conn)
With cmd.Parameters
.Add(New OleDbParameter("@nama_customer", CType(cusnama.Text, String)))
End With
is it secure to avoid sql injection?
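Added example, not code from the thread: the update statement in the post above binds only `name_customer` and still concatenates `cusnid.Text` into the WHERE clause. The sketch below shows that string next to a version that binds both values; the module and function names, the text column type and the 255 length are assumptions.

```vb
Imports System.Data.OleDb

Module CustomerData
    ' The thread's update built this way: nid becomes part of the SQL text,
    ' so an apostrophe in it ends the string literal early and whatever
    ' follows is parsed as SQL instead of being treated as data.
    Public Function ConcatenatedUpdateSql(nid As String) As String
        Return "update customer set name_customer=? where nid_c = '" & nid & "'"
    End Function

    ' Hypothetical helper (name and signature are assumptions): every
    ' user-supplied value is bound, and the SQL text is a constant.
    Public Function UpdateCustomerName(conn As OleDbConnection,
                                       nid As String,
                                       name As String) As Integer
        Const sql As String = "UPDATE customer SET name_customer = ? WHERE nid_c = ?"

        Using cmd As New OleDbCommand(sql, conn)
            ' OleDb ignores parameter names and binds by position, so add
            ' parameters in the order the ? markers appear in the statement.
            ' VarWChar/255 assumes both columns are Access Short Text fields.
            cmd.Parameters.Add("@name_customer", OleDbType.VarWChar, 255).Value = name
            cmd.Parameters.Add("@nid_c", OleDbType.VarWChar, 255).Value = nid
            Return cmd.ExecuteNonQuery() ' rows affected
        End Using
    End Function
End Module
```

Because binding is positional, swapping the two `Parameters.Add` lines would silently write the ID into the name column rather than raise an error.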
Re: what method is secure to insert and update into database ?
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
make me rain
that means my method is secure..
and how to hash password and then save to database ?
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
khabib28
that means my method is secure..
and how to hash password and then save to database ?
Why are you saving the database password in the database? Leave it to the database to do its job, you just create users
Re: what method is secure to insert and update into database ?
you never store a password in the database. you store a 1 way hash of the salted password, and the random salt. that way if your database is ever compromised, the passwords can not be recovered (except by brute-force).
to save the salt+hash:
1) get the password from the user
2) create a random salt and combine it with the pw
3) perform the 1-way hash on the salted pw
4) store the salt, and the hash to the database
to verify a password during login:
1) get the password from the user
2) combine it with the salt stored in the database
3) perform the 1-way hash on the salted pw
4) compare this result to the pw hash stored in the database
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
DEXWERX
you never store a password in the database. you store a 1 way hash of the salted password, and the random salt. that way if your database is ever compromised, the passwords can not be recovered.
to save the salt+hash:
1) get the password from the user
2) create a random salt and combine it with the pw
3) perform the 1-way hash on the salted pw
4) store the salt, and the hash to the database
to verify a password during login:
1) get the password from the user
2) combine it with the salt stored in the database
3) perform the 1-way hash on the salted pw
4) compare this result to the pw hash stored in the database
can you show the code or give me a link containing code about salt+hash
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
make me rain
Why are you saving the database password in the database? Leave it to the database to do its job, you just create users
not the database password but the admin password. i want to save it to the database but with a hash method for security reasons
Re: what method is secure to insert and update into database ?
.NET procedure tutorial --> http://www.visual-basic-tutorials.co...sual-basic.htm
Hashing functions for VBA --> https://en.wikibooks.org/wiki/Visual...Hashing_in_VBA
VB6 Cryptographic secure Random for generating the salt.
from here -->http://www.vbforums.com/showthread.p...erator-for-VB6
you'll have to update the declare for VBA / 64bit VBA
Code:
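' Fills a caller-supplied buffer with cryptographically secure random bytes.
Private Declare Function RtlGenRandom Lib "AdvAPI32" Alias "SystemFunction036" ( _
    ByVal pRandomBuffer As Long, _
    ByVal RandomBufferLength As Long) As Long

' Returns a random Long between Min and Max (inclusive).
Private Function Rand(ByVal Min As Long, ByVal Max As Long) As Long
    ' Write 4 random bytes directly into the function's return variable.
    If RtlGenRandom(VarPtr(Rand), 4) Then
        ' Clear the sign bit instead of calling Abs(), which overflows on &H80000000.
        Rand = (Rand And &H7FFFFFFF) Mod (Max - Min + 1) + Min
    Else
        Err.Raise 51 'Internal error, for lack of a more specific exception.
    End If
End Function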
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
khabib28
can you show the code or give me a link containing code about salt+hash
What's stopping you from searching for some for yourself?
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
jmcilhinney
What's stopping you from searching for some for yourself?
i need more reference...
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
khabib28
i need more reference...
Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
jmcilhinney
Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?
i know that u want ..
search first if stuck then ask here..
i'm so sorry ..
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
DEXWERX
basically after i got hashpass from normalpass i just store hashpass into database ???
and compare the both when login using username parameters??
i'm using BCrypt
Code:
// hash and save a password
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(submittedPassword);
// check a password
bool validPassword = BCrypt.Net.BCrypt.Verify(submittedPassword, hashedPassword);
Re: what method is secure to insert and update into database ?
storing a hashed password is vulnerable to a rainbow attack.
you need a salt, and you store both.
see post#4 and the links to understand the process.
edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
Re: what method is secure to insert and update into database ?
Quote:
Originally Posted by
DEXWERX
storing a hashed password is vulnerable to a rainbow attack.
you need a salt, and you store both.
see post#4 and the links to understand the process.
edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
Yes right.. I store salt n hash from salt+password.. Btw i make desktop app with single admin..but in one side i need online web for user to make order..can i do it? I'm using access database..how to connect it
Re: what method is secure to insert and update into database ?
you're going to want to start a new thread for this question.
but best practice is to use a web service. you don't expose database access directly to the internet.