-
Sep 8th, 2017, 01:24 AM
#1
Thread Starter
Lively Member
what method is secure to insert and update into database ?
I'm using an Access database.
This is my code to insert:
Code:
' OleDb binds the ? placeholders by position, in the order the parameters are added
sql = "insert into customer([nid_c],[name_customer]) values(?,?)"
cmd = New OleDbCommand(sql, conn)
With cmd.Parameters
    .Add(New OleDbParameter("@nid_c", CType(cusnid.Text, String)))
    .Add(New OleDbParameter("@name_customer", CType(cusname.Text, String)))
End With
This is my code to update:
Code:
sql = "update customer set name_customer=? where nid_c = '" & cusnid.Text & "'"
cmd = New OleDbCommand(sql, conn)
With cmd.Parameters
    .Add(New OleDbParameter("@nama_customer", CType(cusnama.Text, String)))
End With
Is it secure to avoid SQL injection?
Last edited by khabib28; Sep 8th, 2017 at 01:28 AM.
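Both statements with every user-supplied value bound as a parameter, including the key in the WHERE clause that the update above builds by string concatenation. This is an added example, not part of the original post: the table and column names come from the post, while the module and function names, field sizes, sample values and connection string are assumptions.

```vbnet
Imports System
Imports System.Data.OleDb

Module CustomerData
    ' Hypothetical helper: inserts one row and returns the rows affected.
    ' Field sizes (50, 255) are assumed; match them to your table design.
    Public Function InsertCustomer(conn As OleDbConnection,
                                   nid As String, name As String) As Integer
        Dim sql As String = "INSERT INTO customer ([nid_c], [name_customer]) VALUES (?, ?)"
        Using cmd As New OleDbCommand(sql, conn)
            ' OleDb ignores parameter names and binds by position,
            ' so add parameters in the same order as the ? marks.
            cmd.Parameters.Add("@nid_c", OleDbType.VarWChar, 50).Value = nid
            cmd.Parameters.Add("@name_customer", OleDbType.VarWChar, 255).Value = name
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' Hypothetical helper: the key in the WHERE clause is a parameter too,
    ' so text typed into the form is never part of the SQL string.
    Public Function UpdateCustomerName(conn As OleDbConnection,
                                       nid As String, newName As String) As Integer
        Dim sql As String = "UPDATE customer SET [name_customer] = ? WHERE [nid_c] = ?"
        Using cmd As New OleDbCommand(sql, conn)
            cmd.Parameters.Add("@name_customer", OleDbType.VarWChar, 255).Value = newName
            cmd.Parameters.Add("@nid_c", OleDbType.VarWChar, 50).Value = nid
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    Sub Main()
        ' Placeholder connection string; point Data Source at your own file.
        Dim cs As String = "Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\path\to\your.accdb"
        Using conn As New OleDbConnection(cs)
            conn.Open()
            ' Constructed sample values; the apostrophe is stored as data.
            Console.WriteLine(InsertCustomer(conn, "C001", "O'Brien"))
            Console.WriteLine(UpdateCustomerName(conn, "C001", "Miles O'Brien"))
        End Using
    End Sub
End Module
```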
-
Sep 8th, 2017, 03:05 AM
#2
Re: what method is secure to insert and update into database ?
-
Sep 8th, 2017, 05:12 AM
#3
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by make me rain
That means my method is secure..
And how do I hash a password and then save it to the database?
-
Sep 8th, 2017, 07:33 AM
#4
Re: what method is secure to insert and update into database ?
Originally Posted by khabib28
That means my method is secure..
And how do I hash a password and then save it to the database?
Why are you saving the database password in the database? Leave it to the database to do its job; you just create users.
-
Sep 8th, 2017, 08:13 AM
#5
Re: what method is secure to insert and update into database ?
You never store a password in the database. You store a 1-way hash of the salted password, and the random salt. That way, if your database is ever compromised, the passwords cannot be recovered (except by brute force).
To save the salt+hash:
1) get the password from the user
2) create a random salt and combine it with the pw
3) perform the 1-way hash on the salted pw
4) store the salt and the hash to the database
To verify a password during login:
1) get the password from the user
2) combine it with the salt stored in the database
3) perform the 1-way hash on the salted pw
4) compare this result to the pw hash stored in the database
Last edited by DEXWERX; Sep 8th, 2017 at 11:27 AM.
-
Sep 8th, 2017, 09:35 AM
#6
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by DEXWERX
You never store a password in the database. You store a 1-way hash of the salted password, and the random salt. That way, if your database is ever compromised, the passwords cannot be recovered.
To save the salt+hash:
1) get the password from the user
2) create a random salt and combine it with the pw
3) perform the 1-way hash on the salted pw
4) store the salt and the hash to the database
To verify a password during login:
1) get the password from the user
2) combine it with the salt stored in the database
3) perform the 1-way hash on the salted pw
4) compare this result to the pw hash stored in the database
Can you show the code or give me a link containing code about salt+hash?
-
Sep 8th, 2017, 09:36 AM
#7
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by make me rain
Why are you saving the database password in the database? Leave it to the database to do its job; you just create users.
Not the database password but the admin password. I want to save it to the database, but with a hash method for security reasons.
-
Sep 8th, 2017, 10:37 AM
#8
Re: what method is secure to insert and update into database ?
.NET procedure tutorial --> http://www.visual-basic-tutorials.co...sual-basic.htm
Hashing functions for VBA --> https://en.wikibooks.org/wiki/Visual...Hashing_in_VBA
VB6 cryptographically secure random for generating the salt,
from here --> http://www.vbforums.com/showthread.p...erator-for-VB6
You'll have to update the declare for VBA / 64-bit VBA.
Code:
Private Declare Function RtlGenRandom Lib "AdvAPI32" Alias "SystemFunction036" ( _
    ByVal pRandomBuffer As Long, _
    ByVal RandomBufferLength As Long) As Long

' Returns a random Long between Min and Max (inclusive) from the OS random generator.
Private Function Rand(ByVal Min As Long, ByVal Max As Long) As Long
    ' Fill the 4 bytes of the return value with random data.
    If RtlGenRandom(VarPtr(Rand), 4) Then
        ' Clear the sign bit rather than calling Abs(): Abs(&H80000000) overflows a Long.
        Rand = (Rand And &H7FFFFFFF) Mod (Max - Min + 1) + Min
    Else
        Err.Raise 51 'Internal error, for lack of a more specific exception.
    End If
End Function
Last edited by DEXWERX; Sep 8th, 2017 at 10:43 AM.
-
Sep 8th, 2017, 11:02 AM
#9
Re: what method is secure to insert and update into database ?
Originally Posted by khabib28
can you show the code or give me link contain code about salt+hash
What's stopping you from searching for some for yourself?
-
Sep 8th, 2017, 11:52 AM
#10
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by jmcilhinney
What's stopping you from searching for some for yourself?
I need more references...
-
Sep 8th, 2017, 12:06 PM
#11
Re: what method is secure to insert and update into database ?
Originally Posted by khabib28
I need more references...
Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?
-
Sep 8th, 2017, 12:14 PM
#12
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by jmcilhinney
Yeah, so search for some. If you think you can write software then you should be able to search the web. Why haven't you just typed "vb.net hash password" or the like into Google?
I know what you want..
Search first, and if stuck then ask here..
I'm so sorry..
-
Sep 13th, 2017, 03:41 PM
#13
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by DEXWERX
Basically, after I get hashpass from normalpass, I just store hashpass in the database???
And compare the two at login using the username parameter??
I'm using BCrypt.
Code:
// hash and save a password
string hashedPassword = BCrypt.Net.BCrypt.HashPassword(submittedPassword);
// check a password
bool validPassword = BCrypt.Net.BCrypt.Verify(submittedPassword, hashedPassword);
-
Sep 14th, 2017, 06:54 AM
#14
Re: what method is secure to insert and update into database ?
Storing a hashed password is vulnerable to a rainbow attack.
You need a salt, and you store both.
See post#4 and the links to understand the process.
Edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
Last edited by DEXWERX; Sep 14th, 2017 at 06:59 AM.
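The save and verify steps listed earlier in the thread, written with the Rfc2898DeriveBytes class named in the post above. This is an added example, not code from any poster here: the salt size, hash size, iteration count, SHA-256 choice and all names are assumptions, and the four-argument constructor assumes .NET Framework 4.7.2 or later.

```vbnet
Imports System
Imports System.Security.Cryptography

Module PasswordStore
    Private Const SaltSize As Integer = 16        ' bytes; assumed value
    Private Const HashSize As Integer = 32        ' bytes; assumed value
    Private Const Iterations As Integer = 100000  ' assumed work factor

    ' Save: create a fresh random salt, then derive the hash from password + salt.
    Public Sub CreateHash(password As String, ByRef salt As Byte(), ByRef hash As Byte())
        salt = New Byte(SaltSize - 1) {}
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(salt)
        End Using
        hash = Derive(password, salt)
    End Sub

    ' Verify: re-derive with the salt read back from the database and compare.
    Public Function Verify(password As String, salt As Byte(), storedHash As Byte()) As Boolean
        Return FixedTimeEquals(Derive(password, salt), storedHash)
    End Function

    Private Function Derive(password As String, salt As Byte()) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256)
            Return kdf.GetBytes(HashSize)
        End Using
    End Function

    ' Compares every byte so the time taken does not depend on where they differ.
    Private Function FixedTimeEquals(a As Byte(), b As Byte()) As Boolean
        If a Is Nothing OrElse b Is Nothing OrElse a.Length <> b.Length Then Return False
        Dim diff As Integer = 0
        For i As Integer = 0 To a.Length - 1
            diff = diff Or (a(i) Xor b(i))
        Next
        Return diff = 0
    End Function

    Sub Main()
        Dim salt As Byte() = Nothing
        Dim hash As Byte() = Nothing
        ' Constructed sample password.
        CreateHash("correct horse battery staple", salt, hash)
        Console.WriteLine("salt: " & Convert.ToBase64String(salt))
        Console.WriteLine("hash: " & Convert.ToBase64String(hash))
        Console.WriteLine(Verify("correct horse battery staple", salt, hash))
        Console.WriteLine(Verify("wrong guess", salt, hash))
    End Sub
End Module
```

Store the salt and the hash as two columns of the user's row, written with a parameterized command.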
-
Sep 15th, 2017, 10:03 PM
#15
Thread Starter
Lively Member
Re: what method is secure to insert and update into database ?
Originally Posted by DEXWERX
Storing a hashed password is vulnerable to a rainbow attack.
You need a salt, and you store both.
See post#4 and the links to understand the process.
Edit: if you are using .NET, then use Rfc2898DeriveBytes to manage password and salt.
Yes, right.. I store the salt and the hash from salt+password.. Btw I'm making a desktop app with a single admin.. but on the other side I need an online website for users to make orders.. Can I do it? I'm using an Access database.. How do I connect it?
-
Sep 18th, 2017, 09:13 AM
#16
Re: what method is secure to insert and update into database ?
You're going to want to start a new thread for this question.
But best practice is to use a web service. You don't expose database access directly to the internet.