Monday, November 3, 2008

What is SQL injection?

It is a way of hacking on a database driven Web site in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on a system connected to the Internet,bypassing the firewall.

SQL injection hackers are used to steal information from a database from which the data would normally not be available and/or to gain access to an organization’s host computers through the computer that is hosting the database.

SQL injection attacks typically are easy to avoid by ensuring that a system has strong input validation.


This is your query when the user clicks on the Login button ->
Select [UserName], [Password] From Users Where UserID = 1; 
This the Hacker query "he types this query in the user name textbox"->
Select [UserName], [Password] From Users Where UserID = 1;
Drop Table Users;
So Never use a direct query from your Web Application to Database.

Instead use Stored Procedures and Implement Layers such as Data Access Layer and Business Logic Layer, this would protected you against the SQL Injection.

Saturday, November 1, 2008

How to Export To Excel in ASP.NET

Export Gridview Control to Excel:
HtmlForm htmlForm = new HtmlForm();
string fileName = "attachment; filename=Reports.xls";
Response.AddHeader("content-disposition", fileName);
Response.ContentType = "application/ms-excel";
StringWriter strw = new StringWriter();
HtmlTextWriter htxtw = new HtmlTextWriter(strw);
Export Data Table to Excel:
HttpContext context = HttpContext.Current;
foreach (DataColumn column in table.Columns)
    context.Response.Write(column.ColumnName + ";");
foreach (DataRow row in table.Rows)
    for (int i = 0; i < table.Columns.Count; i++)
        context.Response.Write(row[i].ToString().Replace(";", string.Empty) + ";");
context.Response.ContentType = "text/csv";
context.Response.AppendHeader("Content-Disposition", "attachment;filename=" + name + ".csv");