microsoft.public.dotnet.framework.aspnet.mobile

need Help By Timer (Mobile Web Application)

rodchar

2/10/2004 11:36:00 AM

Hi, how are you all? I need help using a timer to keep checking whether the database has changed after I run the application in MME (Microsoft Mobile Explorer). I have a lot of forms, and if the database changes I want to alert the user, but I couldn't find any timer for this.
I hope someone can help me.
Thanks

9 Answers

Bob Barrows [MVP]

11/12/2008 11:38:00 PM

0

MikeR wrote:
> Bob Barrows wrote:
>> MikeR wrote:
>>> Due to a crash, I lost all my links to the various info about
>>> defeating SQL/script injection.
>>>
>> http://www.spidynamics.com/papers/SQLInjectionWhit...
>>
> Thanks Bob -
>
> In your spare time, how about writing a best practices tutorial, with
> all the good stuff in one place? ;->
>

Sure, as soon as I get a round tuit. All I've got are square ones ;-)

> The last link gets changed to
> http://www.hp.com/spidynamics/papers/SQLInjectionWhit...
> and I can't get to it. Huh?

Try using the Wayback Machine at www.archive.org ... or search the hp site

>
> I'm working with an Access 2000 db and I'm going to use parameterized
> queries. Is there a way, on an update, to avoid blanking a field if it
> already
> contains a value, and the user doesn't enter anything for that field
> in the input form?
> For instance my stored query might be:
>
> INSERT

I presume you mean UPDATE ... :-)

> tbl1 set name = [P1], phone = [P2], category = [P3] where ID =
> [P4]
> and the user didn't put in a phone on the input form.
>
> I call the proc using
>
> cn.nameproc SanName, SanPhone, SanCat, SanUID and SanPhone is empty

You have no alternative but to change your query to handle the situation
where the parameter is blank, using iif().

set phone=iif([P2]="",[phone],[P2])

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"


MikeR

11/13/2008 2:02:00 AM

0

Bob Barrows [MVP] wrote:
> MikeR wrote:
>> Bob Barrows wrote:
>>> MikeR wrote:
>>>> Due to a crash, I lost all my links to the various info about
>>>> defeating SQL/script injection.
>>>>
>>> http://www.spidynamics.com/papers/SQLInjectionWhit...
>>>
>> Thanks Bob -
>>
>> In your spare time, how about writing a best practices tutorial, with
>> all the good stuff in one place? ;->
>>
>
> Sure, as soon as I get a round tuit. All I've got are square ones ;-)

Dang! I had a spare one, but I can't find it.
>
>> The last link gets changed to
>> http://www.hp.com/spidynamics/papers/SQLInjectionWhit...
>> and I can't get to it. Huh?
>
> Try using the Wayback Machine at www.archive.org ... or search the hp site

That worked.
>
>> I'm working with an Access 2000 db and I'm going to use parameterized
>> queries. Is there a way, on an update, to avoid blanking a field if it
>> already
>> contains a value, and the user doesn't enter anything for that field
>> in the input form?
>> For instance my stored query might be:
>>
>> INSERT
>
> I presume you mean UPDATE ... :-)
Ooops.... yep.
>
>> tbl1 set name = [P1], phone = [P2], category = [P3] where ID =
>> [P4]
>> and the user didn't put in a phone on the input form.
>>
>> I call the proc using
>>
>> cn.nameproc SanName, SanPhone, SanCat, SanUID and SanPhone is empty
>
> You have no alternative but to change your query to handle the situation
> where the parameter is blank, using iif().
>
> set phone=iif([P2]="",[phone],[P2])
>
Neat.

What's your take on the need to sanitize the input before sending it to the query? I
got mixed signals from those papers.

Bob Barrows [MVP]

11/13/2008 2:31:00 AM

0

MikeR wrote:
>
> What's your take on the need to sanitize the input before sending it
> to the query? I got mixed signals from those papers.

It's mildly controversial. Some people take the stand that since sql
injection is impossible given the use of parameters, then in-depth
sanitation, beyond the obvious task of preventing errors by making sure the
supplied data is of the proper datatypes, is nothing but a waste of time.

My thinking is that security should consist of several layers, the first
being to validate the data to make sure it does not contain attempts to
breach your security. True, validation is not 100% secure, so the fall-back
layer is the use of parameters rather than dynamic sql. Some people
recommend inconveniencing the hacker when detected: for example, redirecting
him to a page that looks like what he would get if his hack was successful,
but displaying a perpetual progress bar so that his time is wasted. At the
very least, detected attempts should be logged so you are alerted about
them.

--
Microsoft MVP - ASP/ASP.NET - 2004-2007
Please reply to the newsgroup. This email account is my spam trap so I
don't check it very often. If you must reply off-line, then remove the
"NO SPAM"
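
The layering described in this post (validate first, fall back on parameters, log what was rejected) can be sketched as follows. This is an added example, not code from the thread: it uses Python's `sqlite3` as a stand-in for the Access database, and the field patterns, function names and sample rows are assumptions made for illustration.

```python
import logging
import re
import sqlite3

log = logging.getLogger("input_validation")

# Allowlist patterns (assumed formats for this example, not from the thread).
RULES = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
    "phone": re.compile(r"\+?[0-9][0-9 ()-]{6,19}"),
    "category": re.compile(r"[A-Za-z0-9 ]{1,20}"),
}

UPDATE_SQL = "UPDATE tbl1 SET name = ?, phone = ?, category = ? WHERE ID = ?"


def validate(fields):
    """Layer 1: return the names of fields that fail their allowlist pattern."""
    return [k for k, rx in RULES.items() if not rx.fullmatch(fields.get(k, ""))]


def update_contact(conn, row_id, fields, client="unknown"):
    """Validate, log rejections, then run the parameterized UPDATE (layer 2)."""
    bad = validate(fields)
    if bad:
        # Log field names and client only, never the raw value, so the log stays clean.
        log.warning("rejected update id=%r client=%r bad_fields=%s", row_id, client, bad)
        return False
    conn.execute(UPDATE_SQL, (fields["name"], fields["phone"], fields["category"], int(row_id)))
    return True


def demo():
    """Constructed data: one row, one accepted update, one rejected update."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tbl1 (ID INTEGER PRIMARY KEY, name TEXT, phone TEXT, category TEXT)")
    conn.execute("INSERT INTO tbl1 VALUES (1, 'Ann', '555 0100', 'club')")
    # A legitimate name may contain an apostrophe; the parameter stores it as data.
    ok = update_contact(conn, 1, {"name": "Pat O'Neil", "phone": "555 0199", "category": "club"})
    # Constructed input with SQL metacharacters in a field that should be digits only.
    rejected = update_contact(conn, 1, {"name": "Pat", "phone": "555 0199'; --", "category": "club"})
    return ok, rejected, conn.execute("SELECT name, phone FROM tbl1 WHERE ID = 1").fetchone()
```

The name pattern has to allow an apostrophe for real names, which is why validation alone is not enough and the bound parameters remain the layer that keeps the value out of the SQL text.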


MikeR

11/14/2008 12:06:00 AM

0

Bob Barrows [MVP] wrote:
> MikeR wrote:
>> What's your take on the need to sanitize the input before sending it
>> to the query? I got mixed signals from those papers.
>
> It's mildly controversial. Some people take the stand that since sql
> injection is impossible given the use of parameters, then in-depth
> sanitation, beyond the obvious task of preventing errors by making sure the
> supplied data is of the proper datatypes, is nothing but a waste of time.
>
> My thinking is that security should consist of several layers, the first
> being to validate the data to make sure it does not contain attempts to
> breach your security. True, validation is not 100% secure, so the fall-back
> layer is the use of parameters rather than dynamic sql. Some people
> recommend inconveniencing the hacker when detected: for example, redirecting
> him to a page that looks like what he would get if his hack was successful,
> but displaying a perpetual progress bar so that his time is wasted. At the
> very least, detected attempts should be logged so you are alerted about
> them.
>
Very reasoned. Thanks.
Mike

MikeR

11/14/2008 12:32:00 AM

0

Bob Barrows [MVP] wrote:
> MikeR wrote:
>> Bob Barrows wrote:
>>> MikeR wrote:
>>>> Due to a crash, I lost all my links to the various info about
>>>> defeating SQL/script injection.
>>>>
>>> http://www.spidynamics.com/papers/SQLInjectionWhit...
>>>
>> Thanks Bob -
>>
>> In your spare time, how about writing a best practices tutorial, with
>> all the good stuff in one place? ;->
>>
>
> Sure, as soon as I get a round tuit. All I've got are square ones ;-)
>
>> The last link gets changed to
>> http://www.hp.com/spidynamics/papers/SQLInjectionWhit...
>> and I can't get to it. Huh?
>
> Try using the Wayback Machine at www.archive.org ... or search the hp site
>
>> I'm working with an Access 2000 db and I'm going to use parameterized
>> queries. Is there a way, on an update, to avoid blanking a field if it
>> already
>> contains a value, and the user doesn't enter anything for that field
>> in the input form?
>> For instance my stored query might be:
>>
>> INSERT
>
> I presume you mean UPDATE ... :-)
>
>> tbl1 set name = [P1], phone = [P2], category = [P3] where ID =
>> [P4]
>> and the user didn't put in a phone on the input form.
>>
>> I call the proc using
>>
>> cn.nameproc SanName, SanPhone, SanCat, SanUID and SanPhone is empty
>
> You have no alternative but to change your query to handle the situation
> where the parameter is blank, using iif().
>
> set phone=iif([P2]="",[phone],[P2])

UPDATE Stations SET rigs = [RIG], AMPS = iif([P2] = "" , [AMPS],[P2])
WHERE call=[UCALL];

Running this in the query designer blanks the column AMPS if P2 is left blank. If
it's filled, it works as expected.

Bob Barrows [MVP]

11/14/2008 2:31:00 PM

0

MikeR wrote:
>
> UPDATE Stations SET rigs = [RIG], AMPS = iif([P2] = "" , [AMPS],[P2])
> WHERE call=[UCALL];
>
> Running this in the query designer blanks the column AMPS if P2 is
> left blank. If it's filled, it works as expected.

Are you making sure to pass an empty string if the user leaves it blank?

--
HTH,
Bob Barrows


MikeR

11/14/2008 4:29:00 PM

0

Bob Barrows wrote:
> MikeR wrote:
>> UPDATE Stations SET rigs = [RIG], AMPS = iif([P2] = "" , [AMPS],[P2])
>> WHERE call=[UCALL];
>>
>> Running this in the query designer blanks the column AMPS if P2 is
>> left blank. If it's filled, it works as expected.
>
> Are you making sure to pass an empty string if the user leaves it blank?
>
<slapforehead strength="hard">DOH!</slapforehead> Nope, I was just clicking OK on
the dialog box in Access. Entering "" worked.

Bob Barrows [MVP]

11/14/2008 4:38:00 PM

0

MikeR wrote:
> Bob Barrows wrote:
>> MikeR wrote:
>>> UPDATE Stations SET rigs = [RIG], AMPS = iif([P2] = "" ,
>>> [AMPS],[P2]) WHERE call=[UCALL];
>>>
>>> Running this in the query designer blanks the column AMPS if P2 is
>>> left blank. If it's filled, it works as expected.
>>
>> Are you making sure to pass an empty string if the user leaves it
>> blank?
>>
> <slapforehead strength="hard">DOH!</slapforehead> Nope, I was just
> clicking OK on the dialog box in Access. Entering "" worked.

In that case, you would want to check for Null instead of an empty
string:
iif([P2] Is Null, ...
--
HTH,
Bob Barrows
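
The Null-versus-empty-string behaviour worked out in this exchange, as an added example that is not part of the original posts. It uses Python's `sqlite3` as a stand-in for Access (so `CASE WHEN` replaces `iif()`), and the sample row and function names are constructed for illustration.

```python
import sqlite3

# Form from the thread: only an empty string counts as "left blank".
NAIVE = """UPDATE Stations
SET rigs = :rig,
    AMPS = CASE WHEN :p2 = '' THEN AMPS ELSE :p2 END
WHERE call = :ucall"""

# Hardened form: a missing (NULL) parameter also keeps the stored value.
SAFE = """UPDATE Stations
SET rigs = :rig,
    AMPS = CASE WHEN :p2 IS NULL OR :p2 = '' THEN AMPS ELSE :p2 END
WHERE call = :ucall"""


def make_db():
    """Constructed sample data: one station row with AMPS already set."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Stations (call TEXT PRIMARY KEY, rigs TEXT, AMPS TEXT)")
    conn.execute("INSERT INTO Stations VALUES ('N0CALL', 'old rig', 'amp A')")
    return conn


def amps_after(sql, p2):
    """Run one parameterized UPDATE on a fresh database and return AMPS."""
    conn = make_db()
    conn.execute(sql, {"rig": "new rig", "p2": p2, "ucall": "N0CALL"})
    return conn.execute("SELECT AMPS FROM Stations WHERE call = 'N0CALL'").fetchone()[0]


if __name__ == "__main__":
    # NULL = '' evaluates to NULL, not true, so the naive form falls through
    # to the ELSE branch and overwrites the column with NULL.
    for label, sql in (("naive", NAIVE), ("safe", SAFE)):
        for p2 in ("", None, "amp B"):
            print(label, repr(p2), "->", repr(amps_after(sql, p2)))
```

Checking both conditions in the query means the stored value survives whether the caller passes an empty string or no value at all.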


MikeR

11/17/2008 12:35:00 PM

0

Bob Barrows wrote:
> MikeR wrote:
>> Bob Barrows wrote:
>>> MikeR wrote:
>>>> UPDATE Stations SET rigs = [RIG], AMPS = iif([P2] = "" ,
>>>> [AMPS],[P2]) WHERE call=[UCALL];
>>>>
>>>> Running this in the query designer blanks the column AMPS if P2 is
>>>> left blank. If it's filled, it works as expected.
>>> Are you making sure to pass an empty string if the user leaves it
>>> blank?
>>>
>> <slapforehead strength="hard">DOH!</slapforehead> Nope, I was just
>> clicking OK on the dialog box in Access. Entering "" worked.
>
> In that case, you would want to check for Null instead of an empty
> string:
> iif([P2] Is Null, ...

Thank you sir!