Skip to main content

DB error not handled by the web application

Incercam astazi sa caut care este cea mai buna ruta pentru a merge din Cluj-Napoca in Arad, iar domnul Google m-a dus la urmatoarea adresa url:
http://mersul-trenurilor.infoturism.ro/mersul_trenurilor_arad_cluj-napoca.php
Pagina returnata avea urmatorul continut:
SELECT DISTINCT traseu.id, traseu.ora, traseu.id_tren,
traseu.id_statie, gari.nume FROM traseu, gari
WHERE traseu.id_statie = gari.id
AND id_tren
IN (536,534,1834,1843,1766)
ORDER BY traseu.ordine, traseu.id1054
- Unknown column 'traseu.ora' in 'field list'
Rezultatul returnat mi s-a parut destul de dragut, mai ales ultima parte a sa. In mod normal ar fi trebuit sa vedem o pagina de eroare frumoasa, dar in schimb apare un SELECT, care ne expune o mica parte din baza de date.
O persoana cu putina imaginatie poate ar putea sa execute o comanda SQL precum un DELETE.
In cazul in care lucrati la o aplicatie de orice fel (in special web) nu uitati sa tratiti mesajele de eroare intr-un mod corespunzator, iar la un end-user sa nu afisati niciodate query din baza de date.
Un mesaj generic este mai mult decat suficient pentru un muritor.

Comments

  1. Vreun programator PHP care nu o auzit de set_error_handler.. - macar in ASP.NET avem customErrors care are valoarea implicita remoteOnly, deci si daca programtrul uita, e cat de cat safe by default daca nu s-a jucat la customErrors.

    ReplyDelete

Post a Comment

Popular posts from this blog

How to check in AngularJS if a service was register or not

There are cases when you need to check in a service or a controller was register in AngularJS.
For example a valid use case is when you have the same implementation running on multiple application. In this case, you may want to intercept the HTTP provider and add a custom step there. This step don’t needs to run on all the application, only in the one where the service exist and register.
A solution for this case would be to have a flag in the configuration that specify this. In the core you would have an IF that would check the value of this flag.
Another solution is to check if a specific service was register in AngularJS or not. If the service was register that you would execute your own logic.
To check if a service was register or not in AngularJS container you need to call the ‘has’ method of ‘inhector’. It will return TRUE if the service was register.
if ($injector.has('httpInterceptorService')) { $httpProvider.interceptors.push('httpInterceptorService&#…

ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded

Today blog post will be started with the following error when running DB tests on the CI machine:
threw exception: System.InvalidOperationException: The Entity Framework provider type 'System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer' registered in the application config file for the ADO.NET provider with invariant name 'System.Data.SqlClient' could not be loaded. Make sure that the assembly-qualified name is used and that the assembly is available to the running application. See http://go.microsoft.com/fwlink/?LinkId=260882 for more information. at System.Data.Entity.Infrastructure.DependencyResolution.ProviderServicesFactory.GetInstance(String providerTypeName, String providerInvariantName) This error happened only on the Continuous Integration machine. On the devs machines, everything has fine. The classic problem – on my machine it’s working. The CI has the following configuration:

TeamCity.NET 4.51EF 6.0.2VS2013
It seems that there …

Entity Framework (EF) TransactionScope vs Database.BeginTransaction

In today blog post we will talk a little about a new feature that is available on EF6+ related to Transactions.
Until now, when we had to use transaction we used ‘TransactionScope’. It works great and I would say that is something that is now in our blood.
using (var scope = new TransactionScope(TransactionScopeOption.Required)) { using (SqlConnection conn = new SqlConnection("...")) { conn.Open(); SqlCommand sqlCommand = new SqlCommand(); sqlCommand.Connection = conn; sqlCommand.CommandText = ... sqlCommand.ExecuteNonQuery(); ... } scope.Complete(); } Starting with EF6.0 we have a new way to work with transactions. The new approach is based on Database.BeginTransaction(), Database.Rollback(), Database.Commit(). Yes, no more TransactionScope.
In the followi…