Passwords with Special Characters

Guest

I'm trying to figure out a general algorithm to allow any valid MS SQL 2000
username/password combination to log into a Winform application. I'm having
trouble with special characters.

I created a user named test
The password assigned is test'"; (that is, the word test, followed by a
single quote, followed by a double quote, followed by a semi-colon)

In the connection string, I've tried quoting the password with double quotes
and doubling each double quote in the password. That causes the code to run
fine (no runtime exceptions), but it can't log into the SQL server.

I also tried the above with single quotes instead of double quotes. That
doesn't work either.

If I change the password to test' I can then place double quotes around it,
and it works fine. If I change the password to test" I can place single
quotes around it and it works fine. But I can't get the combination of both
single and double quotes in a single password to work.

Thanks in advance!
 
W.G. Ryan eMVP

I would SERIOUSLY Recommend Against dynamically generating a Connection
string but if you must - make sure you can't add any other properties
because you could be in for some real trouble. But that presents a problem
because people might use Property names in their passwords. If they are
already on the domain - then you can authenticate them through win
authentication as well. - is there a reason you don't want to use it?

HTH,

Bill
 
Guest

W.G. Ryan eMVP said:
I would SERIOUSLY Recommend Against dynamically generating a Connection
string but if you must - make sure you can't add any other properties
because you could be in for some real trouble. But that presents a problem
because people might use Property names in their passwords. If they are
already on the domain - then you can authenticate them through win
authentication as well. - is there a reason you don't want to use it?

The application is a two-tier application, that will not be used by more
than 5 users. None of these users are part of an Active Directory domain and
it is not possible to put them into the domain, for mostly political and
religious reasons (they are part of a Novell shop).

With the quoting I described, it isn't possible for the user to type
anything which causes extra attributes to be injected into the connection
string (I'm not overly worried about this from a security standpoint though
because they already have TCP port 1433 access into the database server from
their workstations - it isn't something like a website where the user would
be able to bypass a firewall or something by connection string injection).
If they use property names, and I quote the way I described, that isn't a
problem and the password is never interpreted as a property name (however, a
password with both single and double quotes cannot ever validate against the
SQL server, either).

Is there a way of creating and opening a SqlConnection instance without
using a connection string? (if not, which from what I can tell is true, it
looks like it is a feature begging to be written...connection strings are a
non-OO abstraction that should not have been propagated into .NET IMHO)
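
An added example, not part of the original thread: one way to avoid hand-quoting the password is to let SqlConnectionStringBuilder (System.Data.SqlClient, .NET Framework 2.0 and later) assemble the string from typed properties, then parse the result back to confirm the password survives and no other property was changed. The server name, database name and sample passwords are constructed placeholders.

```csharp
using System;
using System.Data.SqlClient;

static class ConnectionStringDemo
{
    // Build the connection string from typed properties so the password is
    // always handled as a value, never as connection-string syntax.
    static string Build(string user, string password)
    {
        SqlConnectionStringBuilder b = new SqlConnectionStringBuilder();
        b.DataSource = "dbserver.example";   // placeholder server name
        b.InitialCatalog = "AppDb";          // placeholder database name
        b.IntegratedSecurity = false;        // SQL Server authentication
        b.UserID = user;
        b.Password = password;
        return b.ConnectionString;
    }

    static void Main()
    {
        // Constructed sample passwords: the one from the question, plus two
        // that contain text resembling extra connection-string properties.
        string[] samples = {
            "test'\";",
            "x;Integrated Security=true",
            "\"';Data Source=other.example;"
        };

        foreach (string pw in samples)
        {
            string cs = Build("test", pw);

            // Parse the generated string again and compare with the inputs.
            SqlConnectionStringBuilder parsed = new SqlConnectionStringBuilder(cs);
            bool ok = parsed.Password == pw
                   && parsed.UserID == "test"
                   && parsed.DataSource == "dbserver.example"
                   && !parsed.IntegratedSecurity;

            // Demo only: this prints constructed passwords to the console.
            Console.WriteLine("{0}: {1}", ok ? "round-trips" : "MISMATCH", cs);
        }
    }
}
```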
 
