Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

SQL Injection in ASP.NET

Posted on 2011-09-30
6
Medium Priority
?
302 Views
Last Modified: 2012-05-12
- Please give me solutions of SQL Injection in my project.

- It is again and again comes in database.

- Script add in every table in database.

- How to prevent this problem?

- Give me good solutions so that next do not happen.
0
Comment
Question by:citadelind
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 5

Accepted Solution

by:
MrNetic earned 2000 total points
ID: 36890760
Use procedures to "talk" with your DB.
0
 
LVL 53

Expert Comment

by:Dhaest
ID: 36890768
SQL Injection Attacks and Some Tips on How to Prevent Them
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx

Secure Your ASP.NET Application from a SQL Injection Attack
http://blogs.ittoolbox.com/windows/rishi/archives/secure-your-aspnet-application-from-a-sql-injection-attack-15364

SQL Injection Attacks by Example - Introduction
http://www.developerfusion.co.uk/show/4656/
0
 
LVL 9

Expert Comment

by:richard_hughes
ID: 36890798
Hello citadelind

One of the easiest methods to stop SQL injection attacks is to check all incoming text entries. See the following code for an example. It uses C# 4 and ASP .NET, but the general principle applies to any language and framework that uses SQL.

Notice the use of the String extension method. This simply replaces any instance of ' with '' The use of the ' character is a common cause of SQL injection. By trapping replacing the ' character with '', you limit the number of ways a SQL inject attach can occur.

Thanks,

Richard Hughes
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;

namespace WebApplication1.Code
{
	public static class StringExtensions
	{
		public static string MakeSQLSafe(this String s)
		{
			if (String.IsNullOrEmpty(s))
				return s;

			string str = s.Replace("'", "''");

			return str;
		}
	}
}

Open in new window

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using WebApplication1.Code;

namespace WebApplication1
{
	public partial class _Default : System.Web.UI.Page
	{
		protected void Page_Load(object sender, EventArgs e)
		{
			string name = this.textName.Text.MakeSQLSafe();

			// now name is safe from SQL injection attacks
		}
	}
}

Open in new window

<%@ Page Title="Home Page" Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true"
    CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>

<asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
</asp:Content>
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
   
	<asp:TextBox ID="textName" runat="server"></asp:TextBox>

</asp:Content>

Open in new window

0
Veeam Task Manager for Hyper-V

Task Manager for Hyper-V provides critical information that allows you to monitor Hyper-V performance by displaying real-time views of CPU and memory at the individual VM-level, so you can quickly identify which VMs are using host resources.

 
LVL 18

Expert Comment

by:deighton
ID: 36891265
ideally use stored procedures to access data and pass data as parameters.  If you build in line SQL, then specify parameters for any user input data.

If you cannot do that, make sure that any user input string used in building a sql string is escaped for the ' character with

MyString.Replace("'", "''")

i.e replace ' with ''  (a single quote is replaced by two single quotes)
0
 
LVL 17

Expert Comment

by:Carlos Villegas
ID: 36891306
I follow ALWAYS these two rules:
1. ALWAYS use parameters for your query's:
Example:
SqlCommand cm = new SqlCommand("INSERT dbo.MyTable (Text) VALUES (@pText)", myConnection);
cm.Parameters.Add("pText", SqlDbType.VarChar, 50).Value = "My user unsafe input";
cm.ExecuteNonQuery();

Open in new window

The SqlCommand class will take care of the security of this input, converting this to a literal.

2. When you display data from your DB to html, ALWAYS encode it by using Server.HtmlEncode("My unsafe user text")
0
 

Author Closing Comment

by:citadelind
ID: 36972347
Thanks for help
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

What if you have to shut down the entire Citrix infrastructure for hardware maintenance, software upgrades or "the unknown"? I developed this plan for "the unknown" and hope that it helps you as well. This article explains how to properly shut down …
It is possible to export the data of a SQL Table in SSMS and generate INSERT statements. It's neatly tucked away in the generate scripts option of a database.
Viewers will learn how the fundamental information of how to create a table.
Viewers will learn how to use the SELECT statement in SQL and will be exposed to the many uses the SELECT statement has.

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question