citadelind
SQL Injection in ASP.NET
- Please give me solutions of SQL Injection in my project.
- It comes into the database again and again.
- A script is added to every table in the database.
- How to prevent this problem?
- Give me good solutions so that it does not happen next time.
Hello citadelind
One of the easiest methods to stop SQL injection attacks is to check all incoming text entries. See the following code for an example. It uses C# 4 and ASP.NET, but the general principle applies to any language and framework that uses SQL.
Notice the use of the String extension method. This simply replaces any instance of ' with ''. The use of the ' character is a common cause of SQL injection. By trapping and replacing the ' character with '', you limit the number of ways a SQL injection attack can occur.
Thanks,
Richard Hughes
    // StringExtensions.cs - the extension method that doubles single quotes
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;

    namespace WebApplication1.Code
    {
        public static class StringExtensions
        {
            // Doubles every single quote so the value can sit inside a
            // '...' string literal without closing it early.
            public static string MakeSQLSafe(this String s)
            {
                if (String.IsNullOrEmpty(s))
                    return s;
                string str = s.Replace("'", "''");
                return str;
            }
        }
    }

    // Default.aspx.cs - code-behind that applies the extension method to a TextBox value
    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.UI;
    using System.Web.UI.WebControls;
    using WebApplication1.Code;

    namespace WebApplication1
    {
        public partial class _Default : System.Web.UI.Page
        {
            protected void Page_Load(object sender, EventArgs e)
            {
                // textName is the TextBox declared in Default.aspx below
                string name = this.textName.Text.MakeSQLSafe();
                // now name is safe from SQL injection attacks
            }
        }
    }
    <%@ Page Title="Home Page" Language="C#" MasterPageFile="~/Site.master" AutoEventWireup="true"
        CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>
    <asp:Content ID="HeaderContent" runat="server" ContentPlaceHolderID="HeadContent">
    </asp:Content>
    <asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
        <asp:TextBox ID="textName" runat="server"></asp:TextBox>
    </asp:Content>
Ideally, use stored procedures to access data and pass data as parameters. If you build inline SQL, then specify parameters for any user input data.
If you cannot do that, make sure that any user input string used in building a SQL string is escaped for the ' character with
    MyString.Replace("'", "''")
i.e. replace ' with '' (a single quote is replaced by two single quotes).
I ALWAYS follow these two rules:
1. ALWAYS use parameters for your queries:
Example:
    SqlCommand cm = new SqlCommand("INSERT dbo.MyTable (Text) VALUES (@pText)", myConnection);
    cm.Parameters.Add("pText", SqlDbType.VarChar, 50).Value = "My user unsafe input";
    cm.ExecuteNonQuery();
The SqlCommand class will take care of the security of this input, converting this to a literal.
2. When you display data from your DB to HTML, ALWAYS encode it by using Server.HtmlEncode("My unsafe user text")
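The two rules above, side by side with the inline-SQL pattern they replace, as an added example that is not code from anyone in this thread. It assumes a hypothetical page with a textName TextBox and a litResults Literal, a dbo.Customers table with Id, Name and Bio columns, and a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
namespace WebApplication1
{
    public partial class Search : Page
    {
        // Placeholder; put your real connection string in web.config instead.
        private const string ConnString = "<your connection string>";
        // VULNERABLE: user text is pasted into the statement, so whatever the
        // user types becomes part of the SQL the server runs.
        private DataTable SearchUnsafe(string name)
        {
            string sql = "SELECT Id, Name, Bio FROM dbo.Customers WHERE Name = '" + name + "'";
            using (var cn = new SqlConnection(ConnString))
            using (var da = new SqlDataAdapter(sql, cn))
            {
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
        // SAFE (rule 1): the statement text is fixed; the user value travels as a
        // typed parameter and cannot alter the query's structure, quotes or not.
        private DataTable SearchSafe(string name)
        {
            const string sql = "SELECT Id, Name, Bio FROM dbo.Customers WHERE Name = @name";
            using (var cn = new SqlConnection(ConnString))
            using (var cm = new SqlCommand(sql, cn))
            using (var da = new SqlDataAdapter(cm))
            {
                cm.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
                var dt = new DataTable();
                da.Fill(dt);
                return dt;
            }
        }
        protected void Page_Load(object sender, EventArgs e)
        {
            foreach (DataRow r in SearchSafe(textName.Text).Rows)
            {
                // Rule 2: HtmlEncode DB content on output, so a <script> tag that
                // was written into the table renders as text instead of running.
                litResults.Text += "<p>" + Server.HtmlEncode((string)r["Bio"]) + "</p>";
            }
        }
    }
}
```

Replacing every SearchUnsafe-style method with the parameterized form stops new rows from being injected; the HtmlEncode call keeps any script already stored in the tables from executing in visitors' browsers while the data is cleaned up.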
ASKER
Thanks for help
http://www.codeproject.com/KB/database/SqlInjectionAttacks.aspx
Secure Your ASP.NET Application from a SQL Injection Attack
http://blogs.ittoolbox.com/windows/rishi/archives/secure-your-aspnet-application-from-a-sql-injection-attack-15364
SQL Injection Attacks by Example - Introduction
http://www.developerfusion.co.uk/show/4656/