RE: SQL Injection and XSS scripting

Posted on 2012-09-12
Last Modified: 2012-10-09

How can we make sure that the application is totally secure against SQL injection and cross-site scripting?

How can we make sure that we have prevented URL tampering within the application? What is the best approach to do so?

Is there any tool to test?

We have created an application in .NET following the MVC framework.

Question by: vikalgupta

    Accepted Solution

    Some points which need to be taken care of for avoiding SQL injection specifically include:

    1. Always use stored procedures when working with the database. (Never, ever use a query directly from your code, as it is surely prone to SQL injection.)
    2. Encrypt sensitive data (values like passwords, account numbers etc., or some info which is very critical; better keep it encrypted and always encrypt/decrypt it as per your requirement).
    3. Make use of parameterized queries, which force the developer to input some values, else the query won't execute.

    Some links which I found useful, on how to test for SQL Injection are as follows:

    I know you asked for a tool, and the above links mainly cover some methods to do it manually.
    Here is a link for a tool which might help you out:
    Also, a Firefox add-on for the same.

    But yes, please perform all the SQL injection-specific testing only in your test environment, after a proper backup of your database.

    Varun Shringarpure
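As an added example (an editor's illustration, not code from the original post or from the asker's application), here is the lookup the answer talks about written three ways in C# with System.Data.SqlClient: string concatenation, a parameterized query, and a stored-procedure call. The table Users(UserName, PasswordHash, Role), the procedure dbo.GetUserByName and the connection string are assumed names for the example and are not taken from the page.

```csharp
// Added example, not from the original post. Assumes a SQL Server table
// Users(UserName, PasswordHash, Role) and a stored procedure
// dbo.GetUserByName(@UserName NVARCHAR(256)); both names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;

public class UserRepository
{
    private readonly string _connectionString;

    public UserRepository(string connectionString)
    {
        _connectionString = connectionString;
    }

    // VULNERABLE: the request value is spliced into the SQL text.
    // Submitting   ' OR '1'='1' --   as the user name turns the WHERE clause into
    //   WHERE UserName = '' OR '1'='1' --'
    // so the input has become part of the statement's structure, not a value.
    public DataTable FindUserUnsafe(string userName)
    {
        string sql = "SELECT UserName, Role FROM Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            return Fill(cmd);
        }
    }

    // SAFE: the SQL text is a constant; the value is sent as a typed parameter and
    // cannot alter the statement, whatever quotes or comment markers it contains.
    public DataTable FindUser(string userName)
    {
        const string sql = "SELECT UserName, Role FROM Users WHERE UserName = @UserName";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            return Fill(cmd);
        }
    }

    // SAFE (with a caveat): a stored procedure called with CommandType.StoredProcedure
    // and a parameter. The procedure body must itself use the parameter directly;
    // if it built its own query with EXEC(@sql) from concatenated text, the call
    // would be just as injectable as FindUserUnsafe.
    public DataTable FindUserViaProc(string userName)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("dbo.GetUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            return Fill(cmd);
        }
    }

    // Opens the command's connection, executes it and loads the rows into a DataTable.
    private static DataTable Fill(SqlCommand cmd)
    {
        var table = new DataTable();
        cmd.Connection.Open();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }
}
```

A quick manual check in the test environment the answer recommends: call FindUserUnsafe and FindUser with the user name `' OR '1'='1' --`. The concatenated version returns every row in Users, the parameterized version returns none, because it looks for a user literally named `' OR '1'='1' --`. The same applies to point 1 of the answer: a stored procedure only protects you if its body does not rebuild the query from its arguments as dynamic SQL. For point 2, the assumed PasswordHash column is deliberate: passwords are stored as salted hashes rather than encrypted, since nothing ever needs to decrypt them.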

    Author Closing Comment

    Good answer
