EasyToHelp (South Africa) asked:
Can someone inject SQL code into an ASP.NET SqlDataSource?

Hi

I am currently refactoring our code on one of our applications and came across some ASP.NET <SqlDataSource> controls.

This is the code:

<asp:sqldatasource id="sds_Categories" runat="server"
    connectionstring="<%$ ConnectionStrings:Database %>"
    selectcommand="SELECT [SId], [Des] FROM [Categories] ORDER BY [seq]">
</asp:sqldatasource>

Could someone hack my database with this code?
Ryan Chong (Singapore):

You have to specifically define the selection criteria with parameters; that would increase the security of your connection.

Example:
<asp:sqldatasource id="sds_Categories" runat="server"
    connectionstring="<%$ ConnectionStrings:Database %>"
    selectcommand="SELECT [SId], [Des] FROM [Categories] where compareField = @Value ORDER BY [seq]">
</asp:sqldatasource>


When you're establishing the connection, you can add:
sds_Categories.SelectParameters.Add("@Value", yourValue);


Get the idea?
One can never trust user-entered data; you must always validate it.
ASKER CERTIFIED SOLUTION
Zberteoc (Canada):

Try to validate all the inputs from the user and filter them.

Also try to replace all special characters like ' ! -
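As posted, the SelectCommand in the question contains no user-supplied value, so there is nothing for an attacker to inject through that control; the risk appears only when the command text is assembled from request data. The code-behind below is an added example for this thread, not code from the question or from either answer. It shows both points the answers make: binding the value as a parameter (Ryan Chong's answer) and validating the input before the query runs (Zberteoc's answer), using the SqlDataSource Selecting event as the validation hook. The table and column names [Categories], [SId], [Des] and [seq] come from the question; the GroupId column, the query-string field g, the page class name, the connection string name Database and the "@" parameter prefix used by the SqlClient provider are assumptions.

```csharp
// Added example (not from the original thread). Assumes a Web Forms page whose
// markup declares only the control and wires the Selecting event, e.g.:
//
// <asp:SqlDataSource ID="sds_Categories" runat="server"
//     ConnectionString="<%$ ConnectionStrings:Database %>"
//     OnSelecting="sds_Categories_Selecting" />
//
// The command text and its parameter are set in code-behind so the safe and
// unsafe ways of doing that sit side by side.
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class CategoriesPage : Page   // class name is an assumption
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // INJECTABLE pattern, kept as a comment so the page never runs it: building
        // the statement text from request data lets the client change the SQL itself.
        // sds_Categories.SelectCommand =
        //     "SELECT [SId], [Des] FROM [Categories] WHERE [GroupId] = "
        //     + Request.QueryString["g"];

        // SAFE pattern: the statement text is a constant and the request value is
        // bound as a named parameter. SqlDataSource sends it as a DbParameter, so the
        // value can never be parsed as part of the statement.
        sds_Categories.SelectCommand =
            "SELECT [SId], [Des] FROM [Categories] WHERE [GroupId] = @GroupId ORDER BY [seq]";
        sds_Categories.SelectParameters.Clear();   // Page_Load runs on every request
        sds_Categories.SelectParameters.Add("GroupId", Request.QueryString["g"]);
    }

    // Selecting fires after the parameters are bound and just before the command
    // executes, so it is the last place to validate the value and refuse the query.
    // (With the default CancelSelectOnNullParameter=true a missing "g" already cancels
    // the select before this runs; the null checks below cover the explicit case.)
    protected void sds_Categories_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
    {
        // "@GroupId": assumes the SqlClient provider, which prefixes parameter names with "@".
        object raw = e.Command.Parameters["@GroupId"].Value;
        int groupId;
        if (raw == null || raw == DBNull.Value ||
            !int.TryParse(raw.ToString(), out groupId) || groupId <= 0)
        {
            // Invalid or missing input: cancel, so no statement reaches SQL Server.
            e.Cancel = true;
            return;
        }

        // Replace the raw string with the parsed integer so the parameter is sent typed
        // and the server does not have to convert it.
        e.Command.Parameters["@GroupId"].Value = groupId;
    }
}
```

The validation here is an allow-list (a positive integer), which is stronger than stripping characters such as quotes: the parameter binding makes the quote harmless, and the parse rejects anything that is not a plausible category group id regardless of which characters it contains.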