
Thread: ASP.net SQL injection

  1. #1
    Join Date
    Aug 2008
    Location
    KL
    Posts
    83
    Rep Power
    132

    ASP.net SQL injection

    Hi,

    any sugestion/tip/theory to prevent this?

  2. #2
    Join Date
    Mar 2008
    Location
    pd
    Posts
    497
    Rep Power
    146
    In Java and PHP the first tip to prevent SQL injection is to use 'prepared statements'. I haven't written any ASP for more than 10 years, so maybe this code at forums.asp.net is useful for you:

    Prepared statements for MySql - ASP.NET Forums

    This code at Expert Sexchange looks like it's an example of the kind of code that would suffer from injection:

    Insert data is database using Prepared Statement in VB.Net : prepared, statement

    If you find yourself constructing SQL statements by concatenating constant strings and variables, you're running a risk of SQL injection.

    Wikipedia calls them parameterized statements:
    SQL injection - Wikipedia, the free encyclopedia

  3. #3
    Join Date
    Sep 2005
    Location
    in my body lar...
    Posts
    1,325
    Rep Power
    0
    The best way is to avoid validating the password with a single SQL line.

    Don't use:
    SELECT * FROM USERTABLE WHERE USERNAME='XXXX' AND PASSWORD = 'YYYY'

    Instead, query the records out and do a normal comparison via an IF THEN ELSE statement.

    Another thing you can do is limit the password and user name to characters (a-z, A-Z) plus numbers (0-9) only. All other characters like "= ' & / \ % # ;" are considered invalid.

    So before you fire up your SQL statement to validate, you can check whether the values entered (in the form fields) contain invalid characters or not. If they do, you can kick them out.
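    Added example, not code from any post in this thread: the login query discussed above written both ways, the concatenated form from the post and a parameterized form of the kind post #2 recommends, run against an in-memory SQLite database through the Microsoft.Data.Sqlite NuGet package (an assumption chosen so the program runs offline; SqlCommand and MySqlCommand accept the same @name parameters). It also applies the letters-and-digits whitelist the poster describes before any query runs. The table, the row and the attacker string are constructed for the demo; the plaintext PASSWORD column mirrors the shape of the query in the post, not a recommended way to store passwords.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Data.Sqlite;   // assumed package: dotnet add package Microsoft.Data.Sqlite

class LoginDemo
{
    // Vulnerable: user input is concatenated into the SQL text, so a quote in the
    // input changes the structure of the statement.
    static bool LoginConcat(SqliteConnection db, string user, string pass)
    {
        var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM USERTABLE WHERE USERNAME='" + user +
                          "' AND PASSWORD='" + pass + "'";
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // Hardened: the SQL text is fixed; the values travel as bound parameters and
    // are compared as data, never parsed as SQL.
    static bool LoginParam(SqliteConnection db, string user, string pass)
    {
        var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM USERTABLE WHERE USERNAME=@u AND PASSWORD=@p";
        cmd.Parameters.AddWithValue("@u", user);
        cmd.Parameters.AddWithValue("@p", pass);
        return Convert.ToInt64(cmd.ExecuteScalar()) > 0;
    }

    // The whitelist from the post: letters and digits only, everything else is rejected
    // before the database is touched.
    static readonly Regex AlnumOnly = new Regex("^[A-Za-z0-9]+$");
    static bool IsAlnum(string s) => AlnumOnly.IsMatch(s);

    static void Main()
    {
        using var db = new SqliteConnection("Data Source=:memory:");
        db.Open();

        // Constructed test data.
        var create = db.CreateCommand();
        create.CommandText = "CREATE TABLE USERTABLE(USERNAME TEXT, PASSWORD TEXT)";
        create.ExecuteNonQuery();
        var insert = db.CreateCommand();
        insert.CommandText = "INSERT INTO USERTABLE VALUES('alice', 's3cret')";
        insert.ExecuteNonQuery();

        // Constructed attacker input: closes the password literal and appends a
        // condition that is always true.
        string evilPass = "' OR '1'='1";

        Console.WriteLine("concat, real password:   " + LoginConcat(db, "alice", "s3cret"));
        Console.WriteLine("concat, injected input:  " + LoginConcat(db, "alice", evilPass));
        Console.WriteLine("param,  real password:   " + LoginParam(db, "alice", "s3cret"));
        Console.WriteLine("param,  injected input:  " + LoginParam(db, "alice", evilPass));
        Console.WriteLine("whitelist accepts input: " + IsAlnum(evilPass));
    }
}
```

    Run it with `dotnet run` in a console project that references the package. The concatenated query accepts the injected string (the WHERE clause becomes `USERNAME='alice' AND PASSWORD='' OR '1'='1'`, and OR makes it true for every row), while the parameterized query rejects it because the whole string is compared against the PASSWORD column as a value. The whitelist check rejects the same string before a query is ever built; treat it as defence in depth, since the parameterized query is what actually removes the injection, and a whitelist this narrow also forbids legitimate password characters.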

  4. #4
    Join Date
    Dec 2001
    Posts
    73
    Rep Power
    213
    This is just an example of a safer way to query; this is C# code.

    Code:
    using System;
    using MySql.Data.MySqlClient;

    // Returns the number of rows updated, or 0 if the update failed.
    // The three values are bound as parameters and never become part of the SQL text.
    // `connection` (an open MySqlConnection) and Disconnect() are the poster's own members.
    public int UpdateRecord(string textfield, string textfield2, string textfield3)
    {
        MySqlCommand Query = new MySqlCommand(
            "UPDATE `table` SET `field` = @fieldvalue, `field2` = @fieldvalue2 WHERE `field3` = @fieldvalue3",
            connection);

        Query.Parameters.AddWithValue("@fieldvalue", textfield);
        Query.Parameters.AddWithValue("@fieldvalue2", textfield2);
        Query.Parameters.AddWithValue("@fieldvalue3", textfield3);

        try
        {
            int i = Query.ExecuteNonQuery();
            Disconnect();
            return i;
        }
        catch (Exception e)
        {
            Console.Error.WriteLine(e.Message);   // show errors
            Disconnect();
            return 0;
        }
    }

  5. #5
    Join Date
    Aug 2008
    Location
    KL
    Posts
    83
    Rep Power
    132
    I'm using ASP.NET 3.5. Instead of using direct SQL, I use LINQ. Is there any risk in using LINQ?
