
I've got fields that are free-form text and allow just about any combination of numbers/symbols. What's the best way to validate these to prevent SQL Injection? Can I run a simple replace of tick marks? Is there a method out there I can plug in to use?


2 Answers


Just use parameterized queries! Check out this article here: http://www.functionx.com/aspnet/sqlserver/parameterized.htm


4 Comments

Parameterized queries are a line of defense, but you can still use them and leave yourself vulnerable. Check out this article: owasp.org/index.php/Guide_to_SQL_Injection and bookmark the OWASP site for all of your security questions. It's a very good place to learn.
@David: as far as I know, the only potential problem with parameterized queries or stored procedures is if you use dynamic SQL. "So, don't do that!".
@John Saunders - Absolutely! I just like to refer just about everyone with a security question to the OWASP site. For now it's the most comprehensive resource I've found on the topic.
@Erich 404 page not found.

There are various methods outlined here: How To: Protect From SQL Injection in ASP.NET

quote:

Countermeasures include using a list of acceptable characters to constrain input, using parameterized SQL for data access, and using a least privileged account that has restricted permissions in the database. Using stored procedures with parameterized SQL is the recommended approach because SQL parameters are type safe. Type-safe SQL parameters can also be used with dynamic SQL. In situations where parameterized SQL cannot be used, consider using character escaping techniques.

Validation controls can help, though run them server side, not client side. ASP.NET does have some protection built in also, but I wouldn't rely on it alone.
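The following is an added example, not code from either answer or from the linked articles. It shows the three approaches discussed above side by side: the unsafe string concatenation, the "just strip the tick marks" idea from the question, and the parameterized query (plus an allow-list check for a field that is not free-form). It uses Python's built-in sqlite3 module so it runs offline; the table contents are constructed for the demo, and the principle carries over unchanged to ADO.NET's SqlCommand/SqlParameter against SQL Server.

```python
"""Added example (not from the original answers): the same lookup written the
unsafe way, the 'strip the tick marks' way, and the parameterized way.
sqlite3 is used so the demo runs offline; ADO.NET SqlParameter behaves the same."""
import re
import sqlite3


def make_db():
    """Constructed sample table; the rows are made up for this demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("o'brien",)])
    return conn


def names(conn, sql, params=()):
    """Run a query and return the name column as a list."""
    return [row[0] for row in conn.execute(sql, params)]


# 1. Vulnerable: the free-form value is pasted straight into the SQL text.
def find_by_name_concat(conn, name):
    return names(conn, "SELECT name FROM users WHERE name = '" + name + "'")


# 2. "Just strip the tick marks": stops the classic quote break-out in a
#    quoted string context, but destroys legitimate data (o'brien) and does
#    nothing at all where the value is not quoted (numeric contexts).
def find_by_name_stripped(conn, name):
    cleaned = name.replace("'", "")
    return names(conn, "SELECT name FROM users WHERE name = '" + cleaned + "'")


def find_by_id_stripped(conn, user_id):
    # No quotes around a numeric literal, so there is nothing to break out
    # of; the attacker never needs a tick and the filter is irrelevant.
    cleaned = user_id.replace("'", "")
    return names(conn, "SELECT name FROM users WHERE id = " + cleaned)


# 3. Parameterized: the value never becomes part of the SQL text, so any
#    character combination is safe and real apostrophes survive intact.
def find_by_name_param(conn, name):
    return names(conn, "SELECT name FROM users WHERE name = ?", (name,))


def find_by_id_param(conn, user_id):
    # For a field that is NOT free-form, constrain it with an allow-list
    # first (digits only here), then still bind it as a typed parameter.
    if not re.fullmatch(r"[0-9]{1,9}", user_id):
        raise ValueError("id must be a decimal integer")
    return names(conn, "SELECT name FROM users WHERE id = ?", (int(user_id),))


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print(find_by_name_concat(db, attack))        # every row leaks
    print(find_by_name_stripped(db, attack))      # [] : break-out stopped...
    print(find_by_name_stripped(db, "o'brien"))   # [] : ...but a real user is now unfindable
    print(find_by_id_stripped(db, "1 OR 1=1"))    # every row leaks again, no tick needed
    print(find_by_name_param(db, attack))         # []
    print(find_by_name_param(db, "o'brien"))      # ["o'brien"]
    print(find_by_id_param(db, "1"))              # ['alice']
```

The point the question is really asking about is the second group: a tick-mark replace only addresses one SQL context, and it corrupts valid input. Binding the value as a parameter handles every context, and the allow-list check in `find_by_id_param` is the "list of acceptable characters" countermeasure from the second answer, applied where the field is not free-form.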
