For email entry in a text box by the user I am doing a client-side check to find whether the email is valid or not:
string emailexist = "SELECT COUNT(DISTINCT UserID) as count FROM tbl_user WHERE Email=@Email ";
<asp:RegularExpressionValidator ID="RegularExpressionValidator2" ValidationGroup="Login" ControlToValidate="txtUserName"
ValidationExpression="\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" CssClass="Error"
runat="server" />
Is this regular expression good enough to prevent SQL injection for email?
Other Text:
string groupExistQuery = "SELECT COUNT(DISTINCT GroupID) as count FROM tbl_group WHERE GroupName=@GroupName";
I am doing a query on the server side to check whether the group name entered by the user is already available in the database; there is a strong possibility of SQL injection here. How should I prevent it?
In fact, you don't even need to be using ASP.NET to be susceptible to SQL injection attacks. Any application that queries a database using user-entered data, including Windows Forms applications, is a potential target of an injection attack. Protecting yourself against SQL injection attacks is not very difficult.
The only sure way to prevent SQL injection attacks is input validation combined with parameterized queries, including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
SQL injection attacks can be performed in Entity SQL by supplying malicious input to values that are used in a query predicate and in parameter names. To avoid the risk of SQL injection, you should never combine user input with Entity SQL command text.
SQL injection is a code injection technique that might destroy your database. SQL injection is one of the most common web hacking techniques. SQL injection is the placement of malicious code in SQL statements, via web page input.
A regex is unrelated to SQL injection (blacklisting etc. is never the strongest approach); however, the use of the parameter @Email means (assuming it remains parameterised) that it is not susceptible to SQL injection.
SQL injection relates to inappropriate concatenation of input; the main tool to fight it is parameters, which has already happened here.
For example, if you did:
var sql = "SELECT ...snip... WHERE Email='" + email + "'"; // BAD!!!!!
then that is heavily susceptible to SQL injection. By using a parameter, the value is not treated as part of the query, so the attacker does not have an attack vector.
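Applying the same parameterised approach to the group-name check from the question, as an added example (not code from the original question or answer): the class name GroupRepository, the method GroupExists, the connectionString argument and the parameter length of 100 are assumptions; the table and column names follow the question's query.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical helper for the group-name existence check described in the question.
public static class GroupRepository
{
    // Returns true if a group with the given name already exists in tbl_group.
    // The user-supplied name is bound as @GroupName and never spliced into the SQL text,
    // so quotes, comment markers or SQL keywords inside groupName are just data.
    public static bool GroupExists(string connectionString, string groupName)
    {
        const string groupExistQuery =
            "SELECT COUNT(DISTINCT GroupID) AS count FROM tbl_group WHERE GroupName = @GroupName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(groupExistQuery, conn))
        {
            // Explicitly typed, fixed-length parameter (assumed length 100):
            // matches the column type so the plan cache is not polluted and
            // over-long input is rejected by the driver rather than truncated silently.
            cmd.Parameters.Add("@GroupName", SqlDbType.NVarChar, 100).Value = groupName;

            conn.Open();
            // COUNT(...) comes back as an int in SQL Server.
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // The pattern the answer warns against, kept only for contrast with the method above.
    // A group name such as O'Brien breaks the statement, and crafted input changes its meaning.
    public static string UnsafeGroupExistQuery(string groupName)
    {
        return "SELECT COUNT(DISTINCT GroupID) AS count FROM tbl_group WHERE GroupName = '"
               + groupName + "'"; // BAD: user input concatenated into SQL text
    }
}
```

Length validation of the group name (for example via a RegularExpressionValidator as in the question) is still worth doing for data quality, but it is the parameter, not the regex, that removes the injection risk.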