We have an ASP.NET/C# website. Our developers are offshore in Asia and I just discovered they have been placing raw SQL on the site front end.
I am worried we are now vulnerable to SQL injection attacks. Does anyone know how I can detect vulnerabilities on the site and what is the best way to close the door on them?
Trying to detect the vulnerabilities from the front may help, but really you should be looking at the code, in particular all code that relates to DbCommand, SqlCommand, etc. The key point, as you clearly know, is never to concatenate user input into a query, but to parameterise it. There are good tools available that can make this parameterisation easy to do - or at least, easier than doing it manually. For example, if you have:
using (var cmd = conn.CreateCommand()) {
    // user-supplied id is concatenated straight into the SQL text: injectable
    cmd.CommandText = "delete from Orders where id = " + id;
    cmd.ExecuteNonQuery();
}
then a tool like dapper-dot-net will allow you to do things like:
// requires: using Dapper;  id is sent as a parameter, never spliced into the SQL text
conn.Execute("delete from Orders where id = @id", new { id });
which is less code, largely a copy-paste, but is fully injection-safe and allows query-plan re-use.
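To turn "look at the code" into a first pass over a code base, here is an added example (not from the answer above and not part of Dapper): a heuristic scanner that flags lines where SQL text handed to ADO.NET is built by string concatenation or interpolation. The regex patterns and the embedded sample source are constructed assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Heuristic code-review helper (added example, not from the page).
// A hit means "read this line", not "confirmed injection".
static class SqlConcatReview
{
    // Assumed sinks: places where SQL text reaches ADO.NET.
    static readonly Regex SqlSink = new Regex(
        @"(CommandText\s*=|new\s+(Sql|Db|OleDb|Odbc)Command\s*\(|\.Execute(NonQuery|Scalar|Reader)?\s*\()",
        RegexOptions.Compiled);
    // Assumed signs that the SQL string is assembled at runtime.
    static readonly Regex DynamicString = new Regex(
        @"""\s*\+|\+\s*""|\$""|string\.Format\s*\(|String\.Concat\s*\(",
        RegexOptions.Compiled);

    // Returns (1-based line number, trimmed line) for every suspicious line.
    public static List<(int Line, string Text)> Scan(string source)
    {
        var hits = new List<(int, string)>();
        var lines = source.Split('\n');
        for (int i = 0; i < lines.Length; i++)
        {
            string l = lines[i];
            if (SqlSink.IsMatch(l) && DynamicString.IsMatch(l))
                hits.Add((i + 1, l.Trim()));
        }
        return hits;
    }

    static void Main()
    {
        // Constructed sample: the vulnerable snippet from the answer, a
        // parameterised ADO.NET rewrite, and the Dapper form.
        const string sample = @"
using (var cmd = conn.CreateCommand()) {
    cmd.CommandText = ""delete from Orders where id = "" + id;   // flagged
    cmd.ExecuteNonQuery();
}
using (var cmd = conn.CreateCommand()) {
    cmd.CommandText = ""delete from Orders where id = @id"";     // not flagged
    cmd.Parameters.Add(new SqlParameter(""@id"", SqlDbType.Int) { Value = id });
    cmd.ExecuteNonQuery();
}
conn.Execute(""delete from Orders where id = @id"", new { id }); // not flagged
";
        foreach (var (line, text) in Scan(sample))
            Console.WriteLine($"line {line}: {text}");
    }
}
```

It misses SQL assembled across several lines or into a variable before it reaches the sink, so treat its output as a triage list for manual review of every DbCommand/SqlCommand use, not as proof either way.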
Have a look at Scrawlr or Acunetix.
These are tools to scan a website for vulnerabilities, especially SQL injection. Another way is to sign up with one of the PCI-DSS compliance companies. We use SecurityMetrics, and banks normally offer discounts on these.