Menu
I'm looking to make my site secure against SQL injection attacks. Does anyone have any good links to make the site secure against these types of attacks in an ASP.NET site (c#, web forms)?
EDIT:
I should point out at I am using the Entity Framework
428
The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
1Locate the Vulnerable Code The first step in recovering from a SQL injection attack is to identify where the vulnerability is located. You can manually launch an attack or run an automated SQL injection attack tool like Havij, SQLmap, or jSQL to identify vulnerable code.
The most common other locations where SQL injection arises are: In UPDATE statements, within the updated values or the WHERE clause. In INSERT statements, within the inserted values. In SELECT statements, within the table or column name.
The first and best line of defense is to not use dynamic SQL.
Always use parameterized queries.
Take a look at the OWASP page about SQL Injection.
67
See these resources:
How To: Protect From SQL Injection in ASP.NET (MSDN)
Data Security: Stop SQL Injection Attacks Before They Stop You
SQL Injection Attacks and Some Tips on How to Prevent Them
Preventing SQL Injection in ASP.NET
Basically, as Oded already pointed out, it boils down to stop concatenating together your SQL statements - especially if that involves data entered by user's into textboxes - and use parametrized queries in ADO.NET.
25
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
