SQL Injection

Discussion in 'ASP .Net Security' started by A.M, Jan 21, 2004.

  1. A.M

    A.M Guest

    Hi,

    I have to check all textboxes in my web application for SQL injection.
    Is there any ready product that detects SQL injection patterns?
    A regular expression would also be helpful.

    Any help would be appreciated,
    Ali
     
    A.M, Jan 21, 2004
    #1

  2. It seems to me you would want to do two things here as there are two
    different problems:

    Check all of your SQL code to ensure that you are using parameterized
    queries
    Verify that your input contains only valid input based on what is being
    requested

    Parameterized queries in ADO.NET will prevent SQL injection attacks. If you
    are building queries by creating SQL strings on the fly, then you should
    concentrate on fixing that first. You can still use parameterized queries
    without stored procedures if you don't want to or can't use them.

    The next thing you want to do is ensure that your input conforms to what it
    should be. This will help prevent all sorts of other attacks besides SQL
    injection such as Cross Site Scripting.

    Validating input should be done based on what is allowed, not based on what
    is not allowed, so trying to look for signs of SQL injection in your inputs
    is the wrong way to go.

    Regular expressions are excellent tools for validating input, but they are
    "domain dependent", meaning that no one regular expression can validate any
    random text. It depends on what is required.

    http://www.regexlib.com/ is an excellent source of regular expressions,
    especially for .NET.

    The bottom line is that you need to carefully validate input AND make sure
    your database code is not susceptible to SQL injection. You shouldn't just
    do one or the other. Read "Writing Secure Code" and/or the "Code Secure"
    column on MSDN for more info.

    HTH,

    Joe K.

    "A.M" <> wrote in message
    news:...
    > Hi,
    >
    > I have to check all textboxes in my web application for SQL injection.
    > Is there any ready product that detects SQL injection patterns?
    > A regular expression would also be helpful.
    >
    > Any help would be appreciated,
    > Ali
    >
    >
     
    Joe Kaplan \(MVP - ADSI\), Jan 21, 2004
    #2
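    The two measures in Joe's reply side by side, as an added example that is not part of the original thread. It is written in Python against an in-memory SQLite database so it runs without a database server; in ADO.NET the equivalent of the `?` placeholder is a named parameter on `SqlCommand.Parameters` (e.g. `@username`). The table, rows, the injection payload and the username pattern (letters, digits, underscore, 3 to 20 characters) are all constructed here for illustration.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: two users in an in-memory SQLite table.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # The "building SQL strings on the fly" pattern: the textbox value is
    # spliced into the statement, so a quote in the input changes its meaning.
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Parameterized query: the value is bound by the driver and is never
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list pattern (assumed for this example): what a username IS allowed
# to look like, rather than a list of "suspicious" SQL fragments.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,20}$")


def is_valid_username(value):
    return USERNAME_RE.fullmatch(value) is not None


def lookup_safe(conn, username):
    # Both layers: reject input outside the allowed domain, then query
    # with a bound parameter anyway.
    if not is_valid_username(username):
        raise ValueError("username does not match the allowed pattern")
    return lookup_parameterized(conn, username)


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"          # constructed injection input
    print("concatenated:", lookup_vulnerable(db, payload))   # every row leaks
    print("parameterized:", lookup_parameterized(db, payload))  # no match
    print("validated:", is_valid_username(payload))           # False
```

    With the concatenated query the payload turns the WHERE clause into `username = 'x' OR '1'='1'` and returns every row; the parameterized query looks for a user literally named `x' OR '1'='1` and returns nothing. The regex is deliberately specific to usernames: a field holding free text or an e-mail address needs its own pattern, which is the "domain dependent" point above.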
