SQL Injection

Discussion in 'ASP .Net Security' started by Arne, Aug 8, 2005.

  1. Arne

    Arne Guest

    Will the code below protect me from SQL injection in an ASP.Net page?
    Dim cmd As New SqlCommand() ' a SqlConnection must be assigned before executing
    Dim prm As SqlParameter
    Dim salary As String
    cmd.CommandText = "select salary from employee where name=@name"
    prm = New SqlParameter("@name", name.text)
    cmd.Parameters.Add(prm)
    ' ExecuteScalar returns the first column of the first row; ExecuteNonQuery only returns a row count
    salary = Convert.ToString(cmd.ExecuteScalar())
    Arne, Aug 8, 2005
    #1

  2. Arne

    Cactus Corp. Guest

    "Arne" <> wrote in message news:...
    > Will the code below protect me from SQL injection in an ASP.Net page?
    > Dim cmd As SqlCommand
    > Dim prm As SqlParameter
    > Dim salary As String
    > cmd.CommandText = "select salary from employee where name=@name"
    > prm = New SqlParameter("@name", name.text)
    > cmd.Parameters.Add(prm)
    > salary = cmd.ExecuteNonQuery


    It should.

    But it should not be used as a mitigation technique; the name.text
    value should first be checked against your acceptance rules.

    Best practice would be to make a global static method, checking the
    validity of an input against a regular expression.

    ' anchored so the whole input must match, not just a substring of it
    If (SecurityUtils.IsInputValid(name.Text, "^[a-zA-Z]{1,30}$")) Then
    ...do something
    End If

    antoine
    Cactus Corp., Aug 8, 2005
    #2

  3. Hello Arne,

    Yes.

    Besides that, this code sample implies that this application can retrieve
    the salary of an arbitrary user in your database...

    ---------------------------------------
    Dominick Baier - DevelopMentor
    http://www.leastprivilege.com

    > Will the code below protect me from SQL injection in an ASP.Net page?
    > Dim cmd As SqlCommand
    > Dim prm As SqlParameter
    > Dim salary As String
    > cmd.CommandText = "select salary from employee where name=@name"
    > prm = New SqlParameter("@name", name.text)
    > cmd.Parameters.Add(prm)
    > salary = cmd.ExecuteNonQuery
    Dominick Baier [DevelopMentor], Aug 8, 2005
    #3
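    Pulling the advice in replies #2 and #3 together, here is an added example (not code from any poster) of the validated, parameterised lookup in VB.NET: SecurityUtils is the helper antoine describes, implemented here with an anchored Regex; the connection string, the employee/salary schema and the caller passing the authenticated user's name are assumptions.

```vb
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions

Public NotInheritable Class SecurityUtils
    ' Allowlist check: the whole input must match the pattern, not just a substring.
    Public Shared Function IsInputValid(input As String, pattern As String) As Boolean
        If input Is Nothing Then Return False
        Return Regex.IsMatch(input, "^(?:" & pattern & ")$")
    End Function
End Class

Public Class SalaryLookup
    ' Connection string is supplied by the caller (assumed, e.g. from web.config).
    Private ReadOnly _connectionString As String

    Public Sub New(connectionString As String)
        _connectionString = connectionString
    End Sub

    ' Returns the salary for employeeName, or Nothing when no row matches.
    ' The value never becomes part of the SQL text: it travels as a typed
    ' parameter, and the allowlist rejects implausible names before any query runs.
    Public Function GetSalary(employeeName As String) As Decimal?
        If Not SecurityUtils.IsInputValid(employeeName, "[a-zA-Z]{1,30}") Then
            Throw New ArgumentException("Employee name failed validation.", "employeeName")
        End If

        Using conn As New SqlConnection(_connectionString)
            Using cmd As New SqlCommand("select salary from employee where name = @name", conn)
                ' Explicit type and length: the server sees data, never SQL.
                cmd.Parameters.Add("@name", SqlDbType.NVarChar, 30).Value = employeeName
                conn.Open()
                ' ExecuteScalar returns the first column of the first row;
                ' ExecuteNonQuery would only return the number of affected rows.
                Dim result As Object = cmd.ExecuteScalar()
                If result Is Nothing OrElse result Is DBNull.Value Then Return Nothing
                Return Convert.ToDecimal(result)
            End Using
        End Using
    End Function
End Class
```

    To address Dominick's point, the page code-behind would call GetSalary(User.Identity.Name) rather than GetSalary(name.Text) (assuming the employee name column holds the login name), so a user can only retrieve their own salary.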
