Suggestions to prevent VICIOUS data input?

VB Programmer · Feb 2, 2006

Using ASP.NET 2.0/SQL Express....

In places where I allow data input by users (sign up forms, comments,
etc...) do I need to manually safeguard my site against vicious attacks (SQL
injection, etc...)? Should I just run all input thru a filter that removes
all special characters, like asterick, semicolon, etc...? Or, is this
handled internally so I don't have to worry about it? Any suggestions?

Thanks.

john smith · Feb 2, 2006

VB said:
Using ASP.NET 2.0/SQL Express....

In places where I allow data input by users (sign up forms, comments,
etc...) do I need to manually safeguard my site against vicious attacks (SQL
injection, etc...)? Should I just run all input thru a filter that removes
all special characters, like asterick, semicolon, etc...? Or, is this
handled internally so I don't have to worry about it? Any suggestions?

Thanks.

It depends... You can validate your form entries with regular
expressions (client side AND server side) and the like. Other than that,
the main thing is using parameterized queries - *NOT* string
concatenation to make your SQL queries (that's really asking for
trouble). That would be a good start

ASP.NET also does protect you to
some extent.

Damien · Feb 2, 2006

john said:
It depends... You can validate your form entries with regular
expressions (client side AND server side) and the like. Other than that,
the main thing is using parameterized queries - *NOT* string
concatenation to make your SQL queries (that's really asking for
trouble). That would be a good start ASP.NET also does protect you to
some extent.

What he said ^

Also, when using regular expressions, look for GOOD input, and reject
anything that doesn't match. Doing it the other way around, you're
bound to miss something...

Damien

Peter Blum · Feb 2, 2006

Hi, as part of your research, you should investigate a product I wrote that
handles SQL Injection and Cross Site Scripting attacks. It is VAM: Visual
Input Security. (http://www.peterblum.com/vise/home.aspx)

--- Peter Blum
www.PeterBlum.com
Email: (e-mail address removed)
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx

Asp.net Important Topics.	0	Jan 18, 2007
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	Jan 12, 2008
2.0 auth questions	3	Nov 1, 2006
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	May 1, 2007
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	Feb 15, 2007
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	Jan 15, 2007
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	Jul 1, 2006
comp.lang.c Answers (Abridged) to Frequently Asked Questions (FAQ)	0	Mar 1, 2008

Suggestions to prevent VICIOUS data input?

VB Programmer

john smith

Damien

Peter Blum

Ask a Question

Similar Threads

Members online

Forum statistics

Latest Threads