Re: SQL Injection Prevention


From: Valery Pryamikov (Valery_at_nospam.harper.no)
Date: 09/28/04


Date: Tue, 28 Sep 2004 10:07:52 +0200

Hi,
you may also check this blog post of mine:
http://www.harper.no/valery/PermaLink,guid,fe323df8-c0a3-435e-bcc8-ead99600c04e.aspx

-Valery.
http://www.harper.no/valery

"Shabam" <blislecp@hotmail.com> wrote in message
news:fPKdnQeVlOhLjsTcRVn-vw@adelphia.com...
I've read a few articles on ways to prevent SQL injection. I'd like your
opinion as to which is better. Or, if there's another way I've not heard
of, please suggest it. Thanks!

#1.
http://www.sitepoint.com/article/sql-injection-attacks-safe/5

Run user input through a function which strips quotes, so that user input of
"' or 1=1 --'" (minus the outside double quotes) turns into "'' or 1=1 --'".
Also, strip any user input that contains "select", "drop", ";", "--",
"insert", "delete", or "xp_".

Downside here is obviously that users will no longer be able to enter such
characters in the application.

#2.
http://www.uberasp.net/getarticle.aspx?id=46

Use parameterized SQL queries. This seems to me to be a better and more
elegant solution, as you don't have to actively look for strings to watch
for, and also, frequent use of them gives you the same benefit as with
stored procedures (only if the same parameters are re-used).

using System.Data;
using System.Data.SqlClient;

SqlConnection objConnection = new SqlConnection(_ConnectionString);
objConnection.Open();
// "User" is a reserved word in T-SQL, so the table name must be bracketed.
SqlCommand objCommand = new SqlCommand(
   "SELECT * FROM [User] WHERE Name = @Name AND Password = @Password",
   objConnection);
// The text box values are bound as typed parameters: they travel as data,
// never as part of the SQL text, so quotes or keywords in them are harmless.
objCommand.Parameters.Add("@Name", SqlDbType.NVarChar, 50).Value = NameTextBox.Text;
objCommand.Parameters.Add("@Password", SqlDbType.NVarChar, 50).Value = PasswordTextBox.Text;
SqlDataReader objReader = objCommand.ExecuteReader();
if (objReader.Read())
{
   ...
}
objReader.Close();
objConnection.Close();
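The two approaches from the post side by side, as an added example that is not part of the original thread: a constructed in-memory SQLite table stands in for the User table, and Python's sqlite3 module stands in for ADO.NET (both bind parameters the same way). It runs the post's own "' or 1=1 --'" input through string concatenation, through the quote-doubling filter of #1, and through a parameterized query (#2), and also shows that only the latter two cope with a legitimate name containing an apostrophe.

```python
import sqlite3


def make_db():
    """Constructed sample data: one in-memory table with two users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (name TEXT, password TEXT)")
    conn.execute("INSERT INTO user VALUES (?, ?)", ("alice", "s3cret"))
    conn.execute("INSERT INTO user VALUES (?, ?)", ("O'Brien", "pw"))
    return conn


def login_concat(conn, name, password):
    """Unprotected form: user input is spliced into the SQL text, so a quote
    in the input ends the literal and the rest is parsed as SQL."""
    sql = ("SELECT * FROM user WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def strip_quotes(value):
    """Approach #1 from the post: double every single quote so it stays a
    literal character (the keyword stripping from #1 is not shown)."""
    return value.replace("'", "''")


def login_filtered(conn, name, password):
    """Concatenation again, but with the #1 quote filter applied first."""
    sql = ("SELECT * FROM user WHERE name = '" + strip_quotes(name)
           + "' AND password = '" + strip_quotes(password) + "'")
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Approach #2: a parameterized query. The SQL text is fixed and the
    values are bound as data, so nothing in them is ever parsed as SQL."""
    sql = "SELECT * FROM user WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    probe = "' or 1=1 --'"          # the input quoted in the post
    print("concat    :", login_concat(db, probe, ""))    # True: any row matches
    print("filtered  :", login_filtered(db, probe, ""))  # False
    print("parameter :", login_param(db, probe, ""))     # False
    print("O'Brien   :", login_param(db, "O'Brien", "pw"))  # True
```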

