How can I avoid SQL injection attacks in my ASP.NET application?

by

Even though your question is very generic, a few rules always apply:

  • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
  • Don’t build SQL strings out of unchecked user input.
  • Don’t assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
  • Check for second-level vulnerabilites – don’t build SQL query strings out of SQL table values if these values consist of user input.
  • Use stored procedures to encapsulate database operations.

More Related Contents:

  1. Parameterized Queries with LIKE and IN conditions
  2. Does using parameterized SqlCommand make my program immune to SQL injection?
  3. Does this code prevent SQL injection?
  4. User Group and Role Management in .NET with Active Directory
  5. Is Response.End() considered harmful?
  6. SQL Identity (autonumber) is Incremented Even with a Transaction Rollback
  7. How can I get my webapp’s base URL in ASP.NET MVC?
  8. New asp.net charting controls – will they work with MVC (eventually)?
  9. SELECT * FROM X WHERE id IN (…) with Dapper ORM
  10. GZip Compression On IIS 7.5 is not working
  11. Using “GO” within a transaction
  12. Inheritance security rules violated while overriding member – SecurityRuleSet.Level2
  13. Could not find any resources appropriate for the specified culture or the neutral culture
  14. How to create a CheckBoxListFor extension method in ASP.NET MVC?
  15. How to build RUNAS /NETONLY functionality into a (C#/.NET/WinForms) program?
  16. Preventing SQL Injection in ASP.Net
  17. Control.ResolveUrl versus Control.ResolveClientUrl versus VirtualPathUtility.ToAbsolute
  18. ASP.NET MVC 3 Model Binding Resources
  19. FileUpload control inside an UpdatePanel without refreshing the whole page?
  20. How can I create database tables from XSD files?
  21. ASP.NET Web Forms and ASP.NET Web Pages
  22. Is “Code Access Security” of any real world use?
  23. ASP.NET strange compilation error
  24. What’s the different between ASP.NET AJAX pageLoad() and JavaScript window.onload?
  25. Regular expression to find all table names in a query
  26. How to securely store a connection string in a WinForms application?
  27. Memory randomization as application security enhancement?
  28. What does {“d”:””} means in asp.net webservice response
  29. Managing complex Web.Config files between deployment environments
  30. Integrate existing ASP.NET MVC application with Orchard CMS

Leave a Comment