Velocity Reviews - Computer Hardware Reviews

Avoiding SQL Injection with FormView controls

Cirene
Guest
      05-10-2008
I am using formview controls to insert/update info into my tables.

I'm worried about SQL injection.

How do you recommend I overcome this issue?

In the past I've called a custom cleanup routine like this:
Public Function CleanUpText(ByVal TextToClean As String) As String
    ' String.Replace is an ordinal, case-sensitive substring replacement,
    ' so each line below matches only the exact spelling written here.
    TextToClean = TextToClean.Replace(";", ".")
    TextToClean = TextToClean.Replace("*", " ")
    TextToClean = TextToClean.Replace("=", " ")
    TextToClean = TextToClean.Replace("'", " ")
    TextToClean = TextToClean.Replace("""", " ")
    ' "=" has already been replaced above, so "1=1" can no longer be present here.
    TextToClean = TextToClean.Replace("1=1", " ")
    TextToClean = TextToClean.Replace(">", " ")
    TextToClean = TextToClean.Replace("<", " ")
    ' Likewise "<" and ">" are already gone, so "<>" never matches.
    TextToClean = TextToClean.Replace("<>", " ")
    TextToClean = TextToClean.Replace("null", " ")
    ' Keyword list: an underscore is prefixed wherever the substring occurs,
    ' including inside ordinary words ("username" becomes "_username").
    TextToClean = TextToClean.Replace("delete", "_delete")
    TextToClean = TextToClean.Replace("remove", "_remove")
    TextToClean = TextToClean.Replace("copy", "_copy")
    TextToClean = TextToClean.Replace("table", "_table")
    TextToClean = TextToClean.Replace("drop", "_drop")
    TextToClean = TextToClean.Replace("select", "_select")
    TextToClean = TextToClean.Replace("user", "_user")
    TextToClean = TextToClean.Replace("create", "_create")

    Return TextToClean
End Function

What do you think of this method? Is it kludgy?


Lloyd Sheen
Guest
      05-10-2008


If you want to avoid SQL injection use parameters.

LS

Alex Meleta
Guest
      05-10-2008
Hi Cirene,

Here's how to prevent it: http://msdn.microsoft.com/en-us/library/ms998271.aspx

And, in agreement with Lloyd, what is your function for?

Regards, Alex

Milosz Skalecki [MCAD]
Guest
      05-10-2008
Hi Cirene,

You don't need to waste your time writing "CleanUpText"-like methods; use
parameters instead, as they take care of SQL injection internally (one of many
advantages of using parameters):

using System;
using System.Data;
using System.Data.SqlClient;

// ConnectionString is assumed to be defined elsewhere (e.g. read from web.config).
using (SqlConnection connection = new SqlConnection(ConnectionString))
{
    // @Id is a placeholder in the statement text; the value is sent separately.
    using (SqlCommand command = new SqlCommand("SELECT * FROM Table WHERE Id = @Id", connection))
    {
        // Typed parameter: a value that cannot be converted to int fails on the
        // client, before any SQL runs.
        command.Parameters.Add("@Id", SqlDbType.Int).Value = 1;
        connection.Open();

        using (SqlDataReader reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                int value1 = (int) reader["Column1"];
                // etc.
            }
        }
    }
}

HTH
--
Milosz

jaems
Guest
      05-11-2008

So how exactly does using parameters prevent injection - ie what does the
code in command.Parameters.Add do?

Jaez

Cirene
Guest
      05-12-2008
Is the "automatic" way (using the GUI) just as safe as a stored proc, or
should I validate extra to be safe? (Ex: drop a GridView on the form, create a SQL
Data Source with the wizard, etc...)
Paul Shapiro
Guest
      05-12-2008
Parameters protect against sql injection because the parameter value is
passed to the sql server. The server uses the parameter value directly when
processing the query, and does not just substitute the parameter into the
sql statement text. Data values that would enable sql injection will instead
either cause query errors or where clause matching failure.
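The mechanism Paul describes, with Milosz's bound-parameter lookup placed beside a port of the posted CleanUpText routine, as an added example that is not part of the thread. It is written in Python against the sqlite3 module so that it runs offline; sqlite3 stands in for ADO.NET / SQL Server, its `?` placeholder plays the role of `@Id` in SqlCommand, and the Accounts table, its rows and the sample inputs are constructed here for the demonstration.

```python
"""Blacklist clean-up versus a bound parameter, side by side.

Python's sqlite3 module stands in for ADO.NET / SQL Server here: in both,
the statement text and the parameter values travel separately, and the
engine never parses a bound value as SQL. The table and rows are
constructed sample data for this example.
"""
import sqlite3

# Port of the posted VB CleanUpText routine: same replacements, same order.
# String.Replace in .NET, like str.replace, is an ordinal, case-sensitive match.
_REPLACEMENTS = [
    (";", "."), ("*", " "), ("=", " "), ("'", " "), ('"', " "),
    ("1=1", " "), (">", " "), ("<", " "), ("<>", " "), ("null", " "),
    ("delete", "_delete"), ("remove", "_remove"), ("copy", "_copy"),
    ("table", "_table"), ("drop", "_drop"), ("select", "_select"),
    ("user", "_user"), ("create", "_create"),
]


def clean_up_text(text: str) -> str:
    """Blacklist filter: mangles legitimate input and matches only exact spellings."""
    for old, new in _REPLACEMENTS:
        text = text.replace(old, new)
    return text


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed Accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (Id INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def lookup_concatenated(conn: sqlite3.Connection, account_id: str) -> list:
    """The pattern the thread warns against: filter, then splice into the SQL text.

    Whatever survives the filter becomes part of the statement the engine
    parses, so the input can still change the shape of the WHERE clause.
    """
    sql = ("SELECT Name FROM Accounts WHERE Id = "
           + clean_up_text(account_id) + " ORDER BY Id")
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn: sqlite3.Connection, account_id: str) -> list:
    """What Lloyd, Milosz and Paul recommend: the value is bound, not parsed.

    The statement text is fixed; the engine receives the raw value and can
    only ever compare it against Id. (In ADO.NET you would also declare the
    parameter as SqlDbType.Int, as in Milosz's snippet, so a non-integer
    fails conversion on the client before any SQL runs.)
    """
    sql = "SELECT Name FROM Accounts WHERE Id = ? ORDER BY Id"
    return [row[0] for row in conn.execute(sql, (account_id,))]


def store_and_read_back(conn: sqlite3.Connection, name: str) -> str:
    """Parameterized INSERT: characters the blacklist would strip are stored intact."""
    cur = conn.execute("INSERT INTO Accounts (Name) VALUES (?)", (name,))
    row = conn.execute("SELECT Name FROM Accounts WHERE Id = ?",
                       (cur.lastrowid,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    # 1. The filter damages ordinary data and is blind to other spellings.
    for sample in ("O'Brien", "username", "SELECT", "1=1"):
        print(f"clean_up_text({sample!r}) -> {clean_up_text(sample)!r}")
    # 2. Constructed input with no character or keyword on the blacklist:
    #    it passes the filter untouched and still rewrites the concatenated query.
    payload = "1 OR 1 LIKE 1"
    print("concatenated :", lookup_concatenated(db, payload))
    print("parameterized:", lookup_parameterized(db, payload))
    # 3. The bound value is stored verbatim, apostrophe and all.
    print("stored       :", store_and_read_back(db, "O'Brien"))
```

Run it directly to see the three comparisons. The two things the blacklist cannot do, and the bound parameter does for free, are visible side by side: the filter corrupts legitimate data ("O'Brien", "username") while the parameterized INSERT stores it intact, and anything the filter does not recognise is spliced straight into the statement, whereas the bound value can only ever be compared against the Id column, which is exactly Paul's point that a hostile value produces a query error or a non-matching WHERE clause rather than a different query.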
Milosz Skalecki [MCAD]
Guest
      05-12-2008
Hi there,

Usually you use gridview, and formview in conjunction with SqlDataSource
which employs Parameters internally.

Regards
--
Milosz
