SQL Injection

 
 
A.M
01-21-2004
Hi,

I have to check all textboxes in my web application for SQL injection.
Is there any ready product that detects SQL injection patterns?
A regular expression also would be helpful.

Any help would be appreciated,
Ali


 
Joe Kaplan (MVP - ADSI)
01-21-2004
It seems to me you would want to do two things here as there are two
different problems:

1. Check all of your SQL code to ensure that you are using parameterized
   queries
2. Verify that your input contains only valid input based on what is being
   requested

Parameterized queries in ADO.NET will prevent SQL injection attacks. If you
are building queries by creating SQL strings on the fly, then you should
concentrate on fixing that first. You can still use parameterized queries
without stored procedures if you don't want to or can't use them.

The next thing you want to do is ensure that your input conforms to what it
should be. This will help prevent all sorts of other attacks besides SQL
injection such as Cross Site Scripting.

Validating input should be done based on what is allowed, not based on what
is not allowed, so trying to look for signs of SQL injection in your inputs
is the wrong way to go.

Regular expressions are excellent tools for validating input, but they are
"domain dependent", meaning that no one regular expression can validate any
random text. It depends on what is required.

http://www.regexlib.com/ is an excellent source of regular expressions,
especially for .NET.

The bottom line is that you need to carefully validate input AND make sure
your database code is not susceptible to SQL injection. You shouldn't just
do one or the other. Read "Writing Secure Code" and/or the "Code Secure"
column on MSDN for more info.

HTH,

Joe K.

"A.M" wrote in message:
> Hi,
>
> I have to check all textboxes in my web application for SQL injection.
> Is there any ready product that detects SQL injection patterns?
> A regular expression also would be helpful.
>
> Any help would be appreciated,
> Ali
>
>
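
The two measures described in the reply above, sketched in C# as an added example (not code from the thread): an allow-list check for one field, followed by a parameterized ADO.NET command. The `Customers` table, its columns, the last-name field and its 50-character limit are assumptions for illustration; the command is built but not executed, so no database connection is needed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient; // assumption: .NET Framework; on .NET Core add the System.Data.SqlClient package
using System.Text.RegularExpressions;

static class CustomerLookup
{
    // Allow-list for one specific field (a hypothetical "last name" textbox):
    // starts with a letter, then letters, spaces, apostrophes or hyphens, 50 chars max.
    // \z (not $) so a trailing newline cannot slip through.
    static readonly Regex LastNamePattern =
        new Regex(@"^[\p{L}][\p{L} '\-]{0,49}\z", RegexOptions.CultureInvariant);

    public static bool IsValidLastName(string input)
    {
        return input != null && LastNamePattern.IsMatch(input);
    }

    // The SQL text is a constant; the user's value travels separately as a
    // typed parameter and is never spliced into the statement.
    public static SqlCommand BuildQuery(string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name contains characters that are not allowed.");

        var cmd = new SqlCommand(
            "SELECT CustomerId, LastName FROM Customers WHERE LastName = @lastName");
        cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 50).Value = lastName;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: two legitimate names, one hostile string, one empty.
        string[] samples = { "O'Brien", "Smith-Jones", "x' OR '1'='1", "" };
        foreach (string s in samples)
        {
            try
            {
                using (SqlCommand cmd = BuildQuery(s))
                    Console.WriteLine("accepted: [{0}] -> {1} (parameter value: {2})",
                        s, cmd.CommandText, cmd.Parameters["@lastName"].Value);
            }
            catch (ArgumentException)
            {
                Console.WriteLine("rejected: [{0}]", s);
            }
        }
    }
}
```

`O'Brien` passes the allow-list yet contains an apostrophe that would break a concatenated SQL string, which is why validation and parameterization are both needed rather than one or the other.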



 