I've got fields that are free-form text and allow just about any combination of numbers/symbols. What's the best way to validate these to prevent SQL Injection? Can I run a simple replace of tick marks? Is there a method out there I can plug in to use?

+8  A: 

Just use parameterized queries! Check out this article here: http://www.functionx.com/aspnet/sqlserver/parameterized.htm

Erich
Parameterized queries are a line of defense, but you can still use them and leave yourself vulnerable. Check out this article: http://www.owasp.org/index.php/Guide_to_SQL_Injection and bookmark the OWASP site for all of your security questions. It's a very good place to learn.
David Stratton
@David: as far as I know, the only potential problem with parameterized queries or stored procedures is if you use dynamic SQL. "So, don't _do_ that!".
John Saunders
@John Saunders - Absolutely! I just like to refer just about everyone with a security question to the OWASP site. For now it's the most comprehensive resource I've found on the topic.
David Stratton
+1  A: 

There are various methods outlined here: How To: Protect From SQL Injection in ASP.NET

quote:

Countermeasures include using a list of acceptable characters to constrain input, using parameterized SQL for data access, and using a least privileged account that has restricted permissions in the database. Using stored procedures with parameterized SQL is the recommended approach because SQL parameters are type safe. Type-safe SQL parameters can also be used with dynamic SQL. In situations where parameterized SQL cannot be used, consider using character escaping techniques.

Validation controls can help, though run them server side, not client side. ASP.NET does have some protection built in also, but I wouldn't rely on it alone.

tjmoore
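To make concrete what both answers recommend (parameterized SqlCommand, a typed stored-procedure call, and a least-privileged database account), here is an added C# example that is not from the question, the answers, or the linked articles. The table, column and procedure names (Customers, Name, dbo.FindCustomerByName), the connection string and the sample input are all constructed placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CustomerSearch
{
    // VULNERABLE: the free-form value is spliced into the SQL text, so a tick mark
    // ends the literal and whatever follows is parsed as SQL. Shown for contrast only.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT Id, Name FROM Customers WHERE Name = '" + name + "'";
    }

    // SAFE: the SQL text is fixed; the user value travels as a typed parameter and is
    // never parsed as SQL, so ticks, semicolons and comment markers are just characters.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand(
            "SELECT Id, Name FROM Customers WHERE Name = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    // Same idea with a stored procedure (assumed name: dbo.FindCustomerByName):
    // the parameter is still typed, and the procedure must not build dynamic SQL from it.
    public static SqlCommand BuildProcCommand(SqlConnection conn, string name)
    {
        var cmd = new SqlCommand("dbo.FindCustomerByName", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample input containing a tick mark, as in the question.
        string input = "O'Brien";
        Console.WriteLine(BuildUnsafeSql(input)); // literal is broken: ...Name = 'O'Brien'

        // Placeholder connection string; in practice use an account limited to EXECUTE on
        // the needed procedures (no DDL or ownership rights), as the second answer advises.
        using (var conn = new SqlConnection("Server=PLACEHOLDER_SERVER;Database=PLACEHOLDER_DB;Integrated Security=SSPI"))
        using (var cmd = BuildSafeCommand(conn, input))
        {
            Console.WriteLine(cmd.CommandText);                 // SQL text unchanged by the input
            Console.WriteLine(cmd.Parameters["@name"].Value);   // O'Brien, carried as data
        }
    }
}
```

Running Main shows the unsafe string with its broken quoting next to the parameterized command whose CommandText never changes, which is why the tick-mark replacement the question asks about is unnecessary once parameters are used.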