I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?
A:
Try to use Stored Procedures, and validate the input on your data. Do not use any direct SQL like INSERT INTO ...
MysticSlayer
2008-11-20 11:52:39
Stored Procedures have nothing to do with it, you can execute a SP in an insecure way by not parameterizing the call.
Flory
2008-11-20 16:39:00
+14
A:
Use Prepared Statements (link to an ASP.NET tutorial that uses prepared statements in the 'To add nodes for products' section). that's all there is to it.
Well, that or use an ORM, like Linq to SQL or NHibernate, they internally use prepared statements.
Vinko Vrsalovic
2008-11-20 11:57:59
+12
A:
Even though your question is very generic, a few rules always apply:
- Use parameterized queries (
SqlCommandwithSqlParameter) and put user input into parameters. - Don't build SQL strings out of unchecked user input.
- Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
- Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
- Use stored procedures to encapsulate database operations.
Tomalak
2008-11-20 12:03:06
All of those, except maybe the last one, are implied by the first one (if all your input is properly escaped, always, by the use of prepared statements (or parameterized queries)), no? Or you think there are subtle differences?
Vinko Vrsalovic
2008-11-20 12:16:09
No. But someone who asks these kinds of questions very likely has no firm understanding of the implications. Making them explicit is supporting comprehension. As your experience and abilities to abstract rise, you won't need the explicitness, and you're not likely to ask such questions anymore.
Tomalak
2008-11-20 14:14:12
This is a good answer, but I feel that "Use stored procedures to encapsulate database operations" is misleading. Parameterized dynamic SQL is just as safe as parameterized stored procedures. Maybe you should make that more implicit in your answer for clarity's sake.
Daniel Auger
2009-08-06 20:08:00
@Daniel: Parameterizes queries as used with `SqlCommand`, are to be used if the developer has not much control or expertise in the database technical stuff. Creating stored procedures in the database is not straight forward if you are a plain C# developer and not DBA. Using stored procedures is a good way to do it if the DBA(s) wants to do it in order to encapsulate complexity for the C# developers.
awe
2009-11-02 07:25:41
@Vinko: I agree. The answer could be made better by splitting up in 2 sections: First the points 2-4 as answer to what you need to consider, and then points 1 and 5 as possible solutions on how to solve the issues pointed out.
awe
2009-11-02 07:31:10
+4
A:
SQL injection occurs because the query to the database is being constructed in real time, EG "SELECT * From Table1 WHERE " + UserInput.
UserInput may be malicious and contain other statements that you do not intend.
To avoid it, you need to avoid concatenating your query together.
You can accomplish this by using parametrized queries - check out the DBCommand object for your particular DB flavor.
Brian Schmitt
2008-11-20 14:10:06
+8
A:
Use parameters! It really is that simple :-)
Create your queries like this (for MS Sql server with C#):
SqlCommand getPersons = new SqlCommand("SELECT * FROM Table WHERE Name = @Name", conn);
Here @Name is the parameter where you want to avoid sql injection and conn is an SqlConnection object. Then to add the parameter value you do the following:
getPersons.Parameters.AddWithValue("@Name", theName);
Here theName is a variable that contains the name you are searching for.
Now it should be impossible to do any sql injections on that query.
Since it is this simple there is no reason not to use parameters.
Rune Grimstad
2008-11-20 14:18:04
+1
A:
Hopefully, this will help:
http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx
The short answer is to use parameterized queries.
Anthony :-) www.codersbarn.com
IrishChieftain
2008-12-01 05:26:59
+3
A:
Scott Guthrie posted a decent little article about this a while back. In it, he offers 5 suggestions for protecting yourself:
Don't construct dynamic SQL Statements without using a type-safe parameter encoding mechanism. [...]
Always conduct a security review of your application before ever put it in production, and establish a formal security process to review all code anytime you make updates. [...]
Never store sensitive data in clear-text within a database. [...]
Ensure you write automation unit tests that specifically verify your data access layer and application against SQL Injection attacks. [...]
Lock down your database to only grant the web application accessing it the minimal set of permissions that it needs to function. [...]
He does a decent job of explaining why these are important, and links to several other resources as well...
Max
2009-08-06 07:46:26
+2
A:
NEVER trust user input, always validate it, and use sql parameters. Should be enough basis to prevent SQL injection.
James
2009-08-06 07:48:08
A:
Understand what exactly SQL Injection is and then never write anything that is vulnerable to it.
Robin Day
2009-08-06 07:48:54
+2
A:
Use parametrized queries and/or stored procedures and parse your parameters via SQL parameters. Never generate SQL code by concatenating strings. Also do some reading about SQL injection and about writing secure code, because preventing SQL injection is only a small part of security. There is many more (like XSS - Cross Site Scripting). If a hacker wants to compromise your site/application he will look for more then only SQL injection.
Gertjan
2009-08-06 07:52:11
+7
A:
Never trust user input - Validate all textbox entries using validation controls, regular expressions, code, and so on
Never use dynamic SQL - Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account - Use a limited access account to connect to the database
Don't store secrets in plain text - Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings
Exceptions should divulge minimal information - Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false
Useful link on MSDN Stop SQL Injection
kevchadders
2009-08-06 07:58:28
Good answer, but, I disagree with "Never use dynamic SQL". Dynamic SQL is a very generic term and can be very powerful and there are many cases where it should be used. Your point should just be pass variable data as parameters.
Robin Day
2009-08-06 09:58:52
Aye Robin, I agree Dynamic SQL can be very useful and there are some good cases where it should be used, by my points where based solely on the interaction with a user in the outside world, to stop them injecting SQL. For example, a SQL statements constructed by the concatenation of SQL with user-entered values.
kevchadders
2009-08-06 10:20:48
hmm I just got -1 vote as well as a number of posts below me bumping us all down? (all by the same user maybe??)
kevchadders
2009-08-07 14:52:07
A:
As others have said, don't concatenate user input to create dynamic sql statements; always use parameterized SQL when using dynamic SQL. However I will point out that this rule also applies when creating dynamic sql inside of a stored proc. This fact is something people often overlook. They think they are safe because they are "using stored procedures."
Daniel Auger
2009-08-06 19:58:18