views:

66

answers:

3

I have a boolean variable value stored in an SQL Server database. This is presented to end users as a checkbox on an ASP.NET webpage. Toggling the checkbox naturally updates the value in the database.

I was about to remove the SQL query that is written in plain text in the C# code behind and replace it with a stored procedure in order to improve security by protecting against SQL injection attacks. My understanding of injection attacks is limited, but surely one could not trigger an attack from an unsecured checkbox input? Or could one?

+1  A: 

Well, as a rule you should always use stored procedures or parameterized SQL. Can you do it through the clicking of a checkbox? Really, it all depends on how the code is written. On the surface, I would say no, but there are a large number of possibilities that could affect this.

Remember, when the page posts it is essentially sending a text value to the server. Someone could send a SQL injection attack instead of the checkbox value. Now ASP.NET is pretty good at handling this, but that doesn't mean it couldn't happen if the code is written to bypass the ASP.NET checking, etc.

The one thing I've learned about programming is that every time I think, "This can't be done," I am generally proven wrong. I always take the safest route concerning security.

Kevin
+1  A: 

Hey,

The chance of an attack through the UI is more of a threat with an input field like a textbox than with a checkbox per se. It's good to be careful, but using stored procs and using a command with parameters is one way to handle this type of attack. Or, if you use inline SQL, make sure you use @parameters for the values rather than injecting the values directly into the query.

Also encoding values helps overcome some issues.

HTH.

Brian
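To make the contrast concrete, here is an added example (not code from the question or any of the answers) showing the plain-text query pattern the question describes next to the `@parameter` version Brian recommends, in C# code-behind. The table `dbo.Items`, its columns `ItemId` and `IsEnabled`, and the method names are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

// Hypothetical schema for the example: dbo.Items(ItemId int, IsEnabled bit).
public static class ItemFlags
{
    // The pattern the question is moving away from: whatever string arrived in the
    // POST body is spliced into the SQL text. The database cannot tell where the
    // command ends and the "value" begins, so the posted string is trusted as code.
    public static string BuildQueryUnsafe(string itemId, string postedValue)
    {
        return "UPDATE dbo.Items SET IsEnabled = " + postedValue
             + " WHERE ItemId = " + itemId;
    }

    // The parameterized form: the SQL text is a constant, and each value travels as a
    // typed parameter. A bit parameter can only ever carry 0 or 1, and an int parameter
    // only an integer, so nothing from the request can change the shape of the command.
    public static void UpdateEnabled(string connectionString, int itemId, bool isEnabled)
    {
        const string sql =
            "UPDATE dbo.Items SET IsEnabled = @IsEnabled WHERE ItemId = @ItemId";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@IsEnabled", SqlDbType.Bit).Value = isEnabled;
            cmd.Parameters.Add("@ItemId", SqlDbType.Int).Value = itemId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Wiring it to the control: CheckBox.Checked is already a bool, so the handler
    // never touches the raw posted string at all.
    public static void OnCheckedChanged(string connectionString, int itemId, CheckBox box)
    {
        UpdateEnabled(connectionString, itemId, box.Checked);
    }
}
```

Note that `UpdateEnabled` is safe regardless of where its arguments come from; the typed parameters, not the checkbox, are what remove the injection risk.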
+1  A: 

ASP.NET by default checks returned values to make sure it's getting what it expects. It then enters the value into YourCheckBox.Checked, so at that point the returned value would have to be true or false. That's not to say the checkbox is impenetrable - nobody will say that, since there's probably somebody somewhere who could still use it maliciously - but there are probably bigger security risks on the site than the checkbox. I would spend your time looking at textboxes, drop-down lists, and the session. You could return to the checkbox if you really feel everything else is completely secure.

Of course, if you're just using the HTML checkbox then it's not going to check the return value and is therefore less secure. In this case I would suggest changing it to an ASP.NET checkbox.

Peter