views:

72

answers:

4

Are there instruments in .NET 4 to "automatize" verification of SQL fields against SQL injection?

I saw this article, but I'm afraid it could be out of date...

EDIT:
Oracle Db compatible...

+1  A: 

I believe you avoid the problem by using sqlparameters.

krefftc
+5  A: 

The simplest instrument in ADO.NET is to use sql parameters for all your query values that are variable. This also has an efficiency advantage. Even if you have explicit sql in your code and are not using stored procedures or functions at all, you still gain both of these advantages by using the same query string while varying only the values of your parameters.

There may be times (with search engines for example) when you really need to construct your sql command text dynamically, without being able to use sql parameters. This is unfortunate, because the other ways of protecting yourself against sql injection (various kinds of sanitizing and keyword blacklists) are more involved and require you to be thoughtful and clever. Try to avoid this!

Patrick Karcher
I've been able to use parameters even when constructing queries dynamically. It's worth it.
Kevin Gale
Good point about the efficiency adv.
Matt Roberts
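The point made in this answer and its comments (parameters are still usable when the query text is built dynamically) as an added example, not code from the original posts. It uses the provider-independent DbCommand/DbParameter classes of ADO.NET; the `customers` table, its columns and the `SafeSearch` name are constructed for illustration, and the placeholder prefix is `@` for SqlClient and `:` for ODP.NET (Oracle).

```csharp
using System;
using System.Data.Common;
using System.Text;

public static class SafeSearch
{
    // UNSAFE (for contrast only): the value is pasted into the SQL text, so any
    // single quote inside lastName ends the string literal and the remainder of
    // the value is parsed as SQL. This is the pattern the answer warns against.
    public static string UnsafeSql(string lastName)
    {
        return "SELECT id, last_name FROM customers WHERE last_name = '" + lastName + "'";
    }

    // SAFE: the WHERE clause is assembled dynamically from optional filters, but
    // only fixed SQL fragments and placeholders are appended to the text; every
    // user-supplied value travels as a bind parameter and is never parsed as SQL.
    public static DbCommand BuildSearch(DbConnection conn, string prefix,
                                        string lastName, int? minOrders)
    {
        var sql = new StringBuilder("SELECT id, last_name FROM customers WHERE 1=1");
        DbCommand cmd = conn.CreateCommand();

        if (!string.IsNullOrEmpty(lastName))
        {
            sql.Append(" AND last_name = ").Append(prefix).Append("lastName");
            AddParam(cmd, prefix + "lastName", lastName);
        }
        if (minOrders.HasValue)
        {
            sql.Append(" AND order_count >= ").Append(prefix).Append("minOrders");
            AddParam(cmd, prefix + "minOrders", minOrders.Value);
        }

        cmd.CommandText = sql.ToString();
        return cmd;   // caller executes it, e.g. cmd.ExecuteReader()
    }

    // Parameter name is given exactly as it appears in the SQL text; the value is
    // typed by the provider, so numbers stay numbers and strings stay strings.
    private static void AddParam(DbCommand cmd, string name, object value)
    {
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = name;
        p.Value = value;
        cmd.Parameters.Add(p);
    }
}
```

With ODP.NET, Oracle binds parameters by position unless `OracleCommand.BindByName` is set to true, so either set it or keep the parameters added in the same order as their placeholders appear in the text (the code above does both by construction).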
+1  A: 

Is this an "ADO.NET" question? If it is then yeah SQLParameters are your friend. Scott Gu's article on the subject is old but still quite useful and has good advice.

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

If you're not using ADO.NET then most ORMs will protect against attacks for you. LLBLGen for example generates parameterized queries. As does Linq to SQL. I'm guessing that they all do, although check with your flavour of ORM :)

Matt Roberts
A: 

For me, the simplest means is to use Linq2Sql to query the database. It wasn't mentioned in the article because it didn't exist. You could also use Entity Framework as well. It offers more power with a bit higher learning curve. There are plenty of other ORMs and most (perhaps all but I don't know) will protect you against SQL injection. The other nice thing is that the ORM takes care of creating an object from the result.

Kirk