
I'll use a select in an ASP.NET page, i.e.:

// Form values pasted straight into the SQL text (no parameters)
string name = TextBox1.Text;
string pas = TextBox2.Text;
string c = "select * from users where name='" + name + "' and password ='" + pas + "'";

Is there any method to prevent SQL injection?

Comments

  • Use prepared statements. Commented Apr 24, 2013 at 12:33
  • Can you give an example? Commented Apr 24, 2013 at 12:35
  • Also, never store the password itself in the database. Always use a hash of the password with added salt, probably using Oracle's DBMS_CRYPTO PL/SQL package. See stackoverflow.com/questions/8339107/… Commented Apr 24, 2013 at 12:39
  • Microsoft article on prepared statements Commented Apr 24, 2013 at 12:40
  • Hash is always tasty, especially with a little salt :) Commented Apr 24, 2013 at 12:42
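The "prepared statements" the commenters point to, shown as an added example (not code from the question or the comments): the concatenated query from the question beside a parameterised version using ADO.NET's SqlCommand. It assumes a SQL Server users table with columns name and password and a connection string named "Db" in web.config; both are assumptions.

```csharp
// Added example: concatenated vs. parameterised login query.
// Assumptions: SQL Server, table "users" (name, password), connection string "Db".
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginQuery
{
    // UNSAFE (the query from the question): the form values become part of the
    // SQL text, so any quote character or keyword they contain changes the statement.
    public static string BuildConcatenated(string name, string pas)
    {
        return "select * from users where name='" + name + "' and password ='" + pas + "'";
    }

    // SAFE: the statement text is fixed; the values travel as typed parameters
    // and the driver never splices them into the SQL.
    public static bool Exists(string name, string pas)
    {
        const string sql = "select count(*) from users where name = @name and password = @pas";
        string cs = ConfigurationManager.ConnectionStrings["Db"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Size the parameters to the column widths so oversized input is rejected early.
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            cmd.Parameters.Add("@pas", SqlDbType.NVarChar, 100).Value = pas;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

A user named O'Brien is the simplest way to see the difference: the concatenated string breaks (the apostrophe ends the literal early), while the parameterised query matches the row exactly, because the value is delivered to the server as data rather than as SQL text. The parameterised version still compares a clear-text password, as the question does; the hashing the comments recommend is a separate change on top of it.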

1 Answer

First, you must validate the input data in your code and then use it as parameters, because if an unhandled exception occurs and you are returning sensitive data like "connection strings", you are giving useful information like "Column" and "Table" names, and that is dangerous. Second, add a "Data Access Layer" to handle your code, not in "Code Behind". You can use "Stored Procedures" and call them from your code; using this way you hide the query from the programming logic and only pass parameters to the stored procedure, and it does the job, and you only return the error in the case that an exception occurs.

These preventions are the basics in a small application, but many other ways exist to avoid SQL injection.


2 Comments

I'm working with important data, so I will use hashing or other powerful methods. Thanks for your idea, sorry I took your time.
Hashing is only for passwords. If any error occurs you're returning sensitive data like table and column names, and that is SQL Injection. I recommend that you validate the input if you do not have time to avoid SQL injection, hope this helps ;-)
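The answer's three points (validate input, keep data access out of the code-behind, call a stored procedure with parameters) together with the salted hash from the question's comments, as an added example that is not the answerer's code. The stored procedure name usp_GetUserByName, the columns PasswordHash and Salt, the connection string name "Db" and the PBKDF2 iteration count are all assumptions.

```csharp
// Added example: a small data access layer that calls a stored procedure with
// parameters and verifies a salted password hash in application code.
// Assumptions: procedure usp_GetUserByName(@name) returning PasswordHash and
// Salt (varbinary), connection string "Db", PBKDF2 with 100000 iterations.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Security.Cryptography;

public class UserRepository
{
    private readonly string _cs =
        ConfigurationManager.ConnectionStrings["Db"].ConnectionString;

    // Validate before the value goes anywhere near the database; the length
    // limit keeps the parameter inside the column size.
    private static bool IsValidUserName(string name)
    {
        return !string.IsNullOrWhiteSpace(name) && name.Length <= 50;
    }

    public bool Login(string name, string password)
    {
        if (!IsValidUserName(name) || string.IsNullOrEmpty(password))
            return false;

        byte[] storedHash, salt;
        using (var conn = new SqlConnection(_cs))
        using (var cmd = new SqlCommand("usp_GetUserByName", conn))
        {
            // Only the parameter value crosses the boundary; the SQL lives in the procedure.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = name;
            conn.Open();
            using (SqlDataReader r = cmd.ExecuteReader())
            {
                if (!r.Read()) return false;          // unknown user
                storedHash = (byte[])r["PasswordHash"];
                salt = (byte[])r["Salt"];
            }
        }

        // PBKDF2 (Rfc2898DeriveBytes) with the stored per-user salt; the database
        // never receives the clear-text password.
        byte[] candidate;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000))
            candidate = kdf.GetBytes(storedHash.Length);

        // Constant-time comparison so timing does not reveal where the hashes differ.
        int diff = candidate.Length ^ storedHash.Length;
        for (int i = 0; i < candidate.Length && i < storedHash.Length; i++)
            diff |= candidate[i] ^ storedHash[i];
        return diff == 0;
    }
}
```

The page's code-behind would call Login inside a try/catch, log any SqlException server-side and show the user only a generic "login failed" message; that is the answer's point about not returning exception details, table or column names to the browser.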
