1

I am working on an MVC project and I want to prevent SQL injection. How can I apply attributes to the model's properties to avoid invalid input? Is there an attribute like AllowHtml to attach to the properties?

2 Answers

1

The easiest way to prevent SQL injection is by using an ORM framework. Entity Framework is a great solution. It is also open source: Entity Framework - Codeplex

I think you are talking about XSS (cross-site scripting). You don't need to worry about that. ASP.NET MVC escapes HTML tags by default. Also, if someone wants to post an HTML tag, the application will crash and tell you something like "Invalid input". If you want the user to be able to post HTML tags (which are escaped by default), there is an attribute [ValidateInput(false)]. You can put it on the entire controller, or on specific methods in the controller. If you apply it to a method and the method uses a model, all of the string properties of the model will allow HTML input. I don't think the attribute is applicable to specific model properties only, but you can try.
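Added example (not from the answer above or from the ASP.NET project) showing the two ways request validation can be relaxed in ASP.NET MVC: `[ValidateInput(false)]` on an action, as the answer describes, and `System.Web.Mvc.AllowHtmlAttribute` on a single model property, which the question asks about and which exists in MVC 3 and later. The `CommentModel`, `CommentsController` and the persistence step are constructed for illustration.

```csharp
using System.Web.Mvc;

// Constructed model: only Body is meant to carry HTML; Author stays plain text.
public class CommentModel
{
    public string Author { get; set; }

    // [AllowHtml] (System.Web.Mvc, MVC 3+) turns request validation off for this
    // one property only. Without it, a value such as "<b>hi</b>" makes the binder
    // throw HttpRequestValidationException ("A potentially dangerous Request.Form
    // value was detected from the client ...") before the action runs.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Request validation is still on for every property except Body.
    [HttpPost]
    public ActionResult Create(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Persisting the comment is assumed here (not part of the original answer).
        return RedirectToAction("Index");
    }

    // Action-wide alternative from the answer: EVERY string bound by this action,
    // including Author, now accepts HTML, so the attack surface is wider than
    // with the per-property attribute.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult CreateRaw(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        return RedirectToAction("Index");
    }
}
```

Relaxing request validation only changes what is accepted on input; it does not change output encoding. In a Razor view, `@Model.Body` is still HTML-encoded, and the stored markup is rendered unencoded only if the view explicitly uses `@Html.Raw(Model.Body)`, which is the point at which an HTML sanitizer has to be applied if the value came from a user.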


0

In terms of SQL injection, avoid dynamically generating the SQL query string (concatenating string input from the user) and you will be fine. The safest way would be to use a SQL stored procedure (as long as you don't concatenate SQL strings inside your stored procedure).

An XSS attack is a different topic, with other techniques to prevent it.
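Added example (not from either answer or from any project the page describes) putting the advice of both answers side by side: a query built by string concatenation, the same query with an ADO.NET parameter, a parameterized stored-procedure call, and an Entity Framework LINQ query, which the provider translates into parameterized SQL. The `Users` table, the `dbo.FindUserByName` procedure, the `User` entity and `AppDbContext` are assumed names constructed for this example.

```csharp
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

public static class UserRepository
{
    // Vulnerable pattern (what the answer says to avoid): the user-supplied value
    // becomes part of the SQL text, so the database parses the input as SQL.
    public static DataTable FindByNameUnsafe(string connectionString, string name)
    {
        string sql = "SELECT Id, Name FROM Users WHERE Name = '" + name + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Parameterized query: the SQL text is constant, and the value is sent as a
    // typed parameter, so it can never be interpreted as part of the statement.
    public static DataTable FindByName(string connectionString, string name)
    {
        const string sql = "SELECT Id, Name FROM Users WHERE Name = @name";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Stored procedure called with a parameter (dbo.FindUserByName is an assumed
    // procedure). This is only as safe as the procedure body: if the procedure
    // builds dynamic SQL from @name, the injection problem moves inside it.
    public static DataTable FindByNameProc(string connectionString, string name)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.FindUserByName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}

// Entity Framework route from the first answer: LINQ is translated to SQL with
// parameters by the provider, so no query text is assembled from user input.
public class User
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class AppDbContext : DbContext
{
    public DbSet<User> Users { get; set; }
}

public static class UserQueries
{
    public static User FindByName(AppDbContext db, string name)
    {
        return db.Users.FirstOrDefault(u => u.Name == name);
    }
}
```

The difference between the first method and the other three is not input filtering but where the boundary between code and data is drawn: in the parameterized versions the statement is fixed before any user value is attached, so there is no attribute on the model that needs to "validate" the string for SQL purposes. Input validation attributes (`[StringLength]`, `[RegularExpression]`) remain useful for data quality, but they are not the control that prevents injection.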
