
I'm developing an ASP.NET MVC 3 app and need a way around SQL injections, something simple would be useful. I have followed Microsoft's article on the matter but it doesn't seem to match up with my code and structure.

Any help is greatly appreciated.

  • Simple... always use SQL parameters whenever you build a statement with user input. Commented Apr 28, 2011 at 15:25
  • Not that simple, though: one could misuse this and use parameters which then in turn get put into dynamic SQL on the server side in a proc. Commented Apr 28, 2011 at 15:27
  • @Adam Tuliper then they didn't use SQL parameters everywhere (including stored procedures). Commented Apr 28, 2011 at 16:19
  • True, true. I just want to clarify: just having them go into, say, a proc doesn't fully protect you if you misuse them inside of the proc. Commented Apr 28, 2011 at 16:32

1 Answer


To prevent SQL injection:

Do not form any dynamic SQL.

  1. Use stored procedures (and do not include any dynamic SQL in a stored proc; if you do, make sure you use sp_executesql and not exec, as sp_executesql can take a parameterized query).
  2. Use parameterized queries.
  3. Use an ORM (e.g. Entity Framework), which uses parameterized queries behind the scenes anyway.

Try not to use any dynamic SQL; if you must for some reason, then make sure you use parameterized queries.

Don't just use dynamic SQL and remove quotes from it; it's a bit dangerous to assume that would be the only attack vector, as some do.
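The three options in the answer, plus the sp_executesql point from the comments, shown side by side in ADO.NET as an added example (this is not code from the question or the answer). It assumes a SQL Server connection string, a table `dbo.Users(Id, Name, Email)` and a hypothetical stored procedure `dbo.usp_FindUserByName`; the first method is the concatenation pattern the answer warns against, kept only for contrast.

```csharp
// Added example, not from the original question or answer.
// Assumes SQL Server, a table dbo.Users(Id, Name, Email) and the hypothetical
// stored procedure dbo.usp_FindUserByName defined in CreateProcedureSql below.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserRepository
{
    // Placeholder; a real MVC app reads this from Web.config.
    private const string ConnectionString =
        "Server=.;Database=AppDb;Integrated Security=true;";

    // VULNERABLE (dynamic SQL): the user-supplied value becomes part of the SQL text.
    // Stripping quotes does not fix this, as the answer notes: the value can still
    // change the statement's structure in contexts that need no quote at all.
    public static DataTable FindByNameUnsafe(string name)
    {
        string sql = "SELECT Id, Name, Email FROM dbo.Users WHERE Name = '" + name + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE (option 2): parameterized query. The value travels separately from the
    // SQL text as a typed parameter, so it is only ever treated as data.
    public static DataTable FindByName(string name)
    {
        const string sql = "SELECT Id, Name, Email FROM dbo.Users WHERE Name = @name";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // SAFE (option 1): stored procedure called with a typed parameter.
    public static DataTable FindByNameViaProc(string name)
    {
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand("dbo.usp_FindUserByName", conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // T-SQL for the hypothetical procedure above, kept here so the whole path is
    // visible. If a proc must build dynamic SQL, it passes the value through
    // sp_executesql as a bound parameter instead of concatenating it into EXEC;
    // otherwise the parameter the C# side supplied is wasted, which is the
    // misuse the comments describe.
    public const string CreateProcedureSql = @"
CREATE PROCEDURE dbo.usp_FindUserByName @name NVARCHAR(100)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @sql NVARCHAR(MAX) =
        N'SELECT Id, Name, Email FROM dbo.Users WHERE Name = @n';
    -- Parameterized dynamic SQL: @name is bound, never spliced into the text.
    EXEC sp_executesql @sql, N'@n NVARCHAR(100)', @n = @name;
    -- Do NOT do this inside the proc:
    -- EXEC('SELECT Id, Name, Email FROM dbo.Users WHERE Name = ''' + @name + '''');
END";
}
```

Option 3 (an ORM) ends up at the same place as FindByName: Entity Framework emits parameterized commands, so the same rule applies if you drop down to raw SQL through it, namely pass values as parameters, not as string fragments.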
