locked
SQL Injection RRS feed

  • Question

  • User1310055179 posted

    Hi,

    I was wondering if changing all the queries in my web application to use parameters is a a good enough solution for SQL Injection attack?

    Wednesday, August 29, 2018 6:20 AM

All replies

  • User632428103 posted

    Hello qsoft dev :)

    yes it's enough for me ..read this article it's well explain with few sample 

    https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

    Wednesday, August 29, 2018 8:33 AM
  • Wednesday, August 29, 2018 2:16 PM
  • User753101303 posted

    Hi,

    At least it is a needed first step so start with that.

    Some are going further especially if stored data could be consumed as well from other apps that are not using this particular measure.

    Wednesday, August 29, 2018 2:23 PM
  • User283571144 posted

    Hi qsoft_developer,

    In my opinion, this is not enough.

    To protect your application from SQL injection, perform the following rules:

    • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
    • Don't build SQL strings out of unchecked user input.
    • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
    • Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
    • Use stored procedures to encapsulate database operations.

    Best Regards,

    Brando

    Thursday, August 30, 2018 9:59 AM