Category Archives: Security

Security development and practice with the .NET languages

Prevent SQL Injection Attack With .NET

There has been a large stir recently about how to prevent SQL injection attacks with .NET, and rumors are flying about viruses because of the nuclear incident that happened in Iran. To be clear: regardless of how secure any site is, there is always some likelihood that it can be hacked. The best we can do is prevent as much as possible, so that it takes someone who is really good to get through; at that point you are dealing with a security expert, and they will likely just want you to pay them for the information. Back to the subject: to solve our security problem we must first ask ourselves what a SQL injection is. A SQL injection is a trick hackers use to execute malicious SQL scripts on your server.

Our main goal is not to take away functionality, but to prevent SQL injection attacks.

Let's say you have a login form that asks for a username and password. You have a text box bound to each field, and when the user clicks the Login button your form code selects from the user table where the user name equals the contents of the User text box. The SQL might look something like this:

string sql = "SELECT UserId, UserName, Password FROM Users " +
             "WHERE UserName = '" + txtUserName.Text + "'";   // user input concatenated straight into the statement

This is where a hacker comes in, and where we need to prevent SQL injection attacks. The user name a hacker would fill in would be something like this:

'; DROP DATABASE myWebApp --

When your code executes, it sends a DROP DATABASE command to your server, destroying all of your data. Dropping the database is probably not the hacker's real intent, as they would much rather send a command that validates their password or fetches data, but either way the goal here is to prevent the injection. Here are the three big steps to prevent SQL injection attacks:

Three methods to prevent SQL injection attacks with .NET

Validate your data

The first step in a SQL injection attack is to learn what the developer expects to happen with a field and exploit it. In reverse, the first step to prevent SQL injection attacks is to know what a hacker intends to do with a field and prevent it. This involves checking that the text you receive is the right length, scrubbing invalid characters, and making a decent attempt at stripping out dangerous SQL commands or returning an error if you find anything.

Use SQL Stored Procedures

Stored procedures are the next great .NET tool, because a parameter passed to a stored procedure command is sent as literal text rather than executed as part of the command. While converting your commands to stored procedures does not prevent SQL injection attacks, it does give you an additional security layer in case an injection makes it through and is targeting specific commands.

Use Parameters with Dynamic SQL

Another way to prevent SQL injection attacks is to pass your form input as parameters rather than injecting it directly into the statement. This is done by using an @-prefixed name as a placeholder in your statement and adding a matching parameter to your command object. It looks something like this:

using System.Data;
using System.Data.SqlClient;

// connection is an open SqlConnection; txtUserName.Text is bound to @userName as a value, never parsed as SQL
SqlDataAdapter saoSqlAdapter = new SqlDataAdapter(
    "SELECT UserName, UserId, Password FROM Users WHERE UserName = @userName", connection);
saoSqlAdapter.SelectCommand.Parameters.Add("@userName", SqlDbType.VarChar, 50);
saoSqlAdapter.SelectCommand.Parameters["@userName"].Value = txtUserName.Text;
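
To show the first two steps together (validate the field, then call a stored procedure with a typed parameter), here is an added C# example that is not from the original post. It assumes a stored procedure named dbo.GetUserByName taking @userName varchar(50) exists, and that connectionString points at the application database.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example, not from the original post. Assumes a stored procedure
// dbo.GetUserByName(@userName varchar(50)) that returns the matching user row.
public static class UserLookup
{
    // Step 1: validate. A login name is expected to be 1-50 characters of letters,
    // digits, dot, underscore or hyphen; anything else is rejected before it reaches
    // the database. The string from the post ('; DROP DATABASE myWebApp --) fails
    // this check on the quote, the semicolon and the spaces.
    static readonly Regex AllowedUserName = new Regex(@"^[A-Za-z0-9._-]{1,50}$");

    public static bool IsValidUserName(string userName)
    {
        return userName != null && AllowedUserName.IsMatch(userName);
    }

    // Steps 2 and 3: call a stored procedure and pass the name as a typed parameter.
    // The parameter, not the validation, is what stops the injection: even if the
    // check above were skipped, @userName is delivered as a value and is only ever
    // compared against the UserName column, never executed as SQL.
    public static DataTable FindUser(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name contains characters that are not allowed.");

        var table = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand("dbo.GetUserByName", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@userName", SqlDbType.VarChar, 50).Value = userName;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);   // one row when the user exists, zero rows otherwise
            }
        }
        return table;
    }
}
```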

Other methods to prevent SQL injection attacks

After applying these three methods you should be able to prevent SQL injection attacks from nearly all attackers. If you need more information on how to prevent SQL injection attacks, check out how to prevent SQL injection attacks on MSN.

XAF Security System & Roles

The standard security system in XAF does not support anonymous content out of the box: everyone is a registered user and must register straight out of the gate. We have been working on products lately that require a more user-friendly approach to web logins.

One approach we came up with uses a multi-tier security system concept. It has multiple user objects, allowing a single base user to define standard access, with application-specific users on top of it to dictate how each application works.

To use this concept, we replaced the security system with a few lines of code:

Security Class:

Imports DevExpress.ExpressApp.Security

' Replaces the default authentication: every visitor who is not logged in is mapped
' to a single "Anonymous" account instead of being sent to a registration page.
Public Class AnonymousSecuritySystem
    Inherits AuthenticationActiveDirectory

    Protected Overrides Function GetUserName() As String
        Return "Anonymous"
    End Function
End Class

After replacing the security system, we created a controller that allows a user to log in based on another tier object.

Imports DevExpress.Data.Filtering
Imports DevExpress.ExpressApp
Imports DevExpress.ExpressApp.Actions
Imports DevExpress.ExpressApp.Security

Public Class LoginController
    Inherits ViewController

    ' The Login action; in a designer-created controller this declaration lives in
    ' the designer-generated partial class.
    Private WithEvents Login As SimpleAction

    Public Sub New()
        ' This call is required by the Component Designer.
        Login = New SimpleAction(Me, "Login", "Edit")
    End Sub

    Private Sub Login_Execute(ByVal sender As System.Object, _
            ByVal e As SimpleActionExecuteEventArgs) Handles Login.Execute
        ' Look up the application-tier web user (criterion hard-coded here for the
        ' example), then log on as the base user it points to.
        Dim oWebUser As WebUser = ObjectSpace.FindObject(Of WebUser)( _
            CriteriaOperator.Parse("UserName = 'a'"))
        If oWebUser IsNot Nothing Then
            CType(SecuritySystem.Instance, SecurityComplex).Logon(oWebUser.BaseUser)
        End If
    End Sub
End Class

This is extended to each application, so we can have separate Win and Web users while keeping the option open to share the same roles between the applications.