There has been a large stir recently about how to prevent SQL injection attacks with .NET. Huge rumors are flying about viruses because of the nuclear incident that happened in Iran. Just to be clear, no matter how secure a site is, there is always some likelihood that it can be hacked. The best we can do is prevent as much as possible, so that it takes someone who is really good to get in. At that point you are dealing with a security expert, and likely they will just want you to pay them for the information. Back to the subject: to solve our security problem we must first ask ourselves, what is a SQL injection? A SQL injection is a trick attackers use to execute malicious SQL on your server by slipping it into input that your application pastes into a query.
Our main goal is not to take away functionality, but to prevent SQL injection attacks.
Let's say you have a login form that asks for a username and password. You have a text box bound to each field, and when the user clicks the Login button your form code selects from the Users table where the user name equals the contents of the username text box. The SQL might look something like this:
string sql = "SELECT UserId, UserName, Password FROM Users WHERE UserName = '" + txtUserName.Text + "'";
Now suppose that, instead of a user name, someone types the following into the username box:
'; DROP DATABASE myWebApp --
When your code executes, the concatenated text is no longer one SELECT but two statements, and the second one sends a DROP DATABASE command to your server, destroying all of your data. This is probably not what the hacker actually wants, as they would much rather send a command that validates their password or fetches data, but the point is that whatever they type becomes SQL. Here are the three big steps to prevent SQL injection attacks:
Three methods to prevent SQL injection attacks with .NET
Validate your data
The first step in a SQL injection attack is to know what the developer expects to happen with a field and exploit it. In reverse, the first step to prevent SQL injection attacks is to know what a hacker intends to do with a field and prevent it. This involves checking that the text you receive is the right length, scrubbing invalid characters, and making a decent attempt at stripping out dangerous SQL commands or returning an error if you find anything.
Use SQL Stored Procedures
Stored procedures are the next great .NET tool, because a parameter passed to a stored procedure command is sent as a literal value rather than executed as part of the command text. While converting your commands to stored procedures does not by itself prevent SQL injection attacks, it does give you an additional security layer in case an injection makes it through and is targeting specific commands.
Use Parameters with Dynamic SQL
Another way to prevent SQL injection attacks is to pass your form input to the query as parameters instead of concatenating it directly into the statement. This is done by putting an @-prefixed placeholder in your SQL text and adding a matching parameter to your command object, so the value travels to the server separately from the SQL. It looks something like this:
using System.Data;
using System.Data.SqlClient;

// The @userName placeholder is filled from a typed parameter, not from string concatenation.
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
    "SELECT UserName, UserId, Password FROM Users WHERE UserName = @userName", connection);
myDataAdapter.SelectCommand.Parameters.Add("@userName", SqlDbType.VarChar, 50);
myDataAdapter.SelectCommand.Parameters["@userName"].Value = txtUserName.Text;
myDataAdapter.Fill(userDataset);
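The following is an added example, not code from the original post, that puts the "Validate your data" and "Use Parameters with Dynamic SQL" steps together for the login lookup above. The method names, the 50-character limit and the allowed character set are assumptions for illustration; the table and column names are the ones used in the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Assumption: Users.UserName is a VARCHAR(50) column.
    private const int MaxUserNameLength = 50;

    // "Validate your data": reject anything that cannot be a legitimate user name
    // before it reaches SQL Server. This narrows what an attacker can send, but the
    // parameter in FindUser below is what actually stops the injection.
    public static bool IsValidUserName(string userName)
    {
        if (string.IsNullOrWhiteSpace(userName) || userName.Length > MaxUserNameLength)
            return false;
        foreach (char c in userName)
        {
            // Assumed policy: letters, digits, '.', '_' and '-' only.
            if (!char.IsLetterOrDigit(c) && c != '.' && c != '_' && c != '-')
                return false;
        }
        return true;
    }

    // "Use Parameters": the user name is sent as a typed value, never as SQL text,
    // so an input like  '; DROP DATABASE myWebApp --  is just compared against the
    // UserName column and matches nothing.
    public static DataTable FindUser(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name failed validation.", nameof(userName));

        const string sql = "SELECT UserId, UserName FROM Users WHERE UserName = @userName";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@userName", SqlDbType.VarChar, MaxUserNameLength).Value = userName;

            var table = new DataTable();
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table); // Fill opens and closes the connection itself
            }
            return table;
        }
    }
}
```

Note that the query deliberately does not return the Password column; the password check belongs in code that compares a stored hash, not in the lookup.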
Other methods to prevent SQL injection attacks
After working through these three methods you should be able to prevent SQL injection attacks from most attackers. If you need more information on how to prevent SQL injection attacks, check out how to prevent SQL injection attacks on MSN.