Marked as answer by banksidepoet on Sep 22, 2011 12:05 PM
banksidepoet
Participant
774 Points
862 Posts
Parameterised Security
Sep 21, 2011 06:41 PM
Hi.
I am having SQL Injection Attack problems. Having researched the best prevention against this, the advice seems to be to use parameters in all SQL that uses user input.
How can I find out what ASP.NET Web Controls use parameters out-of-the-box: does the Login Control? The PasswordRecovery control? The CreateUserWizard?
Thanks,
Mike
Mikesdotnett...
All-Star
154955 Points
19872 Posts
Moderator
MVP
Re: Parameterised Security
Sep 21, 2011 06:44 PM
The SqlMembershipProvider uses parameterised SQL. That means that all the methods it exposes are safe.
Beginning ASP.NET Web Pages with WebMatrix | My Site | Twitter
banksidepoet
Participant
774 Points
862 Posts
Re: Parameterised Security
Sep 21, 2011 06:47 PM
Understood. Thank you. I can get on with the custom parts, then.
banksidepoet
Participant
774 Points
862 Posts
Re: Parameterised Security
Sep 22, 2011 11:00 AM
Thank you for your response of yesterday.
I have, today, been reading an article of yours which contains the following code:
protected void Page_Load(object sender, EventArgs e)
{
    var connect = ConfigurationManager.ConnectionStrings["NorthWind"].ToString();
    var query = "Select * From Products Where ProductID = @ProductID";
    using (var conn = new SqlConnection(connect))
    {
        using (var cmd = new SqlCommand(query, conn))
        {
            cmd.Parameters.Add("@ProductID", SqlDbType.Int);
            cmd.Parameters["@ProductID"].Value = Convert.ToInt32(Request["ProductID"]);
            conn.Open();
            //Process results
        }
    }
}
Obviously, the "input" to the database is ["ProductID"].
My "input" is simply the contents of a textbox (let's call it "FirstName") in a form.
Could you provide the line again, using my scenario, please? Is it just Convert.ToString(FirstName.Text);
Thank you,
Mike
hans_v
All-Star
35986 Points
6550 Posts
Re: Parameterised Security
Sep 22, 2011 11:04 AM
var query = "Select * From Users Where firstName = @FirstName";
using (var conn = new SqlConnection(connect))
{
    using (var cmd = new SqlCommand(query, conn))
    {
        cmd.Parameters.AddWithValue("@FirstName", FirstName.Text);
        conn.Open();
        //Process results
    }
}
banksidepoet
Participant
774 Points
862 Posts
Re: Parameterised Security
Sep 22, 2011 12:05 PM
Thank you.
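As an added example (not code from hans_v's post or the original thread), here is the parameterised lookup from the answer above carried through to reading the results, with the parameter's SQL type and length declared explicitly instead of inferred by AddWithValue. The Users table, its nvarchar(50) firstName and lastName columns, and the UserLookup class name are assumptions; the connection string and the textbox value are passed in so the method can be called from any page's event handler.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Assumed schema: a Users table with
// nvarchar(50) firstName and lastName columns.
public static class UserLookup
{
    // Returns "first last" for every user whose firstName equals the supplied text.
    public static List<string> FindByFirstName(string connectionString, string firstNameInput)
    {
        // The user-supplied value never becomes part of the SQL text; it is sent to
        // SQL Server as a typed parameter value alongside the fixed query string.
        const string query =
            "SELECT firstName, lastName FROM Users WHERE firstName = @FirstName";

        var results = new List<string>();

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, conn))
        {
            // Declaring SqlDbType and length explicitly keeps the parameter matched to
            // the column. AddWithValue infers nvarchar with the length of the value, so a
            // varchar column would be converted on every row (defeating its index) and
            // each distinct input length would get its own cached plan.
            cmd.Parameters.Add("@FirstName", SqlDbType.NVarChar, 50).Value = firstNameInput;

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    results.Add(reader.GetString(0) + " " + reader.GetString(1));
                }
            }
        }

        return results;
    }
}

// Example call from a page's button handler (FirstName is the TextBox from the thread):
//   var names = UserLookup.FindByFirstName(
//       ConfigurationManager.ConnectionStrings["Users"].ConnectionString, FirstName.Text);
```

Because the value travels as a parameter, a name such as O'Brien is compared literally against the column; the apostrophe that would terminate a string literal in a concatenated query has no effect on the statement text.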
banksidepoet
Participant
774 Points
862 Posts
Re: Parameterised Security
Sep 22, 2011 12:07 PM
The SqlMembershipProvider is all parameterised. Good.
What about an everyday DetailsView and GridView? And what if I convert fields in these to TemplateFields?
hans_v
All-Star
35986 Points
6550 Posts
Re: Parameterised Security
Sep 22, 2011 02:29 PM
I think you mean the datasource you can attach to these datacontrols? They are parameterised as well....
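To show what "parameterised as well" means for the data source behind a GridView or DetailsView, here is an added example (not from hans_v's post or the thread) that builds a SqlDataSource in code-behind and feeds the textbox value in through its SelectParameters collection. The TextBox ID "FirstName", the GridView ID "UsersGrid", the button handler name, the "Users" connection string name and the Users table are all assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not from the thread. Assumes the page already declares a TextBox
// "FirstName", a Button wired to Search_Click and a GridView "UsersGrid", plus a
// connection string named "Users" in web.config.
public partial class UserSearch : Page
{
    protected void Search_Click(object sender, EventArgs e)
    {
        var ds = new SqlDataSource
        {
            ConnectionString =
                ConfigurationManager.ConnectionStrings["Users"].ConnectionString,
            // The @FirstName placeholder is the only thing the data source ever puts
            // into the SQL text; the textbox value is supplied as a parameter below.
            SelectCommand =
                "SELECT firstName, lastName FROM Users WHERE firstName = @FirstName",
            SelectCommandType = SqlDataSourceCommandType.Text
        };

        // SelectParameters become SqlParameters on the command the control executes.
        // The parameter name matches the placeholder without the "@".
        ds.SelectParameters.Add(new Parameter("FirstName", DbType.String, FirstName.Text));

        UsersGrid.DataSource = ds;
        UsersGrid.DataBind();
    }
}
```

In markup the same binding is an asp:ControlParameter inside the SqlDataSource's SelectParameters element, pointing at the TextBox; either way the control never concatenates the textbox text into the SelectCommand, which is why converting a bound column to a TemplateField changes only how the value is rendered, not how it reaches the database.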
banksidepoet
Participant
774 Points
862 Posts
Re: Parameterised Security
Sep 22, 2011 03:11 PM
Yes, I do.
That's good, thanks.