Haitham Khed...
Coding techniques for protecting against Sql injection
Jun 07, 2010 05:22 PM
I found this thread very valuable, but it is locked so I couldn't reply just to add some comments.
http://forums.asp.net/t/1254125.aspx
The post is so valuable that I made a small modification for these reasons:
1- The HTTP module, and practically this check, will be executed in each request, which is actually expensive, so just to make it more concise we will use it to secure the parameters that will be passed to the dynamic SQL query before executing the query.
2- The blackList array actually contains the harmful words like "delete", but the problem is that if you are passing an XML document as a parameter that has a tag called <deletedDate> or <deletedPath>, the function will consider it an SQL injection while it is not. So the best way is to add a space after each word; actually the attacker needs to add a space after the harmful word to write the SQL injection query, so we will just add a space. Actually you will need to modify this based on your application: if you have a textarea for a note field in your database, and your user is writing "and we go to the office to delete some papers", it will again raise SQL injection while it is not, so if you are in this scenario you will need to make it more intelligent.
3- Using IndexOf is nice for the comparison; you can check these 2 threads if you wish to understand more.
Which is faster String.Contains or IndexOf
http://stackoverflow.com/questions/498686/net-is-string-contains-faster-than-string-indexof
which is faster , RegEx or String.Contains
http://social.msdn.microsoft.com/Forums/en/regexp/thread/30625118-0bda-4b0c-9e45-13bc5bfd19fd
So here is the final class that you can use in your Security Access Layer.
////////////////////////////////////////////////////////////////////////////////////////////////
using System;
using System.Web;

namespace SecurityAccessLayer
{
    public class SQLInjection
    {
        // Each keyword carries a trailing space so that a word that merely
        // contains a keyword (e.g. the XML tag <deletedDate>) is not flagged.
        private static string[] blackList = {"--","@@",
            "char ","nchar ","varchar ","nvarchar ",
            "alter ","begin ","cast ","create ","cursor ","declare ","delete ","drop ","end ","exec ","execute ",
            "fetch ","insert ","kill ","open ",
            "select ", "sys ","sysobjects ","syscolumns ",
            "table ","update ","1=1 "}; // when you discover a new technique just add it.

        // Checks every parameter destined for a dynamic SQL query and escapes ' in place.
        public static void Secure(string[] userInputs)
        {
            for (int i = 0; i < userInputs.Length; i++)
            {
                for (int j = 0; j < blackList.Length; j++)
                {
                    if (userInputs[i].IndexOf(blackList[j], StringComparison.OrdinalIgnoreCase) >= 0)
                    {
                        //
                        // Handle the discovery of suspicious SQL characters here
                        //
                        HttpContext.Current.Response.Redirect("~/Error.aspx"); // sql injection error page on your site
                    }
                }
                // safe '
                userInputs[i] = userInputs[i].Replace("'", "''");
            }
        }

        // Single-parameter overload: same check, returns the input with ' doubled.
        public static string Secure(string userInput)
        {
            for (int i = 0; i < blackList.Length; i++)
            {
                if (userInput.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0)
                {
                    //
                    // Handle the discovery of suspicious SQL characters here
                    //
                    HttpContext.Current.Response.Redirect("~/Error.aspx"); // sql injection error page on your site
                }
            }
            // safe '
            return userInput.Replace("'", "''");
        }
    }
}
//////////////////////////////////////////////////////////////////////////////////////////////////
Thanks to sschack for this valuable post; this is just a small comment and modification, and all credit goes to sschack.
I wish we could write a comprehensive Security Access Layer on CodePlex that covers most of the security issues in ASP.NET and is also easy to integrate and use in any ASP.NET website or any web layer.
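As an added example (not part of the original post or sschack's code), the same blacklist check rewritten to return the matching token instead of redirecting, so it can be unit tested and the hit logged before the caller decides what to do, run against the cases the post discusses; the class and method names are my own.

```csharp
using System;

public static class SqlInjectionScanner
{
    // Same tokens as the post; the trailing space is what keeps <deletedDate>
    // from matching "delete ".
    private static readonly string[] BlackList = {
        "--", "@@", "char ", "nchar ", "varchar ", "nvarchar ",
        "alter ", "begin ", "cast ", "create ", "cursor ", "declare ",
        "delete ", "drop ", "end ", "exec ", "execute ", "fetch ",
        "insert ", "kill ", "open ", "select ", "sys ", "sysobjects ",
        "syscolumns ", "table ", "update ", "1=1 " };

    // Returns the first blacklisted token found (so the caller can log it
    // before redirecting), or null when nothing matched.
    public static string FindSuspiciousToken(string userInput)
    {
        foreach (string token in BlackList)
        {
            if (userInput.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
                return token;
        }
        return null;
    }

    // The post's quote doubling, kept separate from the verdict.
    public static string EscapeQuotes(string userInput)
    {
        return userInput.Replace("'", "''");
    }

    public static void Main()
    {
        // Constructed inputs, taken from the cases the post discusses.
        string[] samples = {
            "<root><deletedDate>2010-06-07</deletedDate></root>", // passes
            "and we go to the office to delete some papers",      // false positive
            "O'Brien"                                             // only escaped
        };
        foreach (string s in samples)
        {
            string hit = FindSuspiciousToken(s);
            Console.WriteLine("{0,-8} token={1,-10} escaped={2}",
                hit == null ? "clean" : "FLAGGED", hit ?? "-", EscapeQuotes(s));
        }
    }
}
```

The XML sample passes only because of the trailing space in "delete ", and the note sample is flagged although it is harmless, which is the limitation the post describes.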