Prevent SQL Injection[Answered] RSS

• • Reply
  maverick786u...

  Member

  68 Points

  228 Posts

  Prevent SQL Injection

  Jan 28, 2021 08:15 AM|maverick786us|LINK

  I have this simple query executed in custom control.

  SELECT StateID, StateName FROM State WHERE IsEnabled = 'TRUE' ORDER BY StateName

  How can I prevent SQL Injection form this code?

• • Reply
  Mikesdotnett...

  All-Star

  194885 Points

  28105 Posts

  Moderator

  Re: Prevent SQL Injection

  Jan 28, 2021 08:29 AM|Mikesdotnetting|LINK

  That code is not susceptible to SQL injection. SQL injection is only possible if you incorporate untrusted input as part of the SQL statement e.g.:

  SELECT StateID, StateName FROM State WHERE IsEnabled = " + Request.Query["some_value"] + "' ORDER BY StateName

  Usually, this input comes from form fields and URLs. You use parameterized queries to prevent SQL injection: https://www.mikesdotnetting.com/article/113/preventing-sql-injection-in-asp-net

  ASP.NET Tutorials | Learn Entity Framework Core | Learn Razor Pages | Learn Dapper
• • Reply
  maverick786u...

  Member

  68 Points

  228 Posts

  Re: Prevent SQL Injection

  Jan 28, 2021 12:00 PM|maverick786us|LINK

  Thank you Mike

• • Reply
  wefocusoncar...

  Member

  10 Points

  5 Posts

  Re: Prevent SQL Injection

  Feb 04, 2021 11:23 AM|wefocusoncare|LINK

  Always follow below rules to prevent sql injection

  • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
  • Don't build SQL strings out of unchecked user input.
  • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
  • Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
  • Use stored procedures to encapsulate database operations.