Anti-SqlInjection tips
Results 1 to 6 of 6

Thread: Anti-SqlInjection tips

  1. #1
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29

    Question Anti-SqlInjection tips

    hello,


    I have a web project and need take very big security things in the website, can says me any tips for anti sqlinjection or cross site injection?


    my project use ASP.NET 2.0 this maybe use a DMZ but I want to speak with my boss for to use a private hosting for this.


    I am a little afraid for the project security.


    cheers,

    AarzaK
    I Was Sent...
    aarzak_@hotmail.com
    http://aarzak.fadlan.com
    http://www.iitac.org

    Alyssa: Aarzak! Save the world!
    Aarzak: I am the only one who can save this world!
    The Last Battle - Sega(c) Games 1989

  2. #2
    The Prancing Pirate
    Join Date
    Jul 2004
    Posts
    548
    Google does the trick - there are a few pages mentioned there which should help you

    OWASP should also be quite useful.

    Cheers,

    -jk
    TAZForum <---- click

  3. #3
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29
    thank you.
    I Was Sent...
    aarzak_@hotmail.com
    http://aarzak.fadlan.com
    http://www.iitac.org

    Alyssa: Aarzak! Save the world!
    Aarzak: I am the only one who can save this world!
    The Last Battle - Sega(c) Games 1989

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    Parameterized Stored Procedures

    You can greatly reduce the threat of SQL Injection in the case of the logon screen and in the case of missed threats during your input scrubbing by not creating the SQL statement in ASP and passing the user inputs as parameters to a stored procedure.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Using parameterised queries is definitely the right way to do this.

    Using MSSQL and ADO.NET you can quite easily run queries with parameters supplied outside the SQL query - by using placeholders instead.

    These placeholders are not substituted with their contents until after the SQL is interpreted, making it safe from SQL injection.

    You do NOT, contrary to popular belief, actually need to use stored procedures to use parameterised queries. Nor does using SPs without named parameters protect you from SQL injection.

    So the stored procedures have no security benefit against SQL injection (although of course, depending on the application design, the might have other security benefits).

    ---

    The only problem with using parameterised queries is that there are occasionally cases where it's not possible to use them:

    - When you want a variable number of parameters (e.g. with an IN clause)
    - When building a query with a dynamically created JOIN, for instance, joining N copies of the same table.

    But in almost every other case, they work fine.

    Mark

  6. #6
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29
    this is very big problem, hope can solve this problem.

    thanks again.


    AarzaK
    I Was Sent...
    aarzak_@hotmail.com
    http://aarzak.fadlan.com
    http://www.iitac.org

    Alyssa: Aarzak! Save the world!
    Aarzak: I am the only one who can save this world!
    The Last Battle - Sega(c) Games 1989

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •