
Thread: Anti-SqlInjection tips

  1. #1
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29

    Question Anti-SqlInjection tips

    Hello,


    I have a web project and need to take security very seriously on the website. Can anyone give me any tips against SQL injection or cross-site injection?


    My project uses ASP.NET 2.0. It may use a DMZ, but I want to speak with my boss about using private hosting for this.


    I am a little afraid for the project's security.


    cheers,

    AarzaK
    I Was Sent...
    aarzak_@hotmail.com
    http://aarzak.fadlan.com
    http://www.iitac.org

    Alyssa: Aarzak! Save the world!
    Aarzak: I am the only one who can save this world!
    The Last Battle - Sega(c) Games 1989

  2. #2
    Senior Member
    Join Date
    Jul 2004
    Posts
    548
    Google does the trick - there are a few pages mentioned there which should help you

    OWASP should also be quite useful.

    Cheers,

    -jk

  3. #3
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29
    Thank you.

  4. #4
    Senior Member Opus00's Avatar
    Join Date
    May 2005
    Posts
    143
    Parameterized Stored Procedures

    You can greatly reduce the threat of SQL Injection in the case of the logon screen and in the case of missed threats during your input scrubbing by not creating the SQL statement in ASP and passing the user inputs as parameters to a stored procedure.
    There are two rules for success in life:
    Rule 1: Don't tell people everything you know.

  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    Using parameterised queries is definitely the right way to do this.

    Using MSSQL and ADO.NET you can quite easily run queries with parameters supplied outside the SQL query - by using placeholders instead.

    These placeholders are not substituted with their contents until after the SQL is interpreted, making it safe from SQL injection.

    You do NOT, contrary to popular belief, actually need to use stored procedures to use parameterised queries. Nor does using SPs without named parameters protect you from SQL injection.

    So the stored procedures have no security benefit against SQL injection (although of course, depending on the application design, they might have other security benefits).

    ---

    The only problem with using parameterised queries is that there are occasionally cases where it's not possible to use them:

    - When you want a variable number of parameters (e.g. with an IN clause)
    - When building a query with a dynamically created JOIN, for instance, joining N copies of the same table.

    But in almost every other case, they work fine.

    Mark
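
An added example for the parameterised-query approach described in posts #4 and #5 (not code from any poster): ADO.NET commands in which user input is bound through placeholders instead of being concatenated into the SQL text. It goes one step beyond the posts by handling a variable-length IN list, generating only the placeholder names while the values stay bound; the table and column names (Users, UserName, Id) are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

static class ParameterizedQueries
{
    // Hypothetical schema: Users(Id INT, UserName NVARCHAR(64)).

    // Fixed number of inputs: the SQL text is a constant and the
    // user-supplied value travels separately as a typed parameter.
    public static SqlCommand FindUser(string userName)
    {
        SqlCommand cmd = new SqlCommand(
            "SELECT Id, UserName FROM Users WHERE UserName = @userName");
        cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    // Variable number of inputs (IN clause): only the placeholder names
    // (@id0, @id1, ...) are generated; no input value enters the SQL text.
    public static SqlCommand FindUsersById(IList<int> ids)
    {
        if (ids == null || ids.Count == 0)
            throw new ArgumentException("ids must not be empty");
        SqlCommand cmd = new SqlCommand();
        string[] names = new string[ids.Count];
        for (int i = 0; i < ids.Count; i++)
        {
            names[i] = "@id" + i;
            cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
        }
        cmd.CommandText = "SELECT Id, UserName FROM Users WHERE Id IN ("
            + string.Join(", ", names) + ")";
        return cmd;
    }

    static void Main()
    {
        // Constructed sample input containing a quote character.
        SqlCommand byName = FindUser("O'Brien");
        Console.WriteLine(byName.CommandText);          // SQL text is unchanged by the input
        Console.WriteLine(byName.Parameters[0].Value);  // the value is carried as data
        SqlCommand byIds = FindUsersById(new int[] { 3, 7, 42 });
        Console.WriteLine(byIds.CommandText);
    }
}
```

Building the commands needs no database; to execute one, assign an open SqlConnection to its Connection property first.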

  6. #6
    Junior Member AarzaK's Avatar
    Join Date
    Jul 2006
    Location
    Venezuela
    Posts
    29
    This is a very big problem; I hope I can solve this problem.

    Thanks again.


    AarzaK
