-
July 24th, 2006, 06:59 PM
#1
Anti-SqlInjection tips
hello,
I have a web project and need to take security very seriously on the website. Can anyone give me tips for preventing SQL injection or cross-site injection?
My project uses ASP.NET 2.0. It may use a DMZ, but I want to speak with my boss about using private hosting for this.
I am a little afraid about the project's security.
cheers,
AarzaK
-
July 24th, 2006, 07:57 PM
#2
Google does the trick - there are a few pages mentioned there which should help you
OWASP should also be quite useful.
Cheers,
-jk
-
July 24th, 2006, 08:02 PM
#3
-
July 24th, 2006, 09:51 PM
#4
Parameterized Stored Procedures
You can greatly reduce the threat of SQL Injection in the case of the logon screen and in the case of missed threats during your input scrubbing by not creating the SQL statement in ASP and passing the user inputs as parameters to a stored procedure.
There are two rules for success in life:
Rule 1: Don't tell people everything you know.
-
July 27th, 2006, 11:23 AM
#5
Using parameterised queries is definitely the right way to do this.
Using MSSQL and ADO.NET you can quite easily run queries with parameters supplied outside the SQL query - by using placeholders instead.
These placeholders are not substituted with their contents until after the SQL is interpreted, making it safe from SQL injection.
You do NOT, contrary to popular belief, actually need to use stored procedures to use parameterised queries. Nor does using SPs without named parameters protect you from SQL injection.
So the stored procedures have no security benefit against SQL injection (although of course, depending on the application design, they might have other security benefits).
---
The only problem with using parameterised queries is that there are occasionally cases where it's not possible to use them:
- When you want a variable number of parameters (e.g. with an IN clause)
- When building a query with a dynamically created JOIN, for instance, joining N copies of the same table.
But in almost every other case, they work fine.
Mark
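An added example, not code from the thread, showing what Mark describes in ADO.NET 2.0 against SQL Server: a parameterised logon check that needs no stored procedure, plus the variable-length IN clause handled by generating one named placeholder per value. The Users table, its columns and the "AppDb" connection string are assumptions.

```csharp
// Added example (not from the thread). Assumes a Users table with columns
// UserId, UserName, PasswordHash and a connection string named "AppDb" in
// web.config; both are assumptions. Targets .NET 2.0 System.Data.SqlClient.
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class UserQueries
{
    static string ConnStr =
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // Logon check: @user and @hash are sent to SQL Server as typed parameters,
    // separate from the SQL text, so their contents are never parsed as SQL.
    public static int CountMatchingUsers(string userName, string passwordHash)
    {
        const string sql = "SELECT COUNT(*) FROM Users "
                         + "WHERE UserName = @user AND PasswordHash = @hash";
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 128).Value = passwordHash;
            cn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Variable-length IN clause: build the SQL from generated placeholder
    // names (@id0, @id1, ...) only; the values themselves stay parameterised.
    public static DataTable GetUsersByIds(IList<int> ids)
    {
        DataTable table = new DataTable();
        if (ids.Count == 0) return table;          // "IN ()" is invalid SQL
        string[] names = new string[ids.Count];
        for (int i = 0; i < ids.Count; i++) names[i] = "@id" + i;
        string sql = "SELECT UserId, UserName FROM Users WHERE UserId IN ("
                   + string.Join(", ", names) + ")";
        using (SqlConnection cn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, cn))
        {
            for (int i = 0; i < ids.Count; i++)
                cmd.Parameters.Add(names[i], SqlDbType.Int).Value = ids[i];
            new SqlDataAdapter(cmd).Fill(table);
            return table;
        }
    }
}
```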
-
July 31st, 2006, 03:49 AM
#6
This is a very big problem; I hope I can solve it.
Thanks again.
AarzaK