What exactly is going on in the background that makes it so SQLParameter prevents SQL Injection attacks in a .NET Parameterized query? Is it just stripping out any suspect c
When using parameterized queries, the attack surface is reduced to monkeying around with the parameters.

Do use SqlParameters, but don't forget about overflow, underflow and unvalidated parameters. For example, if the method is "proc buy_book (@price money)", a malicious attacker would attempt to trick the application into running with @price set to 0.01, or attempt to get the application to do something interesting by submitting something that causes an overflow. SQL overflows tend not to be interesting (i.e. they just cause exceptions; you are unlikely to be able to write to adjacent memory).
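As an added illustration of the point above (example code, not from the answer or from any real project): the string-concatenated call lets request text become part of the SQL statement, while the SqlParameter version sends @price as a typed money value that is never parsed as SQL. The parameter alone does nothing about an attacker-chosen 0.01, so the price is looked up from the catalogue and range-checked before the procedure runs. The buy_book procedure is the one from the answer; the books table, its price and book_id columns, and the method names are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class BookPurchase
{
    // Upper bound of SQL Server's money type; larger values overflow server-side (an exception, not memory corruption).
    private const decimal MoneyMax = 922337203685477.5807m;

    // Vulnerable pattern, shown for contrast only: the client-supplied text is spliced into
    // the statement, so whatever it contains is interpreted as SQL, not as a value.
    public static string UnsafeBuyBookSql(string priceFromClient)
        => "EXEC buy_book @price = " + priceFromClient;

    // Safe pattern: @price travels as a typed parameter, and its value comes from the
    // catalogue (assumed 'books' table), not from the request.
    public static SqlCommand BuildBuyBookCommand(SqlConnection conn, int bookId)
    {
        decimal price = LookupCatalogPrice(conn, bookId);

        // Parameterization does not validate the value: reject nonsense before the proc sees it.
        if (price <= 0m || price > MoneyMax)
            throw new ArgumentOutOfRangeException(nameof(price), "Price out of range for money.");

        var cmd = new SqlCommand("buy_book", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@price", SqlDbType.Money).Value = price;
        return cmd;
    }

    // Parameterized lookup (assumed schema): only the integer id comes from the caller.
    private static decimal LookupCatalogPrice(SqlConnection conn, int bookId)
    {
        using var cmd = new SqlCommand("SELECT price FROM books WHERE book_id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = bookId;
        object result = cmd.ExecuteScalar();
        if (result is null || result is DBNull)
            throw new InvalidOperationException("Unknown book id.");
        return (decimal)result;
    }
}
```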