SQL Injection in .NET

别说谁变了你拦得住时间么 submitted on 2019-12-02 06:26:59

I think that, if you google a bit on 'preventing sql injection in .NET', you'll find lots of good resources. :)

Anyway, one very important thing, is to not use string-concatenation in order to build your queries. Instead, use parametrized queries. ADO.NET allows to do this, in a very easy way:

using System.Data;            // SqlDbType
using System.Data.SqlClient;  // SqlCommand

string sql = "SELECT * FROM Persons WHERE Persons.Lastname LIKE @p_Name";
SqlCommand cmd = new SqlCommand(sql);  // attach a SqlConnection before executing
// The value is sent as a typed parameter; it is never spliced into the SQL text.
cmd.Parameters.Add("@p_Name", SqlDbType.VarChar).Value = textBox1.Text + "%";

If you use the SqlCommand.Parameters collection to pass parameters and never inject user text into your SQL query text, there's no risk.

Marc Gravell
  • golden rule: never concatenate user input
  • if you write your own command strings in .NET, use the Parameters collection
  • if you use LINQ, it will usually do it for you
  • if you write commands in TSQL, use sp_executesql or your vendor's equivalent
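The two forms these answers contrast, as an added example in C# (not code from any of the answers above, and not from any library): the string-concatenation query that breaks as soon as the input contains an apostrophe, beside the parameterized query built through the Parameters collection. The Persons table, the Lastname column, the connection string and the helper names are assumptions for the illustration; the LIKE-wildcard escaping is an addition the answers do not mention, since appending "%" to user text also lets a user-supplied "%" or "_" widen the search.

```csharp
// Added example: concatenated SQL (the pattern to avoid) beside a parameterized
// SqlCommand. Assumes SQL Server, a Persons(Lastname) table and a caller-supplied
// connection string; none of these come from the original answers.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class PersonQueries
{
    // AVOID: the user's text becomes part of the statement itself. Any apostrophe
    // in the input (a perfectly ordinary surname will do) changes the SQL the
    // server parses, which is exactly the door injection walks through.
    public static string BuildUnsafeSql(string lastName)
    {
        return "SELECT * FROM Persons WHERE Persons.Lastname LIKE '" + lastName + "%'";
    }

    // Escape LIKE metacharacters so the user cannot turn a prefix search into a
    // match-everything pattern. This is a correctness concern, not injection:
    // the value is still sent as a parameter either way.
    public static string EscapeLikePattern(string value)
    {
        return value.Replace("\\", "\\\\").Replace("%", "\\%").Replace("_", "\\_");
    }

    // SAFE: the statement is fixed text; the value travels as a typed parameter
    // and the server never interprets it as SQL, whatever characters it holds.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string lastName)
    {
        const string sql =
            "SELECT * FROM Persons WHERE Persons.Lastname LIKE @p_Name ESCAPE '\\'";
        var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@p_Name", SqlDbType.VarChar, 100).Value =
            EscapeLikePattern(lastName) + "%";
        return cmd;
    }

    // Runs the safe query and returns the matching surnames.
    public static List<string> FindByLastNamePrefix(string connectionString, string lastName)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = BuildSafeCommand(conn, lastName))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                int col = reader.GetOrdinal("Lastname");
                while (reader.Read())
                    results.Add(reader.GetString(col));
            }
        }
        return results;
    }

    public static void Main()
    {
        // Constructed input: an ordinary surname containing an apostrophe.
        string input = "O'Brien";

        // The concatenated statement is now different SQL from what was intended.
        Console.WriteLine(BuildUnsafeSql(input));

        // The parameterized command's text is identical for every input; only the
        // parameter value changes. Building the command does not open a connection.
        using (var conn = new SqlConnection("Server=(local);Database=Demo;Integrated Security=true"))
        using (var cmd = BuildSafeCommand(conn, input))
        {
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine(cmd.Parameters["@p_Name"].Value);
        }
    }
}
```

The namespace used here is System.Data.SqlClient, which the .NET Framework era of these answers assumes; on current .NET the same types live in the Microsoft.Data.SqlClient package with the same API. The ESCAPE clause is only needed because the query is a LIKE prefix search; for an equality comparison the parameter alone is enough.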

The first thing to know is to parameterize your queries or use stored procs.

Never use ad-hoc sql in code where you just append the value

give only read and write permissions (or only read for those pages that should not write)

The MSDN Magazine article "Stop SQL Injection Attacks Before They Stop You" seems to be fairly complete.

While containing less detailed information about your specific question, "SDL Embraces The Web" is a good source of other things you should be thinking about in addition to preventing SQL injection attacks.

The usual disclaimers apply, I don't necessarily agree with all of the information presented in those articles, but the information presented will hopefully get you thinking about ways SQL injection (and other) attacks can be mitigated on a public website.
