SQL Injection attack prevention: where do I start

Question

I'm looking to make my site secure against SQL injection attacks. Does anyone have any good links to make the site secure against these types of attacks in an ASP.NET site (c#, web forms)?

EDIT:

I should point out at I am using the Entity Framework

Answer 1

The first and best line of defense is to not use dynamic SQL.

Always use parameterized queries.

Take a look at the OWASP page about SQL Injection.

Answer 2

See these resources:

• How To: Protect From SQL Injection in ASP.NET (MSDN)

• Data Security: Stop SQL Injection Attacks Before They Stop You

• SQL Injection Attacks and Some Tips on How to Prevent Them

• Preventing SQL Injection in ASP.NET

Basically, as Oded already pointed out, it boils down to stop concatenating together your SQL statements - especially if that involves data entered by user's into textboxes - and use parametrized queries in ADO.NET.

Answer 3

Have a look here:

Bobby Tables: A guide to preventing SQL injection

Answer 4

This is a great series that covers the top 10 security threats to web applications and how to mitigate them using ASP.net: http://www.troyhunt.com/2010/05/owasp-top-10-for-net-developers-part-1.html

Answer 5

It's easy. Most injection vulns come from code that looks like this:

var myQuery="SELECT something FROM somewhere WHERE somefield="+userSuppliedData;
//execute myQuery against db
//now suppose userSuppliedData=="'';DROP TABLE somewhere;"

If you're hand rolling sql statements like this, you're at risk. Consider using an ORM or parameterized queries.

Answer 6

Use stored procedures with parameters and avoid inline SQL whenever possible...

Answer 7

get data through parameters like:

string str = "insert into CustomerHistoryDD(logo,ceoPicture,ceoProfilePicture,coverPhoto,employee1,employee2,employee3,employee4) values(@param1,@param2,@param3,@param4,@param5,@param6,@param7,@param8)";
        SqlCommand cmd = new SqlCommand(str, con);
        con.Open();
        cmd.Parameters.AddWithValue("@param1", link);
        cmd.Parameters.AddWithValue("@param2", link1);
        cmd.Parameters.AddWithValue("@param3", link2);
        cmd.Parameters.AddWithValue("@param4", link3);
        cmd.Parameters.AddWithValue("@param5", tb_Emp1.Text);
        cmd.Parameters.AddWithValue("@param6", tb_Emp2.Text);
        cmd.Parameters.AddWithValue("@param7", tb_Emp3.Text);
        cmd.Parameters.AddWithValue("@param8", tb_Emp4.Text);
        cmd.ExecuteNonQuery();
        con.Close();
        lbl_msg.Text = "Data Saved Successfully";