Sign In
Create Account
Follow Us on Twitter
Subscribe on Youtube
3
We use a PDO or a MySQLi in PHP. What can I use in ASP.NET to protect web page?...
2 replies to this topic
Back to top|
|
|
#2
Posted 30 March 2011 - 10:29 PM
Alexander
-
- Moderators
-
- 4,118 posts
It's Science!
- Location:Vancouver, Eh! Cleverness: 200
It would essentially be the same for any language, you would need to confine that data in the query and prevent it from doing what it is not supposed to do.
MSDN has an article about using dynamic SQL and stored procedures (equivalent to PDO or MySQLi's prepared procedures and statements)
http://msdn.microsof...ght000002_step2
http://msdn.microsof...ght000002_step3
An example of this functionality:
MSDN has an article about using dynamic SQL and stored procedures (equivalent to PDO or MySQLi's prepared procedures and statements)
http://msdn.microsof...ght000002_step2
http://msdn.microsof...ght000002_step3
An example of this functionality:
using System.Data;
using System.Data.SqlClient;
using (SqlConnection connection = new SqlConnection(connectionString))
{
DataSet userDataset = new DataSet();
SqlDataAdapter myDataAdapter = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
connection);
myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
myDataAdapter.Fill(userDataset);
}Notice how the user input value SSN.Text is safely handled to its placeholder @au_id.
Be sure to read the updated FAQ! || Health is achieved through the same 10,000 steps.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
If a suggested code/method fails, informing us is less important than telling us why or what errors occurred.
#3
Posted 03 April 2011 - 10:48 AM
Mark Wylde
-
- Members
-
- 46 posts
Learning Programmer
I'm not sure what database system your using but it's a lot safer/ideal if you can use stored procedures in your script. I've used them in MSSQL and Oracle and it leaves less risk for SQL injection as you are not putting user inputted fields into a query string, like:
But instead something like
You should see if you can use that.
If not, and you have to use inline queries then I would make sure you format your SQL lines very carefully. Create a function (I call mine dbEscape) and run it like:
The function should look something like:
Now the user can't escape the field parameter by using a colon. You'll still have to be very careful that you use the correct ' or " in your query and don't get them muddled up. Also I'm sure there are other characters you will want to escape if you do a little research into it.
strSQL = "fieldname = '" & iVariable * "'
But instead something like
dbCommand.Parameters.Add("@ID", SqlDbType.Int, 4)
You should see if you can use that.
If not, and you have to use inline queries then I would make sure you format your SQL lines very carefully. Create a function (I call mine dbEscape) and run it like:
strSQL = "SELECT testField FROM testTable WHERE testID = '" & dbEscape("Mark's Field") & "'"
The function should look something like:
Public Function dbEscape (strText)
strText = replace(strText, "'","''")
dbEscape = strText
End Function
Now the user can't escape the field parameter by using a colon. You'll still have to be very careful that you use the correct ' or " in your query and don't get them muddled up. Also I'm sure there are other characters you will want to escape if you do a little research into it.
1 user(s) are reading this topic
0 members, 1 guests, 0 anonymous users
