Jump to content

Check out our Community Blogs

Register and join over 40,000 other developers!

Recent Status Updates

View All Updates

- - - - -

Web scurity


  • Please log in to reply
2 replies to this topic

#1 VakhoQ


    CC Addict

  • Advanced Member
  • PipPipPipPipPip
  • 126 posts

Posted 30 March 2011 - 07:46 AM

We use a PDO or a MySQLi in PHP. What can I use in ASP.NET to protect web page?...
  • 0
GNU/Linux Is the Best.

#2 Alexander



  • Moderator
  • 3963 posts
  • Location:Vancouver, Eh! Cleverness: 200
  • Programming Language:C, C++, PHP, Assembly

Posted 30 March 2011 - 10:29 PM

It would essentially be the same for any language, you would need to confine that data in the query and prevent it from doing what it is not supposed to do.

MSDN has an article about using dynamic SQL and stored procedures (equivalent to PDO or MySQLi's prepared procedures and statements)

An example of this functionality:
using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
  DataSet userDataset = new DataSet();
  SqlDataAdapter myDataAdapter = new SqlDataAdapter(
         "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", 
  myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
  myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
Notice how the user input value SSN.Text is safely handled to its placeholder @au_id.
  • 0

All new problems require investigation, and so if errors are problems, try to learn as much as you can and report back.

#3 Mark Wylde

Mark Wylde

    CC Regular

  • Member
  • PipPipPip
  • 47 posts

Posted 03 April 2011 - 10:48 AM

I'm not sure what database system your using but it's a lot safer/ideal if you can use stored procedures in your script. I've used them in MSSQL and Oracle and it leaves less risk for SQL injection as you are not putting user inputted fields into a query string, like:
strSQL = "fieldname = '" & iVariable * "'

But instead something like
dbCommand.Parameters.Add("@ID", SqlDbType.Int, 4)

You should see if you can use that.

If not, and you have to use inline queries then I would make sure you format your SQL lines very carefully. Create a function (I call mine dbEscape) and run it like:
strSQL = "SELECT testField FROM testTable WHERE testID = '" & dbEscape("Mark's Field") & "'"

The function should look something like:
Public Function dbEscape (strText)
     strText = replace(strText, "'","''")
     dbEscape = strText
End Function

Now the user can't escape the field parameter by using a colon. You'll still have to be very careful that you use the correct ' or " in your query and don't get them muddled up. Also I'm sure there are other characters you will want to escape if you do a little research into it.
  • 0

Also tagged with one or more of these keywords: mysqli

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download