Geeks With Blogs
Phil Sando

make sure all queries are parameterised like this:

sql = ("select * from contacts where contactid = @id")
Dim cmd As SqlCommand = New SqlCommand(sql, conn)
cmd.Parameters.Add("@id", SqlDbType.VarChar)
cmd.Parameters("@id").Value = id

I also include a usercontrol which checks the querystring for bad terms:

The list is long but this snippet should give you the gist of it:

Dim querystringvar As String = Request.QueryString.ToString
If InStr(querystringvar, "drop") Then
ElseIf InStr(querystringvar, "select") Then


Posted on Friday, January 29, 2010 12:39 PM | Back to top

Comments on this post: Stopping SQL Injection Attacks

# re: Stopping SQL Injection Attacks (my best efforts, comments pls)
Requesting Gravatar...
I think you're fine just doing the built in parametrization or using stored procs [without dynamic sql]. BTW, I hope you aren't taking the error querystring parameter and displaying it on the 504.aspx page....(of HTML encoding it, if you are)
Left by Sanjay Uttam on Jan 29, 2010 6:05 PM

Your comment:
 (will show your gravatar)

Copyright © PhilSando | Powered by: