Phil Sando

Home | Contact | Syndication

| Login

13 Posts | 0 Stories | 3 Comments | 0 Trackbacks

News

Twitter

philsando Programatically loading user controls http://goo.gl/fb/Qn92w about 731 days ago

philsando Why am I dealing with returning sqldatareader bugs in the enterprise framework 5 DAAB? Cant MS fix this shit b4 release http://bit.ly/cxSVWo about 738 days ago

philsando Fighting with config of enterprise library 5.0 DAAB. Anyone like to help? http://bit.ly/ci7mhx about 740 days ago

philsando Working on some DAL stuff across many MSSQL and Oracle DB Servers ... Joy :0) about 780 days ago

philsando got hit off my motorbike by a car and just had to take a 12km walk to work.. the joy about 800 days ago

philsando @_Jemima nice what movie are u in ? about 804 days ago

philsando Having problems getting values from dynamically created web controls, assist here: http://bit.ly/cWgqnJ Thanks! #dotnet #stackoverflow about 830 days ago

philsando is trying to find a way to loop through dynamically created web controls, inputting their values into an mssql database #dotnet #in about 830 days ago

philsando is trying to find a way to loop through dynamically created web controls, inputting their values into an mssql database #dotnet about 830 days ago

philsando Coding my brains out, is it wednesday already? http://bit.ly/9sRvup #asp.net about 837 days ago

Image Galleries

Pics

Stopping SQL Injection Attacks

make sure all queries are parameterised like this:

sql = ("select * from contacts where contactid = @id")
Dim cmd As SqlCommand = New SqlCommand(sql, conn)
cmd.Parameters.Add("@id", SqlDbType.VarChar)
cmd.Parameters("@id").Value = id

I also include a usercontrol which checks the querystring for bad terms:

The list is long but this snippet should give you the gist of it:

Dim querystringvar As String = Request.QueryString.ToString
If InStr(querystringvar, "drop") Then
Response.Redirect("/errors/504.aspx)
ElseIf InStr(querystringvar, "select") Then
Response.Redirect("/errors/504.aspx)

Share This Post:
Short Url: http://wblo.gs/Zor

posted on Friday, January 29, 2010 12:39 PM

Feedback

# re: Stopping SQL Injection Attacks (my best efforts, comments pls) 1/29/2010 6:05 PM Sanjay Uttam

I think you're fine just doing the built in parametrization or using stored procs [without dynamic sql]. BTW, I hope you aren't taking the error querystring parameter and displaying it on the 504.aspx page....(of HTML encoding it, if you are)