-1

I am using Server.HttpEncode(), and HttpDecode() in order to sanitize user form input, as well as having the server throw an exception when a "potentially dangerous" input is detected.

(Data is then saved to an MSSQL database)

Is this considered enough to stop SQL / Javascript injection and similar?

Bridge
Digital Lightcraft
  • You don't mention how you build up your SQL strings from the user input - but please make sure you're not using string concatenation and instead use parameterised queries. If you want an overview of the whole subject of SQL Injection - please read this excellent article: http://www.sommarskog.se/dynamic_sql.html#SQL_injection – Bridge Jul 24 '12 at 09:03
  • Sorry - the data is being passed to a stored procedure. – Digital Lightcraft Jul 24 '12 at 09:29
  • And how are those stored procedures formulated? – podiluska Jul 24 '12 at 09:32

2 Answers

1

No, it doesn't prevent it at all. It is used more so to prevent XSS attacks, as explained by Microsoft here. Read this Stack Overflow question for some ideas on preventing SQL injection.

Depending on the environment you are in, I would use a technology such as the Entity Framework or NHibernate which prevents SQL injection altogether, so you do not even have to worry about it.

Gaff
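Both Bridge's comment (use parameterised queries, never string concatenation) and this answer (HTML encoding targets XSS, not SQL) can be shown concretely. The following is an added example, not code from the question or either answerer, and it uses Python's sqlite3 module with a constructed in-memory `users` table as a stand-in for the asker's MSSQL database; `html.escape`/`html.unescape` stand in for `Server.HtmlEncode`/`HtmlDecode`. The function and payload names are the example's own.

```python
import html
import sqlite3

# Constructed sample data standing in for the question's MSSQL table.
SAMPLE_ROWS = [(1, "alice", "alice-secret"), (2, "bob", "bob-secret")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def encode(user_input: str) -> str:
    """Stand-in for Server.HtmlEncode: escapes &, <, > and both quote characters."""
    return html.escape(user_input, quote=True)


def encode_then_decode(user_input: str) -> str:
    """Stand-in for HtmlEncode followed by HtmlDecode, as the question describes.
    The round trip hands back the original text unchanged, so nothing is removed."""
    return html.unescape(encode(user_input))


def secrets_by_name_concat(conn: sqlite3.Connection, name: str) -> list[str]:
    """Vulnerable: the value is spliced into the SQL text (string context)."""
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def names_by_id_concat(conn: sqlite3.Connection, id_text: str) -> list[str]:
    """Vulnerable: numeric context, so an attacker needs no quote characters at all."""
    sql = "SELECT name FROM users WHERE id = " + id_text
    return [row[0] for row in conn.execute(sql)]


def secrets_by_name_param(conn: sqlite3.Connection, name: str) -> list[str]:
    """Safe: the value is bound as a parameter and is never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT secret FROM users WHERE name = ?", (name,))]


def names_by_id_param(conn: sqlite3.Connection, id_text: str) -> list[str]:
    """Safe: same query as the concatenated version, but with a bound parameter."""
    return [row[0] for row in conn.execute("SELECT name FROM users WHERE id = ?", (id_text,))]


def demo() -> dict[str, list[str]]:
    """Runs each input through each handling strategy and returns what leaked."""
    conn = make_db()
    quote_payload = "alice' OR '1'='1"  # constructed string-context input
    numeric_payload = "1 OR 1=1"  # constructed numeric-context input; contains nothing HtmlEncode touches
    return {
        # Encoding alone turns the quotes into &#x27;, so the literal simply fails to match.
        "encode_only_string": secrets_by_name_concat(conn, encode(quote_payload)),
        # Encode-then-decode restores the quotes: every secret in the table comes back.
        "roundtrip_string": secrets_by_name_concat(conn, encode_then_decode(quote_payload)),
        # In numeric context encoding changes nothing, and the WHERE clause becomes "id = 1 OR 1=1".
        "encode_only_numeric": names_by_id_concat(conn, encode(numeric_payload)),
        # With parameters the same inputs are just values that match no row.
        "param_string": secrets_by_name_param(conn, encode_then_decode(quote_payload)),
        "param_numeric": names_by_id_param(conn, numeric_payload),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

The two vulnerable paths show the two failure modes: the encode/decode round trip from the question is a no-op for SQL purposes, and even encode-only does nothing for inputs that need no quotes. The parameterised paths return nothing for either input because the database receives the value separately from the query text. The ADO.NET equivalent for the asker's stored-procedure call is a `SqlCommand` with `CommandType.StoredProcedure` and each user value added through `cmd.Parameters`, with no user text ever concatenated into the command string.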
-2

Possibly, but almost certainly not.

podiluska
  • Sorry for the down vote, but not a particularly useful answer! – Digital Lightcraft Jul 24 '12 at 09:28
  • @DarkcatStudios Based on the information you provided, that was the answer. You'd obviously prefer the answer to be "Yes, absolutely. Go ahead and put it out there", so why bother asking? – podiluska Jul 24 '12 at 09:30