
Well, I was reading about SQL injection, but I didn't realize that it can happen in Visual Basic .NET (I'm using 2008) because I had only read about it in PHP. My question is: how can I avoid it? A friend did it a few minutes ago, and that's a problem for the security of my desktop application.

-Thanks-

Zhihao
DFabeiro

2 Answers


This applies to all languages alike:

  1. When you can, use prepared statements to access the database. Avoid building database queries by concatenating user input into a query.
  2. Validate any data that you intend to use in a database statement assiduously. If a field should be an integer, check that it is an integer before you even use it in the database.
  3. If some form of ORM exists, it will likely do #1 and #2 (at least to some degree on #2) for you. LINQ should take care of this for you. If you choose to use LINQ, use SqlParameter to build queries.
  4. Use stored procedures if possible.
  5. Beware of user input, even after it's been stored.
hsanders
  • Thanks, but I mean, isn't there a function or something like that? Like in PHP, where you create your code to avoid these? – DFabeiro Jul 27 '12 at 14:15
  • In PHP you shouldn't be using something like mysql_real_escape() you should be using MySQLi with parameterized queries. Similarly in VB .NET you should use LINQ with SqlParameter ( http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlparameter.aspx#Y213 ) to build your queries. – hsanders Jul 27 '12 at 14:18
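The two points the answer makes (parameterize instead of concatenating, and validate the type first), as an added VB.NET example that is not part of the answer. `Users`, its columns, and the connection string are assumptions for illustration; nothing here needs a live database to compile.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient

Module UserLookup

    ' Fragile: the user-supplied value becomes part of the SQL text, so any
    ' quote in it changes the statement the database receives.
    Public Function BuildConcatenatedQuery(userName As String) As String
        Return "SELECT Id, Name FROM Users WHERE Name = '" & userName & "'"
    End Function

    ' Safe: the SQL text is fixed and the value travels separately as a typed
    ' SqlParameter, so the database never parses the input as SQL.
    Public Function CreateParameterizedCommand(conn As SqlConnection, userName As String) As SqlCommand
        Dim cmd As New SqlCommand("SELECT Id, Name FROM Users WHERE Name = @name", conn)
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = userName
        Return cmd
    End Function

    ' Point #2 of the answer: confirm the field really is an integer before it
    ' goes anywhere near a statement. Returns Nothing for anything else.
    Public Function ParseUserId(rawInput As String) As Integer?
        Dim id As Integer
        If Integer.TryParse(rawInput, id) AndAlso id > 0 Then
            Return id
        End If
        Return Nothing
    End Function

    Sub Main()
        ' Constructed sample input: an ordinary name containing an apostrophe.
        Dim name As String = "O'Brien"
        ' The concatenated version yields a broken statement; the apostrophe
        ' closes the string literal early.
        Console.WriteLine(BuildConcatenatedQuery(name))
        ' Placeholder connection string (assumption); the connection is never opened here.
        Using conn As New SqlConnection("Server=(local);Database=App;Integrated Security=true")
            Dim cmd As SqlCommand = CreateParameterizedCommand(conn, name)
            Console.WriteLine(cmd.CommandText)            ' text is unchanged
            Console.WriteLine(cmd.Parameters("@name").Value) ' value carried separately
        End Using
        Console.WriteLine(ParseUserId("42").HasValue)                 ' True
        Console.WriteLine(ParseUserId("42 OR something").HasValue)    ' False
    End Sub

End Module
```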

SQL injection attacks are not language-specific. If you are accepting user input and inserting it directly into your SQL queries without sanitizing it, then your application is vulnerable to SQL injections.

Have a look at this answer for more details on how you can avoid SQL injection attacks.

The general idea you should take away from this is to never trust user input.

Community
Zhihao