
I have a problem with text boxes.

  1. When a user writes something in a text box, it will save it, but a SQL query or bad text or something is automatically injected into the database. I didn't know what was happening to it; it saves false data in the database.

  2. I think that SQL was automatically injected by the format of the text.

Can anyone provide me with a solution for this?

I can't restrict my text box against special characters; this is why I am facing so many problems.

jessehouwing
Syed Ali

2 Answers

If you can't filter the TextBox, you have to filter the data in the postback.

  • Use Server.HtmlEncode(your text here) to escape characters normally used for SQL injection:

string userInput = @"' or 1=1; -- ";

string encodedString = Server.HtmlEncode(userInput);

the result will be:

' or 1=1; -- <html>
  • Use Regex to replace invalid characters with a space or anything to indicate that the characters were replaced (use *):

// requires: using System.Text.RegularExpressions;
// character class matching ' " < > and =
Regex myRegex = new Regex("[\\\'\\\"\\<\\>=]", RegexOptions.Compiled | RegexOptions.IgnoreCase);
string userInput = @"' or 1=1; -- <html>";
// every match is replaced with the empty string
string encodedString = myRegex.Replace(userInput, "");

the result will be:

or 11; -- html

  • Use parameters in your SQL queries and validate the values before adding the

// requires: using System.Data; using System.Data.SqlClient;
using (SqlConnection cn = new SqlConnection("Your Connection string here"))
{
    using (SqlCommand cmd = new SqlCommand())
    {
        cmd.Connection = cn;
        cmd.CommandType = CommandType.Text;
        // the values are bound as parameters, so they are never parsed as SQL
        cmd.CommandText = "Select * From [User] Where (UserName = @UserName AND Password = @Password)";
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar).Value = Server.HtmlEncode(txtUserName.Text);
        cmd.Parameters.Add("@Password", SqlDbType.NVarChar).Value = Server.HtmlEncode(txtPassword.Text);
        cn.Open();
        IDataReader reader = cmd.ExecuteReader();
        if (reader.Read())
        {
            // Your code here
        }
    }
}
  • There are custom controls ready to use with options to control what the user can enter in a specified text box.
  • Last advice: in web programming you have to double check (1) client side using JavaScript and (2) server side using your own rules of doubts and concerns.
khaled
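An added illustration (not khaled's code) of why the parameters bullet is the one that actually stops the question's problem: the same input the answer uses, `' or 1=1; -- `, is run once through string concatenation and once through a parameterised query against a constructed in-memory SQLite table. Python's sqlite3 stands in for SqlCommand; the table name, sample row and the unparenthesised query are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed sample database standing in for the answer's [User] table.

    The plaintext password is for illustration only; real credentials are
    stored hashed, never in the clear.
    """
    cn = sqlite3.connect(":memory:")
    cn.execute("CREATE TABLE [User] (UserName TEXT, Password TEXT)")
    cn.execute("INSERT INTO [User] VALUES ('alice', 's3cret')")
    cn.commit()
    return cn


def login_concatenated(cn, username, password):
    """The pattern the question suffers from: user text glued into the SQL.

    Whatever the user typed becomes part of the statement, so a quote in
    the input changes the query's structure instead of being a value.
    """
    sql = ("SELECT * FROM [User] WHERE UserName = '" + username +
           "' AND Password = '" + password + "'")
    return cn.execute(sql).fetchone() is not None


def login_parameterized(cn, username, password):
    """The answer's recommendation: values travel as bound parameters.

    The SQL text is fixed; the driver hands the values to the engine
    separately, so they can never be parsed as SQL.
    """
    sql = "SELECT * FROM [User] WHERE UserName = :UserName AND Password = :Password"
    row = cn.execute(sql, {"UserName": username, "Password": password}).fetchone()
    return row is not None


def demo():
    """Returns (concatenated result, parameterised result, real login result)."""
    cn = make_db()
    bad_input = "' or 1=1; -- "          # the input from the answer above
    return (
        login_concatenated(cn, bad_input, "anything"),    # True: no valid password needed
        login_parameterized(cn, bad_input, "anything"),   # False: treated as a literal name
        login_parameterized(cn, "alice", "s3cret"),       # True: the genuine user still logs in
    )


if __name__ == "__main__":
    print(demo())
```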

Possible solutions:

  1. Encrypt sensitive data.

  2. Access the database using an account with the least privileges necessary.

  3. Install the database using an account with the least privileges necessary.

  4. Ensure that data is valid.

  5. Do a code review to check for the possibility of second-order attacks.

  6. Use parameterised queries.

  7. Use stored procedures.

  8. Re-validate data in stored procedures.

  9. Ensure that error messages give nothing away about the internal architecture of the application or the database.

For details see a ref:Injection-Attacks-and-Some-Tips-on-How-to-Prev

4b0