
I'm new to the world of coding.

I built a large web site with several textboxes, and I've now figured out that I've been using a dangerous method of inserting data into the SQL server, with something like this:

execSQL("insert into Dossier(ID_Dossier,Nom_Giac) values(" & id_dossier.Text & ",'" & Nom_gaic.Text & "')")

    Public Function execSQL(ByVal req As String, Optional ByVal type As String = "r") As Object
        cmd = New SqlCommand
        cmd.CommandText = req
        cmd.Connection = con
        openCon()
        If type = "r" Then
            ' The reader closes the connection when the caller closes the reader.
            Return cmd.ExecuteReader(CommandBehavior.CloseConnection)
        Else
            ' Non-query: run it, close the connection, then return the row count.
            Dim rows As Integer = cmd.ExecuteNonQuery()
            closeCon()
            Return rows
        End If
    End Function

I just want to know if there is any quick way to solve this problem across my entire web site.

James Hill
user1989195
    Use **parameterized queries**, see here http://stackoverflow.com/questions/542510/how-do-i-create-a-parameterized-sql-query-why-should-i – Mathew Thompson Jan 23 '13 at 13:46
  • Excuse me for the sarcasm, but I'm afraid that the quickest way is starting _typing quicker_... This will take some time to fix. – ppeterka Jan 23 '13 at 13:47

3 Answers


I applaud the fact that you want to remove any possibilities of SQL injection from your site.

That said, there's no quick, magical "find-and-replace-my-vulnerable-code" function; you need to go into your system and update any calls like that with parameterized queries.

LittleBobbyTables - Au Revoir

Parameterized queries are required to prevent SQL injection. Here's an example, taken from this question: How do I create a parameterized SQL query? Why Should I?

Imports System.Data
Imports System.Data.SqlClient

Public Function GetBarFooByBaz(ByVal Baz As String) As String
    Dim sql As String = "SELECT foo FROM bar WHERE baz = @Baz"

    Using cn As New SqlConnection("Your connection string here"), _
        cmd As New SqlCommand(sql, cn)

        ' Typed parameter: the value is sent separately from the statement text.
        cmd.Parameters.Add("@Baz", SqlDbType.VarChar, 50).Value = Baz
        cn.Open()
        Return cmd.ExecuteScalar().ToString()
    End Using
End Function
James Hill
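Applying the answer above to the asker's own helper: the execSQL function rewritten so that values travel as SqlParameters instead of being concatenated into the statement. This is an added example, not the asker's code or the answer's; the connection string, the ExecNonQuery and InsertDossier names are assumptions, while the table and column names come from the question.

```vbnet
Imports System.Data
Imports System.Data.SqlClient

Public Module SafeDb
    ' Placeholder connection string (assumed); replace with the site's own.
    Private Const ConnStr As String = "Server=.;Database=PLACEHOLDER;Integrated Security=True"

    ' Runs an INSERT/UPDATE/DELETE whose values are passed as parameters, so text typed
    ' into a textbox can only ever be data, never part of the statement. Returns rows affected.
    Public Function ExecNonQuery(ByVal sql As String, ByVal args As IDictionary(Of String, Object)) As Integer
        Using cn As New SqlConnection(ConnStr), cmd As New SqlCommand(sql, cn)
            For Each kv In args
                ' DBNull rather than Nothing, so an empty value is stored as NULL instead of failing.
                ' When the column types are known, Parameters.Add with an explicit SqlDbType
                ' (as in the answer above) is preferable to AddWithValue.
                cmd.Parameters.AddWithValue(kv.Key, If(kv.Value, DBNull.Value))
            Next
            cn.Open()
            Return cmd.ExecuteNonQuery()
        End Using
    End Function

    ' The question's INSERT rewritten. A name such as O'Brien is stored with its apostrophe
    ' intact; with string concatenation the same input would have broken the statement.
    Public Sub InsertDossier(ByVal idText As String, ByVal nomGiac As String)
        Dim id As Integer
        ' Validate the numeric column in code, so a non-number is rejected before reaching SQL.
        If Not Integer.TryParse(idText, id) Then
            Throw New ArgumentException("ID_Dossier must be an integer", "idText")
        End If
        Dim args As New Dictionary(Of String, Object) From {
            {"@ID_Dossier", id},
            {"@Nom_Giac", nomGiac}
        }
        ExecNonQuery("INSERT INTO Dossier (ID_Dossier, Nom_Giac) VALUES (@ID_Dossier, @Nom_Giac)", args)
    End Sub
End Module
```

Each call site of the old execSQL then becomes a small wrapper like InsertDossier that names its parameters; the statement text itself no longer contains any textbox value.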

Using LINQ to SQL can help prevent SQL Injection attacks by parameterizing for you:

LINQ to SQL passes all data to the database via SQL parameters. So, although the SQL query is composed dynamically, the values are substituted server side through parameters, safeguarding against the most common cause of SQL injection attacks.

Read more about it here.

Daniel