Is there a method (especially using ASP.net tools) to avoid SQL injection other than parameterized queries?
Viewed 149 times
0
- (1) what's wrong with parameterized queries? – Mitch Wheat Feb 04 '13 at 02:42
- Look at using an ORM I suppose... But even those will just do it for you... – sgeddes Feb 04 '13 at 02:43
- There is a dll antixssLibrary available you should be using that – शेखर Feb 04 '13 at 04:44
- here is a link http://stackoverflow.com/questions/2022289/why-use-microsoft-antixss-library – शेखर Feb 04 '13 at 04:46
- @krshekhar, that's what I was looking for, an ASP.net tool, in this case the Anti XSS Library, to filter my user inputs. Although it seems to be pretty useful for more than just SQL queries. – Omareo Feb 09 '13 at 06:20
2 Answers
0
One of the simplest methods is what I call sanitization. Just Replace(vsInputString, "'", "''")
while constructing the SQL statement:
Dim vsSQLStatement = "SELECT * FROM table01 WHERE myField = '" & Replace(vsFormTextInput, "'", "''" ) & "';"
will also help stop SQL injection.

jlee88my
- 2,935
- 21
- 28
0
Yes, of course. Other than parameterized queries, you should also consider these:
- Using stored procedures
- Using a limited access account to connect to the database (not admin level)
- Encrypt the ConnectionString and other sensitive data
- Set debug=false (in customError) to minimize the information in the event of error
I hope it helps you.

Harold Javier
- 887
- 2
- 7
- 16
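As an added example (not code from the question or from either answer), here is the lookup from jlee88my's answer rewritten with ADO.NET parameters, plus the parameterised stored-procedure call that Harold Javier's answer recommends. The connection-string entry name "AppDb" and the stored procedure dbo.GetByField are assumed names; table01 and myField come from the first answer. Unlike quote doubling, which only protects a value that is placed inside a single-quoted string literal, the parameter is sent to SQL Server as typed data and never becomes part of the SQL text, so the same code is safe for numeric columns as well.

```csharp
// Added example: ADO.NET parameterised query and stored-procedure call.
// Assumed names: connection-string entry "AppDb", procedure dbo.GetByField.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class SafeLookup
{
    // Connection string read from web.config <connectionStrings> (assumed entry
    // "AppDb"). That section can be encrypted in place with aspnet_regiis -pe,
    // which is the "encrypt the ConnectionString" point in the second answer.
    private static string ConnStr =>
        ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

    // Replacement for: "... WHERE myField = '" & Replace(input, "'", "''") & "'"
    // The user value travels as a parameter, not as SQL text, so quotes and
    // comment markers in it are compared as characters, never parsed as SQL.
    public static DataTable FindByField(string userInput)
    {
        const string sql = "SELECT * FROM table01 WHERE myField = @value;";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length keep the parameter declaration identical
            // for every input (one cached plan instead of one per input length).
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value = userInput;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }

    // Stored-procedure variant (assumed procedure dbo.GetByField taking @value).
    // The application login then needs only EXECUTE on the procedure, not
    // SELECT on the table: the "limited access account" from the second answer.
    public static DataTable FindViaProcedure(string userInput)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("dbo.GetByField", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@value", SqlDbType.NVarChar, 50).Value = userInput;

            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                table.Load(reader);
            }
            return table;
        }
    }
}
```

Both methods accept the raw form input unchanged; no Replace or AntiXSS encoding is applied first, because encoding a value that is already passed as a parameter only corrupts the stored data. The AntiXSS library mentioned in the comments addresses output encoding for HTML, not SQL, and does not substitute for the parameter here.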