
How can I test my page that uses Request.QueryString.Get("ID") against SQL injections? I have tried a few basic things like www.myDomain/mySite.aspx?ID=1234' and www.myDomain/mySite.aspx?ID=1234', neither of which causes anything unexpected. I'm looking for a definitive way to test for vulnerabilities though. According to this post it looks like I have implemented the correct mechanisms to prevent injection. Besides online articles I do not have practical experience testing this.

I am using 2 defense mechanisms which seem to be fairly common

1.) I have a sanitize function which removes single apostrophes and '&' and does some formatting stuff to the query string before it is ever added to the SQL command.

2.) I am also using parameterized statements so the query string becomes a parameter for the command that is executed. I understand this makes the whole process more secure because the query structure is already defined.

HopAlongPolly
  • There is no need to do #1 if you do #2. It's *very* hard to write a perfectly effective implementation of #1 (a sanitation function that's infallible). It's also very hard to maintain over time, and won't ever be platform independent. (Unlike #2.) – Servy Aug 08 '13 at 18:34
  • Parameterized statements already take care of that and escape the input if necessary. This may cause a query to fail (i.e. searching for `1245'` in a number row may result in nothing), but you should be safe from SQL injections. Everything else should be handled by your code (i.e. never assume that a query **always** returns data and handle cases where no data is returned by a message to the user like "No results found") – Tseng Aug 08 '13 at 18:58
  • Thanks guys. I added the parameterized statement for better security. The sanitize function was what had been in place prior to my changes but I'll go ahead and remove it now. – HopAlongPolly Aug 08 '13 at 20:10

1 Answer


Your second point should be more than enough. No matter how the QueryString is passed, you are not vulnerable to SQL injection attacks. Unless your SQL statements are actually stored procedures that build the query dynamically via string concatenation. In that case, you may be back to square one.

Icarus
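As an added illustration of point 2 from the question and the caveats raised in the answer and comments (editor's example, not code from the asker or the answerer), the page handler below validates the ID as an integer before any SQL exists, sends it as a typed parameter so the statement text stays fixed, and handles the "no rows" case instead of assuming data comes back. The `MyDb` connection string name, the `Items` table and the `lblResult` Label control are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class MySite : System.Web.UI.Page
{
    // Assumed connection string entry in web.config; adjust to your own name.
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;

    protected void Page_Load(object sender, EventArgs e)
    {
        string raw = Request.QueryString.Get("ID");

        // Type validation first: an ID is an integer, so "1234'" or any other
        // non-numeric value is rejected before a query is even built.
        int id;
        if (!int.TryParse(raw, out id))
        {
            Response.StatusCode = 400;
            lblResult.Text = "Invalid ID";
            return;
        }

        // For contrast only (do NOT use): the raw value becomes part of the SQL
        // text, so input can change the statement's structure.
        // string sql = "SELECT Name FROM Items WHERE ID = " + raw;

        // Safe form: the statement text is constant; the value travels separately
        // as a typed parameter and can never be parsed as SQL.
        const string sql = "SELECT Name FROM Items WHERE ID = @ID";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ID", SqlDbType.Int).Value = id;
            conn.Open();
            // ExecuteScalar returns null when no row matches; handle that case
            // rather than assuming the query always returns data.
            object name = cmd.ExecuteScalar();
            lblResult.Text = name == null ? "No results found" : name.ToString();
        }
        // Caveat from the answer: this only protects the statement you send. A
        // stored procedure that concatenates @ID into a string and runs it with
        // EXEC or sp_executesql without parameters reintroduces the injection.
    }
}
```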