-3

I have 15 applications (some developed in ASP.NET and some in ASP.NET MVC) running under IIS 7.5. These applications strongly depend on 3rd party services to process business logic.

Recently the 3rd party services added a firewall at their end to filter for vulnerabilities (SQL injection, XSS (cross-site scripting), CSRF, etc.). If they receive any request containing these vulnerabilities, they block it at their firewall.

We have already handled the XSS and CSRF vulnerabilities. But now we need to handle/filter SQL injections as well. I know it is not a good idea to filter/detect SQL injections in user inputs using RegEx, but I don't have any option at the moment.. :(

Can anyone advise me what the best way is to detect SQL injections in all incoming requests, so that I can add it as a global filter at the entry level and check for SQL injections?

Before posting this question, I went through many discussions online. Some of them are:

Detect SQL Injection

RegEx to Detect SQL Injection

http://www.ijeebs.com/upload/pdf/Y4bQfWGA.pdf

Thank you

UPDATE

I know it's a duplicate; that's why I have mentioned the previous question links in my question above.

I am not worried about the database calls in my application, since all of them are handled with Entity Framework. The only worry is the 3rd party API calls.

  • Do you not have access to the SQL calls themselves? The only way to 100% prevent it is to go to the source (i.e. the SQL queries). – maccettura Feb 07 '18 at 20:35
  • If there were a reliable way of detecting injection, it would have been implemented in database engines long ago. –  Feb 07 '18 at 20:37
  • How is this question not a duplicate of the first question you linked to? –  Feb 07 '18 at 20:38
  • That looks like a weird situation. Why can't you use parameters to avoid SQL injection completely? And if you really can't use them (you definitely should), then why don't you just send the request and see if it fails at the firewall? Why do you replicate the firewall logic? – Sefe Feb 07 '18 at 20:38
  • If it were so simple to avoid such attacks, it wouldn't be so harmful, would it? Having said this, your question is by far too broad. – MakePeaceGreatAgain Feb 07 '18 at 20:43
  • Here one thing I want to clarify: we use SQL calls in our applications and all of them are implemented with Entity Framework, and we don't have any issue with SQL injections. But I have a problem with the 3rd party API/Service calls which are made from the applications. I need to send data to the 3rd party API/Service without any vulnerabilities (especially SQL injections). – Venkata Pujarla Feb 07 '18 at 20:47
  • How is it not the 3rd party's responsibility to make sure their APIs aren't vulnerable? – itsme86 Feb 07 '18 at 20:49
  • May I know why this question is downvoted? – Venkata Pujarla Feb 07 '18 at 22:02
  • If you know it's a duplicate, then *don't ask a duplicate*. –  Feb 07 '18 at 22:17

1 Answer

-1

Even if you did this, how can you guarantee that someone can't figure out a syntax that your algorithm doesn't catch?

The best way is to always use parameterized queries, where user input is never simply made part of the query directly, and always encode user input when displaying it.

Jonathan Wood
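To make the answer's two points concrete (parameterized queries on the way in, output encoding on the way out), here is an added example that is not part of the original question or answer. It uses Python's built-in `sqlite3` module with a constructed in-memory table, and a constructed tautology input to show why a query built by string concatenation returns every row while the parameterized form of the same query returns none.

```python
import html
import sqlite3

# Constructed sample data (not from the original post): two users in an in-memory database.
SAMPLE_USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_concat(conn, name):
    # Vulnerable pattern: the user-supplied value becomes part of the SQL text itself,
    # so a quote inside it changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_param(conn, name):
    # Parameterized pattern: the SQL text is fixed and the value travels separately,
    # so it is always compared as data and can never alter the query structure.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def render_name(name):
    # Output encoding for the display side of the answer's advice: the value is
    # HTML-escaped, so markup characters inside it are shown, not interpreted.
    return "<td>" + html.escape(name, quote=True) + "</td>"


def demo(payload="' OR '1'='1"):
    # Constructed tautology input: runs both lookups with a normal name and with the payload.
    conn = make_db()
    return {
        "concat_normal": find_user_concat(conn, "alice"),
        "concat_payload": find_user_concat(conn, payload),   # every row comes back
        "param_normal": find_user_param(conn, "alice"),
        "param_payload": find_user_param(conn, payload),     # no such user, no rows
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key}: {rows}")
    print(render_name("<script>"))
```

Entity Framework, as used by the asker's own applications, issues parameterized SQL by default, which is why the answer's advice already covers the database side; no regex pre-filter can give the same guarantee.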