0

I want to know if there is anyway to avoid sql injection or XSS while reading a url. For example: https://abc?ID= some unique guid

How to avoid sql injection etc when entered instead of valid GUID.

alice7
  • 3,834
  • 14
  • 64
  • 93

5 Answers5

4

There are a few things you can do.

  1. Start off using parameterized queries or a good ORM.
  2. Look into the C# AntiXSS library.
  3. Sanitize your input.

Read up on preventing SQL Injection

Further reading

SQL Injection is bigger than just the portion you're asking about. You want to be aware of all data going in and coming out of your database. Implement the suggestions above and you "should" be pretty covered.

When it comes to the subject of the original question (?id=[guid]), you want to make sure you're using the System.Guid data type when submitting the query. If the string is NOT a valid GUID, then you know that there's a problem and you shouldn't complete the request (IE: don't even send the request to your repository later, and definitely don't send it as far as the database).

Community
  • 1
  • 1
Chase Florell
  • 46,378
  • 57
  • 186
  • 376
1

Simple. Always sanitize input. Never implicitly trust or execute something received from an external source (user, client machine, etc.).

In the case of a GUID, use the System.Guid datatype instead of a string. That is, in the case of using it in a SQL query, never just concatenate the string representation of the GUID into the query. Use query parameters and pass it an actual System.Guid object, which was created from the received string.

If it fails to create an actual System.Guid when parsing the string, that's an indication of invalid input. At that point you shouldn't even bother with trying to build the SQL query or using the data access layer in any way, just return an error to the user.

David
  • 208,112
  • 36
  • 198
  • 279
0

It sounds like ID would be a number. If it was than it is easy -- just cast the contents to a number and use this typed variable from then on in. If there is something else in the contents the system will just return an error.

Hogan
  • 69,564
  • 10
  • 76
  • 117
0

The first thing you should do is make SQL injection impossible. From my understanding, this approach will not result in SQL Injection. This is referred to as "Parameterized Inputs".

 string commandText = "UPDATE Sales.Store SET Demographics = @demographics "
    + "WHERE CustomerID = @ID;";
 SqlCommand command = new SqlCommand(commandText, connection);
    command.Parameters.Add("@ID", SqlDbType.Int);
    command.Parameters["@ID"].Value = customerID;

    // Use AddWithValue to assign Demographics.
    // SQL Server will implicitly convert strings into XML.
    command.Parameters.AddWithValue("@demographics", demoXml);

The second approach, is to make the GUID not passed through the URL. This makes it extremely easy to modify, so you may want to pass this value through POST instead of GET. Doing this will not protect from SQL injection, but it will make it a little bit more difficult, and will help to ensure data integrity.

More information: http://msdn.microsoft.com/en-us/library/system.data.sqlclient.sqlcommand.parameters.aspx

Localghost
  • 714
  • 3
  • 7
0

Just don't pass the value in the ID query string parameter directly into the database.

You are using C# so you can use query parameters or something like the entity framework which will ensure that the data is formatted correctly for SQL Server (although it may not check whether it is a valid GUID - unless your underlying field or query type forces that)

For more information on SQL Injection Attacks, here's an article I wrote some years ago: http://colinmackay.co.uk/blog/2005/04/23/sql-injection-attacks-and-some-tips-on-how-to-prevent-them/

Colin Mackay
  • 18,736
  • 7
  • 61
  • 88