SQL Injection
KARTHI_077
Posts: 5, Questions: 2, Answers: 0
Dear friends,
I have implemented DataTables using ASP.NET. My problem is how to check for SQL injection in C#.
This discussion has been closed.
Answers
I don't know what C# code you are using, so there is little help I can offer at the moment. What code are you using?
Allan
OK, I will send my full C# code to your mail.
It looks like custom code that you have written. Is that correct? I am not the correct person to ask to audit your code and I'm afraid that isn't a service I can offer even with the paid support contracts.
If you need a third party to audit your code I would suggest hiring a freelancer on ODesk, Elance or similar.
Allan
Easy way to prevent SQL injection issues in asp.net with mysql
I prefer an ad hoc style of writing my queries (so I can print them out for troubleshooting purposes). If you don't write ad hoc queries, read no further.
sql = "Update table set field = " & newvalue.fixtextfield() & " where id=" & id
fixtextfield is a string extension that replaces " with "", ' with '', % with %%, and \ with \.
That's all I do, and I pass all SQL Injection routines that have been thrown at me so far.
For numeric fields, never quote them and make sure your variables are always numerical types. That is, id is an integer, not a string.
For date fields, I pass them through a sqldate() format call to ensure they are really dates, and if not, set them to null.
sql = "Update table set datefield = " & newvalue.sqldate() & " where id=" & id
In sqldate, if newvalue is a date then it returns '2016-02-06 04:05:15' (with single quotes). If not a date, it returns the string "null" (without quotes).
This method is ingrained to how we write our code.
If I had a large project that already had a few thousand queries, then I would write an extension to the database .open and .execute methods to pick apart the SQL statement and validate that all fields are really fields in the database, and then to fixtextfield or sqldate based upon the data type of the database fields.
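For the original question (C# with MySQL), here is an added example, not code from any poster in this thread, showing the same UPDATE written with parameters instead of escaped string concatenation; it assumes Oracle's MySQL Connector/NET (MySql.Data.MySqlClient) and a made-up table accounts(id INT, note VARCHAR, renewed_at DATETIME). The text/NULL date rule from the post above is kept, but the values travel separately from the statement, so no quote, percent or backslash escaping is needed, and the statement can still be printed for troubleshooting.

```csharp
using System;
using System.Data;
using MySql.Data.MySqlClient;   // assumption: MySQL Connector/NET is referenced

public static class AccountUpdater
{
    // Concatenation, the pattern being replaced: any single quote inside
    // `note` ends the string literal and the rest is parsed as SQL.
    public static string BuildUnsafeSql(int id, string note)
    {
        return "UPDATE accounts SET note = '" + note + "' WHERE id = " + id;
    }

    // Parameterised form. The driver sends the statement text and the
    // values separately, so the values are never parsed as SQL.
    public static int UpdateAccount(MySqlConnection conn, int id, string note, string dateInput)
    {
        const string sql =
            "UPDATE accounts SET note = @note, renewed_at = @renewed WHERE id = @id";

        using (var cmd = new MySqlCommand(sql, conn))
        {
            // Numeric key: typed as an integer, never quoted into the text.
            cmd.Parameters.Add("@id", MySqlDbType.Int32).Value = id;

            // Free text: passed as-is; no fixtextfield()-style escaping required.
            cmd.Parameters.Add("@note", MySqlDbType.VarChar).Value =
                (object)note ?? DBNull.Value;

            // Same rule as sqldate(): a real date or NULL, never raw user text.
            var renewed = cmd.Parameters.Add("@renewed", MySqlDbType.DateTime);
            renewed.Value = DateTime.TryParse(dateInput, out var parsed)
                ? (object)parsed
                : DBNull.Value;

            // Troubleshooting output: statement plus the bound values,
            // without ever splicing the values into the statement.
            Console.WriteLine($"{sql}  -- @id={id}, @note={note}, @renewed={renewed.Value}");

            return cmd.ExecuteNonQuery();   // rows affected
        }
    }
}
```

Pass the same open MySqlConnection you already use for the DataTables server-side code; the date check mirrors the post's sqldate() behaviour (invalid input becomes NULL rather than an error).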