Need to check SQL injection validation for the textbox which takes free text

Posted by Lalitha86 under ASP.NET on 8/21/2015 | Points: 10 | Views : 374 | Status : [Member] | Replies : 4
Can anyone let me know how to validate SQL injection in ASP.NET for a textbox which takes free text, that is, a combination of numbers, alphabetic and special characters?

Responses

Posted by: Pankajchoudhary on: 8/21/2015 [Member] Starter | Points: 25

Hello Lalitha, you can refer to these sites for injection:

https://msdn.microsoft.com/en-us/library/ff648339.aspx
http://www.codeproject.com/Articles/604268/Hack-Proof-Your-ASP-NET-Applications-From-SQL-Inje

Lalitha86, if this helps please login to Mark As Answer. | Alert Moderator

Posted by: Pankajchoudhary on: 8/21/2015 [Member] Starter | Points: 25

You can refer to the following links:
http://www.codeproject.com/Articles/604268/Hack-Proof-Your-ASP-NET-Applications-From-SQL-Inje
https://msdn.microsoft.com/en-us/library/ff648339.aspx


Posted by: Narenkumar851 on: 10/22/2015 [Member] Starter | Points: 25

You can try an SQL injection attack with the following scripts, like 'a==a'.
SQL injection attack: http://dotprogramming.blogspot.com/2014/11/example-of-sql-injection-attack.html
Also I have a solution for it, if you want to use it:
http://dotprogramming.blogspot.com/2014/12/prevention-from-sql-injection-attack-in.html


Posted by: Rajnilari2015 on: 10/23/2015 [Member] [Microsoft_MVP] [MVP] Platinum | Points: 25

Avoid creating inline SQL queries as below:

string sql = "Select * from tablename where SomeColumn = " + txtBoxValue.Text;


Instead, use parameterized queries as under:

"Select * from tablename where SomeColumn = @SomeColumnValue "


Even better, convert all of the parameterized queries to stored procedures.

Please read:

a) http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

b) http://www.codeproject.com/Articles/813965/Preventing-SQL-Injection-Attack-ASP-NET-Part-I

c) https://msdn.microsoft.com/en-us/library/ff647397.aspx

However, the below regex for SQL injection should work:

// The original /.../ix form is Perl delimiter syntax; a .NET Regex takes the bare pattern
// and the i flag becomes RegexOptions.IgnoreCase (needs using System.Text.RegularExpressions;).
string regexForSQLInjection = @"\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))";
bool looksLikeInjection = Regex.IsMatch(input, regexForSQLInjection, RegexOptions.IgnoreCase);


But please don't try to do this with RegEx.

Instead (as provided in the above links), use Parameters; these are in the BCL and have anti-SQL-injection measures built in.

However, you can also use a SQL parser, which will help with sanitizing attempts, e.g. http://www.sqlparser.com/ or http://sourceforge.net/projects/osqlp/


A long time back, I wrote an article on tokenizing a TSQL script using TSql100Parser. You can go through the article ( http://www.dotnetfunda.com/articles/show/2337/using-tsql100parser-to-tokenize-tsql-script ) for a better understanding of making a SQL parser of your own.

Another way is to create a custom AntiForgeryToken filter and apply it to your model in the BCL.

using System.Web.Mvc;

// Deriving from FilterAttribute lets the class be used both as [AntiForgery] on a
// controller/action and as a global filter via GlobalFilters.Filters.Add(new AntiForgeryAttribute()).
public class AntiForgeryAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext authorizationContext)
    {
        // Only state-changing POST requests need the anti-forgery token check.
        if (authorizationContext.RequestContext.HttpContext.Request.HttpMethod != "POST")
            return;

        // Delegate to the built-in validator so every POST is checked for the token.
        new ValidateAntiForgeryTokenAttribute().OnAuthorization(authorizationContext);
    }
}


Source: http://prideparrot.com/blog/archive/2012/7/securing_all_forms_using_antiforgerytoken

More on AntiforgeryToken: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Hope this will help you

--
Thanks & Regards,
RNA Team

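As an added example (not code from this thread, nor from any of the linked articles), the C# program below shows what the post above recommends for a free-text textbox: the textbox value is sent to SQL Server as a typed SqlParameter, so the text itself needs no regex "validation" at all. The Customers table, its columns, the stored procedure name usp_FindCustomerByName, the sample input and the connection string are all assumed placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example: passing a free-text textbox value to SQL Server as a parameter.
public static class CustomerSearch
{
    // Placeholder connection string; replace with the application's own.
    private const string ConnectionString =
        "Server=(localdb)\\MSSQLLocalDB;Database=ShopDb;Integrated Security=true";

    // UNSAFE form, kept only as a string to illustrate the problem: the text becomes
    // part of the SQL statement, so a legitimate value such as O'Brien already breaks
    // the statement and a crafted value can change its meaning. It is never executed here.
    public static string BuildConcatenatedSql(string freeText)
    {
        return "SELECT CustomerId, Name FROM Customers WHERE Name = '" + freeText + "'";
    }

    // SAFE form: the SQL text is fixed; the textbox value travels as a typed parameter value.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string freeText)
    {
        SqlCommand command = connection.CreateCommand();
        command.CommandType = CommandType.Text;
        command.CommandText = "SELECT CustomerId, Name FROM Customers WHERE Name = @Name";
        // Declare type and length explicitly; the driver sends the value separately from
        // the statement, so quotes, percent signs or keywords inside it are just characters.
        command.Parameters.Add("@Name", SqlDbType.NVarChar, 200).Value = freeText;
        return command;
    }

    // Stored-procedure variant, as the post suggests (procedure name is assumed).
    public static SqlCommand BuildStoredProcCommand(SqlConnection connection, string freeText)
    {
        SqlCommand command = connection.CreateCommand();
        command.CommandType = CommandType.StoredProcedure;
        command.CommandText = "usp_FindCustomerByName";
        command.Parameters.Add("@Name", SqlDbType.NVarChar, 200).Value = freeText;
        return command;
    }

    // Runs the parameterized lookup and returns the matching customer names.
    // From a Web Forms button handler this is simply: FindCustomers(txtBoxValue.Text)
    public static List<string> FindCustomers(string freeText)
    {
        var names = new List<string>();
        using (var connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = BuildParameterizedCommand(connection, freeText))
        {
            connection.Open();
            using (SqlDataReader reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    names.Add(reader.GetString(1)); // column 1 is Name
                }
            }
        }
        return names;
    }

    public static void Main()
    {
        // Constructed sample input: letters, digits and special characters, including a quote.
        string textboxValue = "O'Brien & Sons #2";

        Console.WriteLine("Concatenated (broken by the quote):");
        Console.WriteLine(BuildConcatenatedSql(textboxValue));

        using (var connection = new SqlConnection(ConnectionString))
        using (SqlCommand command = BuildParameterizedCommand(connection, textboxValue))
        {
            Console.WriteLine("Parameterized SQL: " + command.CommandText);
            Console.WriteLine("@Name value      : " + command.Parameters["@Name"].Value);
        }
    }
}
```

Main only prints the two command forms so it can be run without a database; FindCustomers is the method to wire to the textbox once the connection string points at a real server. The point for the original question is that no characters need to be rejected from the free text: numbers, letters and special characters all pass through the parameter unchanged.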