need to check sql injection validation for the textboxt which take free text

Posted by Lalitha86 under ASP.NET on 8/21/2015 | Points: 10 | Views : 607 | Status : [Member] | Replies : 4

Write New Post |

Search Forums | Answered

Resolved Posts |

Un Answered Posts |

Forums Home

can any one let me knw how to validate SQL injection in asp.net for the textbox which takes free text that is combination of number,alpha and special character

Reply | Reply with Attachment

Alert Moderator

Responses

Posted by: Pankajchoudhary on: 8/21/2015 [Member] Starter | Points: 25

0	Hello Lalitha you can refers these sites for injection https://msdn.microsoft.com/en-us/library/ff648339.aspx http://www.codeproject.com/Articles/604268/Hack-Proof-Your-ASP-NET-Applications-From-SQL-Inje Lalitha86, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Pankajchoudhary on: 8/21/2015 [Member] Starter | Points: 25

0	You can refers following links http://www.codeproject.com/Articles/604268/Hack-Proof-Your-ASP-NET-Applications-From-SQL-Inje https://msdn.microsoft.com/en-us/library/ff648339.aspx Lalitha86, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Narenkumar851 on: 10/22/2015 [Member] Starter | Points: 25

0	you can try for sql injection attack by the following scripts like 'a==a' Sql injection attack http://dotprogramming.blogspot.com/2014/11/example-of-sql-injection-attack.html Also i have a solution of it , if you want to use http://dotprogramming.blogspot.com/2014/12/prevention-from-sql-injection-attack-in.html Lalitha86, if this helps please login to Mark As Answer. \| Alert Moderator

Posted by: Rajnilari2015 on: 10/23/2015 [Member] [Microsoft_MVP] [MVP] Platinum | Points: 25

0	Avoid creating inline sql query(s) as below: string sql = "Select * from tablename where SomeColumn = " + txtBoxValue.Text; Instead use Parameterized queries as under "Select * from tablename where SomeColumn = @SomeColumnValue " Even better Convert all of the parametrized queries to stored procedures . Please read: a) http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev b) http://www.codeproject.com/Articles/813965/Preventing-SQL-Injection-Attack-ASP-NET-Part-I c) https://msdn.microsoft.com/en-us/library/ff647397.aspx However, the below REGEX for SQL Injection should work string regexForSQLInjection = @"/\w((\%27)\|(\'))((\%6F)\|o\|(\%4F))((\%72)\|r\|(\%52))/ix"; But please don't try to do this with RegEx. Instead (as provided in the above links), use Parameters, these are in the BCL and have anti SQL injection measures built in. However, you can also use a SQL parser which will help with sanitizing attempts. e.g.http://www.sqlparser.com/ or http://sourceforge.net/projects/osqlp/ Long time back, I wrote an article of Tokenizing TSQL script using TSql100Parser* . You can even go through the article ( http://www.dotnetfunda.com/articles/show/2337/using-tsql100parser-to-tokenize-tsql-script ) for a better understanding of making a SQL Parser of your own. Another way is to create a Custom AntiForgeryToken filter and apply that to your Model in BCL. public class AntiForgeryAttribute: IAuthorizationFilter { public void OnAuthorization(AuthorizationContext authorizationContext) { if (authorizationContext.RequestContext.HttpContext.Request.HttpMethod != "POST") return; new ValidateAntiForgeryTokenAttribute().OnAuthorization(authorizationContext); } } Source: http://prideparrot.com/blog/archive/2012/7/securing_all_forms_using_antiforgerytoken More on AntiforgeryToken: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/ Hope this will help you -- Thanks & Regards, RNA Team Lalitha86, if this helps please login to Mark As Answer. \| Alert Moderator

Avoid creating inline sql query(s) as below:

string sql = "Select * from tablename where SomeColumn = " + txtBoxValue.Text;

Instead use Parameterized queries as under

"Select * from tablename where SomeColumn = @SomeColumnValue "

Even better Convert all of the parametrized queries to stored procedures .

Please read:

a) http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

b) http://www.codeproject.com/Articles/813965/Preventing-SQL-Injection-Attack-ASP-NET-Part-I

c) https://msdn.microsoft.com/en-us/library/ff647397.aspx

However, the below REGEX for SQL Injection should work

string regexForSQLInjection = @"/\w*((\%27)|(\'))((\%6F)|o|(\%4F))((\%72)|r|(\%52))/ix";

But please don't try to do this with RegEx.

Instead (as provided in the above links), use Parameters, these are in the BCL and have anti SQL injection measures built in.

However, you can also use a SQL parser which will help with sanitizing attempts. e.g.http://www.sqlparser.com/ or http://sourceforge.net/projects/osqlp/

Long time back, I wrote an article of Tokenizing TSQL script using TSql100Parser . You can even go through the article ( http://www.dotnetfunda.com/articles/show/2337/using-tsql100parser-to-tokenize-tsql-script ) for a better understanding of making a SQL Parser of your own.

Another way is to create a Custom AntiForgeryToken filter and apply that to your Model in BCL.

public class AntiForgeryAttribute: IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext authorizationContext)
    {
        if (authorizationContext.RequestContext.HttpContext.Request.HttpMethod != "POST")
            return;
 
        new ValidateAntiForgeryTokenAttribute().OnAuthorization(authorizationContext);
    }
}

Source: http://prideparrot.com/blog/archive/2012/7/securing_all_forms_using_antiforgerytoken

More on AntiforgeryToken: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Hope this will help you

--
Thanks & Regards,
RNA Team

Lalitha86, if this helps please login to Mark As Answer. | Alert Moderator

Latest Posts