SQL injection, tier architecture [Resolved]

Posted by Raja_89 under C# on 7/15/2016 | Points: 10 | Views : 1267 | Status : [Member] | Replies : 2
Hi

I am developing a website with SDLC practices. How can I secure my website from SQL injection after getting values from the UI (values from the end user) and sending them to the DAL with the query as well as the values? How can I secure my site?

Example

U.I
id = textbox.Text;
psw = textbox2.Text;
// Query text is built by concatenating the user-supplied values
dt.exec_cmd("insert into mytable(id,psw) values('" + id + "','" + psw + "')");


DAL
void exec_cmd(string msg)
{
    objsqlcmd = new SqlCommand(msg, constr);
    objsqlcmd.ExecuteNonQuery();
}


Whether can I go with if (tbx.Length > 0) or tbx.Trim() or any other way?

Is there any optimal way to achieve this function in the DAL?

Regards




Responses

Posted by: Rajnilari2015 on: 7/15/2016 [Member] [Microsoft_MVP] [MVP] Platinum | Points: 50

Resolved
@Raja_89 , please don't. Use Parameterised stored procedures instead. Also, please validate your SQL Query using a regular expression. They are a great way to implement field level validations both at the server and client side.

Also refer this great article ( https://www.troyhunt.com/owasp-top-10-for-net-developers-part-1/ ) for more information.

Hope that helps

--
Thanks & Regards,
RNA Team


Posted by: Bhuvanesh6 on: 7/16/2016 [Member] Starter | Points: 25

Please avoid using the inline parameters as you mentioned in the question (+id+ values).

It is strongly recommended to use stored procedures and insert or update values using parameter values supplied to execute the stored procedures.

Bhuvan

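What both replies recommend, written out as an added example (not code from the thread's participants): the DAL takes the UI values as SqlCommand parameters instead of concatenating them into the query text. The table name mytable comes from the question; the stored procedure name usp_InsertUser, the column sizes and the class name are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original thread. Replaces the concatenating
// exec_cmd(string msg) from the question with parameterised calls.
public sealed class UserDal
{
    private readonly string _connectionString;

    public UserDal(string connectionString) => _connectionString = connectionString;

    // Parameterised inline SQL: the values travel to the server separately
    // from the query text, so quotes or keywords inside them are stored as
    // data and never parsed as part of the statement.
    public int InsertUser(string id, string psw)
    {
        if (string.IsNullOrWhiteSpace(id))
            throw new ArgumentException("id is required", nameof(id)); // field validation, separate from injection defence

        const string sql = "INSERT INTO mytable (id, psw) VALUES (@id, @psw)";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = id;    // sizes are assumptions
            cmd.Parameters.Add("@psw", SqlDbType.NVarChar, 100).Value = psw;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }

    // Stored-procedure variant, as both replies suggest: same parameter
    // objects, with CommandType set so the name is not run as ad-hoc SQL.
    // usp_InsertUser is an assumed procedure taking @id and @psw.
    public int InsertUserViaProc(string id, string psw)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand("usp_InsertUser", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@id", SqlDbType.NVarChar, 50).Value = id;
            cmd.Parameters.Add("@psw", SqlDbType.NVarChar, 100).Value = psw;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The UI then calls dal.InsertUser(textbox.Text, textbox2.Text) and never builds SQL text itself; checks such as Trim() or Length > 0 remain useful as field validation but are not what prevents injection.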
