Friday, February 19, 2010

SQL injection

Constrain input.
Validate all input to your ASP.NET applications for type, length, format, and range. By constraining the input used in your data access queries, you can protect your application from SQL injection.

Constrain Input in ASP.NET Web Pages

Constrain Input in Data Access Code

Use parameters with stored procedures.
Using stored procedures does not necessarily prevent SQL injection. The important thing to do is use parameters with stored procedures. If you do not use parameters.

Use parameters with dynamic SQL.
If you cannot use stored procedures, you should still use parameters when constructing dynamic SQL statements. The following code shows how to use the SqlParameterCollection with dynamic SQL.
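As an added example (not code from the original post), the following C# brings the three points above together: input is constrained before it reaches the data access code, the dynamic SQL statement takes its value through SqlCommand.Parameters (a SqlParameterCollection), and the same typed parameter is passed to a stored procedure, with a concatenated version kept beside them only to show what parameters replace. The Orders table, its columns and the stored procedure name dbo.GetOrdersForCustomer are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class OrderLookup
{
    // Constrain input first: the customer id is assumed (hypothetically)
    // to be a 1-10 digit numeric string, so type, length and format are fixed.
    private static readonly Regex CustomerIdPattern = new Regex(@"^\d{1,10}$");

    public static int ParseCustomerId(string raw)
    {
        if (raw == null || !CustomerIdPattern.IsMatch(raw))
            throw new ArgumentException("Customer id must be 1-10 digits.");
        return int.Parse(raw);
    }

    // Unsafe: user input concatenated into the statement text. Shown only
    // for contrast with the two parameterised versions below.
    public static SqlCommand BuildUnsafeCommand(SqlConnection conn, string rawId)
    {
        return new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE CustomerId = " + rawId, conn);
    }

    // Safe: dynamic SQL with a typed parameter. The value reaches SQL Server
    // as data; it can never alter the statement itself.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string rawId)
    {
        int customerId = ParseCustomerId(rawId);
        var cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE CustomerId = @CustomerId", conn);
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }

    // Safe: stored procedure, again with a typed parameter. A procedure called
    // with concatenated arguments would still be injectable; the parameter is
    // what makes it safe. The procedure name is a placeholder.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, string rawId)
    {
        int customerId = ParseCustomerId(rawId);
        var cmd = new SqlCommand("dbo.GetOrdersForCustomer", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@CustomerId", SqlDbType.Int).Value = customerId;
        return cmd;
    }
}
```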
