
Ensure that a string is not an sql command

James Jensen
Feb 10, 2015
<p>The correct way to avoid SQL injection is through <a href="http://msdn.microsoft.com/en-us/library/ms180740%28v=vs.90%29.aspx" rel="nofollow">parameterized queries</a>, which actually encode any values that wouldn't fit properly into the SQL context they're being injected into.</p>
<p>Supposing there's a vast bulk of legacy code that you know is vulnerable to SQL injection, you could still try checking for suspicious values on input in another part of your code. For example, by default ASP.NET <a href="http://referencesource.microsoft.com/#System.Web/xsp/system/Web/CrossSiteScriptingValidation.cs" rel="nofollow">tries to prevent</a> JavaScript/HTML injection using a filter on every request.</p>
<p>But this approach is open to false positives, where you reject perfectly legitimate data because it looks like it was intended to be an injection attack. And it's not nearly as reliable as writing your data-access code with best practices in the first place.</p>
<p>This tip was originally posted on <a href="http://stackoverflow.com/questions/24331913/Ensure%20that%20a%20string%20is%20not%20an%20sql%20command/24331940">Stack Overflow</a>.</p>
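<p>An added example (not part of the original tip, and not ASP.NET code) that makes both points concrete with Python's sqlite3 driver and a constructed in-memory table: a value such as <code>O'Brien</code> breaks a concatenated query but is handled cleanly by a parameterized one, while a keyword/quote blacklist rejects ordinary addresses like "12 Drop Street". The table, rows and the <code>looks_like_sql</code> pattern are assumptions made up for the demonstration.</p>

```python
import re
import sqlite3

# Constructed sample data for the demonstration; not from the original tip.
CUSTOMERS = [("O'Brien", "12 Drop Street"), ("Smith", "Select Hotel, Room 4")]


def make_db():
    """Build an in-memory table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, address TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    return conn


def find_by_name_concat(conn, name):
    """Legacy style: the value is spliced into the SQL text, so a quote in the
    data (O'Brien) does not fit the string-literal context and breaks the query."""
    sql = "SELECT address FROM customers WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_by_name_param(conn, name):
    """Parameterized: the driver sends the value separately from the SQL text,
    so quotes inside the data are just data."""
    sql = "SELECT address FROM customers WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def concat_query_breaks(conn, name):
    """True when the concatenated query is rejected by the SQL parser."""
    try:
        find_by_name_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True


# A hypothetical blacklist filter of the kind the tip warns about: it flags
# SQL keywords, quotes, dashes and semicolons wherever they appear.
SQL_SUSPECT = re.compile(r"\b(select|insert|update|delete|drop|union)\b|['\-;]",
                         re.IGNORECASE)


def looks_like_sql(value):
    """Returns True for input the blacklist would reject, legitimate or not."""
    return bool(SQL_SUSPECT.search(value))


if __name__ == "__main__":
    conn = make_db()
    print("parameterized:", find_by_name_param(conn, "O'Brien"))
    print("concatenated query breaks:", concat_query_breaks(conn, "O'Brien"))
    for value in ["O'Brien", "12 Drop Street", "Select Hotel, Room 4", "Smith"]:
        print(f"{value!r}: {'rejected' if looks_like_sql(value) else 'accepted'}")
```

<p>All three legitimate values except "Smith" are rejected by the filter, which is the false-positive problem the tip describes; the parameterized query needs no such filter to stay correct.</p>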