How can I avoid SQL injection attacks in my ASP.NET application?

.net asp.net sql security sql-injection
balaweblog picture balaweblog · Nov 20, 2008 · Viewed 26.4k times · Source

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?

Answer

Tomalak picture Tomalak · Nov 20, 2008

Even though your question is very generic, a few rules always apply:

  • Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
  • Don't build SQL strings out of unchecked user input.
  • Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
  • Check for second-level vulnerabilites - don't build SQL query strings out of SQL table values if these values consist of user input.
  • Use stored procedures to encapsulate database operations.

Related questions

Read SQL Table into C# DataTable

I've read a lot of posts about inserting a DataTable into a SQL table, but is there an easy way to pull a SQL table into a .NET DataTable?

Read More
In memory database in .net

I have a .net application where i want to use In-Memory data structure. Please advice me how it works in compare to the physical database.

Read More
Connect to AS400 using .NET

I am trying to build a .NET web application using SQL to query AS400 database. This is my first time encountering the AS400. What do I have to install on my machine (or the AS400 server) in order to connect? (…

Read More