How can I avoid SQL injection attacks in my ASP.NET application?
Even though your question is very generic, a few rules always apply:
- Use parameterized queries (SqlCommand with SqlParameter) and put user input into parameters.
- Don't build SQL strings out of unchecked user input.
- Don't assume you can build a sanitizing routine that can check user input for every kind of malformedness. Edge cases are easily forgotten. Checking numeric input may be simple enough to get you on the safe side, but for string input just use parameters.
- Check for second-level vulnerabilities - don't build SQL query strings out of SQL table values if these values consist of user input.
- Use stored procedures to encapsulate database operations.
how to prevent SQL Injection in a asp.net website
A regex is unrelated to SQL injection (blacklisting etc. is never the strongest approach); however, the use of the parameter @Email
means (assuming it remains parameterised) that it is not susceptible to SQL injection.
SQL injection relates to inappropriate concatenation of input; the main tool to fight it is parameters, which has already happened here.
For example, if you did:
var sql = "SELECT ...snip... WHERE Email='" + email + "'"; // BAD!!!!!
then that is heavily susceptible to SQL injection. By using a parameter, the value is not treated as part of the query, so the attacker does not have an attack vector.
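The following is an added example, not code from any of the answers above. It puts the concatenated query beside its parameterised SqlCommand replacement and also covers the first answer's remaining points: the second-order case (a value read back from a table is still input) and calling a stored procedure through parameters. It assumes a table dbo.Users with Id, Email and DisplayName columns, a stored procedure dbo.usp_CountUsersByEmail with an @Email parameter, and a connection string supplied by the caller; none of these are in the original posts.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // BAD (kept only to show the shape of the problem): the input becomes part
    // of the SQL text, so a quote character in it ends the string literal and
    // everything after it is parsed as SQL.
    public static string BuildVulnerableSql(string email)
    {
        return "SELECT Id, Email FROM dbo.Users WHERE Email = '" + email + "'"; // BAD!!!!!
    }

    // GOOD: the statement text never changes; the input travels as a typed value.
    public static int CountByEmail(string connectionString, string email)
    {
        const string sql = "SELECT COUNT(*) FROM dbo.Users WHERE Email = @Email";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Giving the parameter an explicit type and length avoids implicit
            // conversions and keeps the cached query plan stable.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Second-order case: DisplayName was stored from user input earlier. Reading it
    // back does not make it trustworthy, so it still goes through a parameter when
    // it is used in another query.
    public static int CountByStoredDisplayName(string connectionString, int userId)
    {
        const string readSql = "SELECT DisplayName FROM dbo.Users WHERE Id = @Id";
        const string countSql = "SELECT COUNT(*) FROM dbo.Users WHERE DisplayName = @Name";

        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();

            string storedName;
            using (var read = new SqlCommand(readSql, conn))
            {
                read.Parameters.Add("@Id", SqlDbType.Int).Value = userId;
                storedName = (string)read.ExecuteScalar();
            }

            // Never: "... WHERE DisplayName = '" + storedName + "'"
            using (var count = new SqlCommand(countSql, conn))
            {
                count.Parameters.Add("@Name", SqlDbType.NVarChar, 256).Value = storedName;
                return (int)count.ExecuteScalar();
            }
        }
    }

    // Stored procedure (assumed name): the same parameter mechanism applies, so the
    // procedure's input arrives as a value rather than as text spliced into a call.
    public static int CountByEmailViaProcedure(string connectionString, string email)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.usp_CountUsersByEmail", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

The only method that builds SQL from its argument is BuildVulnerableSql, and it is the one you would delete. A quick review check for an existing code base is to search for string concatenation or String.Format on anything assigned to CommandText; each hit either takes a constant or needs a parameter.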
C# How can I prevent SQL Injection with ASP.NET?
But as I noticed, this application is very vulnerable to SQL Injection.
No, it is not. You cannot tamper with the actual SQL statement since you use parameters already. There is no SQL injection vulnerability in your code.
Are there global setting prevent the sql injection and XSS ? (ASP.NET)
The best way to prevent SQL injection is: use parameters. Anything else is just a "maybe it'll prevent some attacks" arms race against people who can simply reflect (disassemble) the implementation to see what might make it past.
XSS is likewise best prevented by correctly encoding your outputs. Both aspx and razor make this easy.
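As an added example (not from the answer above), the encoders that System.Web already provides for the three output contexts a page normally hits: HTML element text, an attribute value, and a JavaScript string literal. The user-supplied values are constructed here for illustration.

```csharp
using System;
using System.Web;

public static class OutputEncoding
{
    // Element text: <, >, &, " and ' become entities, so the browser renders
    // the value as characters rather than parsing it as markup.
    public static string RenderGreeting(string displayName)
    {
        return "<p>Hello, " + HttpUtility.HtmlEncode(displayName) + "</p>";
    }

    // Attribute value: encode and always quote the attribute. Encoding does not
    // decide whether the URL is acceptable, so the scheme is checked separately.
    public static string RenderProfileLink(string url)
    {
        Uri parsed;
        bool ok = Uri.TryCreate(url, UriKind.Absolute, out parsed)
                  && (parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps);
        string safeUrl = ok ? parsed.AbsoluteUri : "#";

        return "<a href=\"" + HttpUtility.HtmlAttributeEncode(safeUrl) + "\">profile</a>";
    }

    // JavaScript string literal: a different grammar needs a different encoder.
    // The second argument adds the surrounding double quotes.
    public static string RenderInlineScript(string value)
    {
        return "<script>var name = " + HttpUtility.JavaScriptStringEncode(value, true) + ";</script>";
    }

    public static void Main()
    {
        // Constructed inputs containing markup and quote characters.
        Console.WriteLine(RenderGreeting("<b>Ann</b> & co"));
        Console.WriteLine(RenderProfileLink("https://example.com/u?id=1&x=\"y\""));
        Console.WriteLine(RenderInlineScript("Ann \"the\" <admin>"));
    }
}
```

In Razor, `@model.DisplayName` applies the HTML encoding for you, and in Web Forms `<%: model.DisplayName %>` does the same; the places to audit are `@Html.Raw(...)`, `<%= ... %>` and any string built by hand and written to the response, because those are exactly where encoding is skipped.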