Please, please, please, learn about injection attacks!

re: Please, please, please, learn about injection attacks!

Bertrand Le Roy — Thu, 08 Jan 2009 00:37:11 GMT

@bahamas4ever: you should use integrated security to avoid sticking passwords in config msdn.microsoft.com/.../ms254500.aspx

re: Please, please, please, learn about injection attacks!

bahamas4ever — Wed, 07 Jan 2009 03:56:38 GMT

using htmlencode/decode works well i have been using it awhile. it is a bit of a pain to have to encode all user input but it works.

i never really thought about the error messages being a weakness but it makes perfect sense, it really would reveal database information.

the db connection thing in webconfig i can't seem to get around not having to put user & password information in it.

any ideas ?

re: Please, please, please, learn about injection attacks!

David Nelson — Tue, 16 Dec 2008 15:45:31 GMT

Did you know you have two "Rule #4"'s? :)

Good writeup, stuff every beginning programmer should know but most never learn.

re: Please, please, please, learn about injection attacks!

Bertrand Le Roy — Fri, 27 Jun 2008 19:21:58 GMT

@Dan: I updated the link. Thanks for the heads up.

re: Please, please, please, learn about injection attacks!

Dan — Fri, 27 Jun 2008 13:48:06 GMT

Bertrand,

the link you highlighted from Kyle Heon no longer seems to work, I just get a page with a load of Chinese characters.

Please can you check or advise on what solution the page revealed?

Thanks

re: Please, please, please, learn about injection attacks!

Bertrand Le Roy — Wed, 18 Jun 2008 16:51:56 GMT

@Todd: thanks for the tip, and I apologize for my English which may sometimes be imprecise as I'm a non-native English speaker. Still, I did some research and here's the definition I found:

"quo·ta·tion mark (plural quo·ta·tion marks) noun

Definition:

punctuation identifying quotation: either of a pair of punctuation marks, either in double (" ") or single (' ') form, used around direct speech, quotations, and titles, or to give special emphasis to a word or phrase"

encarta.msn.com/.../quotation_mark.html

Still, I'll update the post to make this clearer as this definition doesn't seem to be universally adopted and yours is less ambiguous.

re: Please, please, please, learn about injection attacks!

Todd — Wed, 18 Jun 2008 15:39:02 GMT

One thing I see all over the place in programming circles that people mess up all the time is quotes and apostrophes.

A quote is a "

An apostrophe is a '

There is no such thing as a double quote unless it's two quotation marks back to back like ""

If we all help educate people, then perhaps they will start to understand.

SQL Injections

Robert Folkesson — Mon, 02 Jun 2008 19:50:47 GMT

Den senaste tiden har en mängd sajter blivit infekterade av en SQL Injection-attack som använder SQL

re: Please, please, please, learn about injection attacks!

df — Thu, 14 Feb 2008 18:59:10 GMT

hello

i am like hack login admin panel in asp.net web applection !

re: Please, please, please, learn about injection attacks!

Bertrand Le Roy — Mon, 08 Oct 2007 04:55:35 GMT

Jigar: do you mean in an html input tag? Then use an asp:textbox, or just html-encode the value when rendering it.

If you mean in input data in general, the trick is to always use a technique that makes it impossible in the current context to inject code. That means parameters in SQL instead of concatenation, HTML-encoding when rendering HTML, etc. Finally, validate input through a white list.