Injection Attacks

To prevent SQL-injection attacks,

  • never use string concatenation to build a SQL command,
  • always use the SqlCommand class (or OleDbCommand class, etc.) with parameterized commands,
  • if possible, consider using stored procedures.

These are some of the common answers in the ASP.NET forums.

All relational databases are vulnerable to SQL-injection attacks. Most SQL-injection attacks come through Web applications that combine user input with dynamic SQL to form the SQL commands the application sends to the database.

Bertrand LeRoy's article "Please, please, please, learn about injection attacks!" explains injection attacks lucidly.


  • "# if possible consider using stored procedures."

    If the stored procedure is a dyn. search proc, you're still vulnerable.

    It's simple: use parameters for the values of the predicates in a query.
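Both the advice in the post (parameters, never concatenation) and the point in this reply (a stored procedure that builds its SQL dynamically is still injectable) can be seen in a small runnable example. This is an added example, not code from the post or its comments; it uses Python's sqlite3 module with a constructed in-memory table instead of ADO.NET's SqlCommand, but the `?` placeholders work the same way as SqlParameter: the command text is fixed and the value is sent separately. The `dynamic_search_proc` function is a hypothetical stand-in for a "dynamic search" stored procedure that concatenates its own SQL internally.

```python
import sqlite3


def make_db():
    # Constructed sample data: an in-memory SQLite table standing in for a
    # real catalogue. Rows with secret = 1 must never be returned to users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, secret INTEGER)")
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?)",
        [(1, "widget", 0), (2, "gadget", 0), (3, "internal-only", 1)],
    )
    return conn


def search_concat(conn, term):
    # VULNERABLE: the user's term is pasted into the command text, so a quote
    # in the input changes the structure of the query, not just a value.
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_param(conn, term):
    # SAFE: the command text never changes; the term travels as a parameter
    # and is treated purely as data by the database engine.
    sql = "SELECT name FROM products WHERE secret = 0 AND name LIKE '%' || ? || '%'"
    return [row[0] for row in conn.execute(sql, (term,))]


def dynamic_search_proc(conn, term):
    # Hypothetical model of a "dynamic search" stored procedure: the caller
    # passes term as a parameter, but inside the procedure the SQL text is
    # assembled by concatenation (EXEC(@sql) style). The parameter boundary is
    # lost at that point, so the procedure is just as injectable.
    return search_concat(conn, term)


# Constructed hostile input: closes the LIKE literal, widens the predicate
# to include secret rows, and comments out the remainder of the query.
INJECTION = "x%' OR secret = 1 --"


def demo():
    # Returns a dict so the contrast between the two approaches is easy to check.
    conn = make_db()
    return {
        "concat_normal": search_concat(conn, "widg"),
        "param_normal": search_param(conn, "widg"),
        "concat_hostile": search_concat(conn, INJECTION),
        "param_hostile": search_param(conn, INJECTION),
        "proc_hostile": dynamic_search_proc(conn, INJECTION),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:15} -> {rows}")
```

With ordinary input both searches return the same rows. With the hostile term the concatenated query (and the "stored procedure" that concatenates internally) leaks the `internal-only` row, while the parameterized query simply finds no product whose name contains that literal string.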

  • the other item to add is:

    validate all input with data tests....

    if it's a date or a number use reg-ex or other parsing functions and validate the format of that data.

    if it's a text item (this is the big one) test it for several no-no items like extra quote chars (single quotes, double quotes), embedded NULL chars, and other stuff...

    in some cases you may need to have a function that simply adds a valid char that does not belong in the text to "escape" some values and make them harmless to your app.

    (like a user entering a comment that has sql text in the comment such as a bug report)

  • Denny, please, do not use such incomplete methods: you're basically recommending a black-list. Read my article to see why you should never rely on black-lists.

  • Please write in depth about SQL injection.
    I want to learn the types of SQL injection.

  • Heaven has eyes: in my lifetime I have been allowed to see such a brilliant and wonderful post.
