How can I avoid SQL injection attacks in my ASP.NET application?

Question

I need to avoid being vulnerable to SQL injection in my ASP.NET application. How might I accomplish this?

Answer 1

SQL injection occurs because the query to the database is being constructed in real time, for example:

SELECT * From Table1 WHERE " + UserInput

UserInput may be malicious and contain other statements that you do not intend.

To avoid it, you need to avoid concatenating your query together.

You can accomplish this by using parametrized queries - check out the DBCommand object for your particular DB flavor.

Answer 2

NEVER trust user input, always validate it, and use sql parameters. Should be enough basis to prevent SQL injection.

Answer 3

Never trust user input - Validate all textbox entries using validation controls, regular expressions, code, and so on

Never use dynamic SQL - Use parameterized SQL or stored procedures

Never connect to a database using an admin-level account - Use a limited access account to connect to the database

Don't store secrets in plain text - Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings

Exceptions should divulge minimal information - Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false

Useful link on MSDN Stop SQL Injection

Answer 4

Use XSS Secured UrlEncode using Microsoft.Security.Application.AntiXss.UrlEncode and SQL injection will not work. Or You can use ASP.NET – JSON – Serialization and Deserialization

Also test your application with SiteDigger from Macfee Fre Tool.

Few More are from here

.NET Security Toolkit v1.0 .NETMon v1.0 Validator.NET v1.0