Avoiding an Sql injection attack
I have an asp.net application. In which i have this code:
using (Data.connexion)
{
string queryString = @\"select id_user , nom, prenom, mail, login
-
Always use command parameters to avoid sql injection. Sql injections are handled by Command Parameter automatically. You don't need to worry about sql injection if you use command parameters.
When you don't use command parameters, the parameters' values are simply inserted in sql query without handling sql injection. But when you use command parameters, ADO.Net handles sql injection for you.
讨论(0) -
The best way to protect against SQL injection is to use parameterised queries.
You can make it as safe when concatenating values into a string, but you have to do it exactly right, and the exact method differs between database brands.
For SQL Server, you would encode the string values by doubling any apostrophes in the string. That way any apostrophes would be interpreted correctly by the database, and it would not be possible to use apostrophes to break out of the string:
string queryString = "select id_user, nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login = '" + _login.Replace("'","''") + "' and mdp = '" + _password.GetHashCode().ToString().Replace("'","''") + "'";But, it's still easier to use parameterised queries, then the database driver does this for you. If you try to handle the encoding yourself, and doesn't get it right, then you are in a worse place, because you think that the problem is handled but it can be wide open to SQL injection attacks.
Side note: The
String.GetHashCodemethod is not suited for things like hashing passwords. The implementation of the method can change in the future (as it has in the past), which would make all hashed passwords in the database useless."Do not serialize hash code values or store them in databases." -- http://msdn.microsoft.com/en-us/library/system.string.gethashcode.aspx
讨论(0)
加载中...
- 热议问题