Wednesday, February 22, 2012

How to Prevent SQL Injection in ASP.NET

http://web.securityinnovation.com/appsec-weekly/blog/bid/79150/How-to-Prevent-SQL-Injection-in-ASP-NET


Step 1. Constrain Input
Validate all input to your ASP.NET application for type, length, format, and range before it reaches your data access code. Constraining the input that ends up in a query (for example, rejecting anything but digits for a numeric ID, or capping a name at the column's length) shrinks what an attacker can send, but it is a first line of defence rather than a complete one: legitimate values such as O'Brien contain characters that also appear in injection payloads, so input constraints must be combined with the parameterization in Steps 2 and 3.

Step 2. Use Parameters with Stored Procedures
Using stored procedures does not by itself prevent SQL injection. What matters is that the values are passed to the procedure as parameters. If you build the EXEC call by concatenating unfiltered input into a string, the procedure call is just as injectable as any other dynamic query, as described in the "Overview" section of the original article. The same applies inside the procedure: a procedure that assembles its own SQL by string concatenation and runs it with EXEC is vulnerable even when the client passed parameters correctly, so dynamic SQL inside a procedure should use sp_executesql with parameters.

Step 3. Use Parameters with Dynamic SQL
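The three steps above fit together in a single data-access class. The following C# is an added example written for this post, not code from the Security Innovation article; the Authors table, the stored procedure usp_GetAuthorsByLastName (with one VARCHAR(40) argument named @LastName), the regular-expression rule for last names, and the connection string are all assumptions. The unsafe method is kept only to show what the hardened methods replace.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class AuthorLookup
{
    // Step 1: constrain input. Hypothetical rule: a last name is 1 to 40 characters
    // made of letters, apostrophes and hyphens. Note that O'Brien passes this rule,
    // so validation alone would still hand a quote character to the query.
    private static readonly Regex LastNameRule = new Regex(@"^[A-Za-z'\-]{1,40}$");

    public static bool IsValidLastName(string lastName)
    {
        return lastName != null && LastNameRule.IsMatch(lastName);
    }

    // VULNERABLE, shown for comparison only. The user-supplied value is spliced into
    // the query text, so an input such as  x' OR '1'='1  rewrites the WHERE clause.
    public static DataTable FindAuthorsUnsafe(string connectionString, string lastName)
    {
        string sql = "SELECT au_id, au_lname, au_fname FROM Authors WHERE au_lname = '"
                     + lastName + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            return Execute(conn, cmd);
        }
    }

    // Step 2: parameters with a stored procedure. The value travels to SQL Server
    // as a typed, length-bounded parameter and is never parsed as SQL text.
    public static DataTable FindAuthorsByProc(string connectionString, string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name failed input validation", "lastName");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("usp_GetAuthorsByLastName", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@LastName", SqlDbType.VarChar, 40).Value = lastName;
            return Execute(conn, cmd);
        }
    }

    // Step 3: parameters with dynamic SQL. The query text is a constant; only the
    // parameter value changes per request, so O'Brien is matched literally.
    public static DataTable FindAuthorsDynamic(string connectionString, string lastName)
    {
        if (!IsValidLastName(lastName))
            throw new ArgumentException("Last name failed input validation", "lastName");

        const string sql =
            "SELECT au_id, au_lname, au_fname FROM Authors WHERE au_lname = @LastName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@LastName", SqlDbType.VarChar, 40).Value = lastName;
            return Execute(conn, cmd);
        }
    }

    private static DataTable Execute(SqlConnection conn, SqlCommand cmd)
    {
        var table = new DataTable();
        conn.Open();
        using (var reader = cmd.ExecuteReader())
        {
            table.Load(reader);
        }
        return table;
    }
}
```

Two points are worth checking in your own code. First, the SqlDbType and size passed to Parameters.Add should match the column or procedure argument, so that an over-long value is rejected by the provider rather than silently truncated. Second, Step 2 only protects the call into the procedure: if usp_GetAuthorsByLastName were itself written as EXEC('... WHERE au_lname = ''' + @LastName + ''''), the injection would simply move server-side, and the procedure body would need sp_executesql with its own parameter list instead.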
