Wednesday, February 22, 2012

How to Prevent SQL Injection in ASP.NET

Step 1. Constrain Input
You should validate all input to your ASP.NET applications for type, length, format, and range. By constraining the input used in your data access queries, you can protect your application from SQL injection.

Step 2. Use Parameters with Stored Procedures
Using stored procedures does not by itself prevent SQL injection. The important thing is to use parameters with stored procedures. If you do not use parameters, your stored procedures remain susceptible to SQL injection whenever they build queries from unfiltered input, as described in the "Overview" section of this document.

Step 3. Use Parameters with Dynamic SQL
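The three steps together in one worked C# example, added here and not code from the original post: the login-name pattern, the procedure name dbo.GetUserByLogin, the dbo.Users table and its columns, and the caller-supplied connection string are all assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example (not from the original post). Table, procedure and column
// names are assumptions; the connection string is supplied by the caller.
public static class UserLookup
{
    // Step 1: constrain input. Login names are assumed to be 3-32 characters of
    // letters, digits, dot, underscore or hyphen; anything else is rejected first.
    static readonly Regex LoginPattern = new Regex(@"^[A-Za-z0-9._-]{3,32}\z");

    public static bool IsValidLogin(string login) =>
        login != null && LoginPattern.IsMatch(login);

    // Step 2: parameters with a stored procedure (assumed name dbo.GetUserByLogin).
    public static DataTable GetUserViaProcedure(string connectionString, string login)
    {
        var cmd = new SqlCommand("dbo.GetUserByLogin") { CommandType = CommandType.StoredProcedure };
        return Run(cmd, connectionString, login);
    }

    // Step 3: parameters with dynamic SQL. The unsafe form is
    //   "SELECT ... WHERE LoginName = '" + login + "'"
    // where a quote inside login rewrites the query; with @Login the SQL text is fixed.
    public static DataTable GetUserViaDynamicSql(string connectionString, string login)
    {
        const string sql = "SELECT UserId, LoginName, Email FROM dbo.Users WHERE LoginName = @Login";
        return Run(new SqlCommand(sql), connectionString, login);
    }

    // Shared plumbing: validate, bind the typed parameter, execute, return rows.
    static DataTable Run(SqlCommand cmd, string connectionString, string login)
    {
        if (!IsValidLogin(login)) throw new ArgumentException("Login name fails the input constraint.", nameof(login));

        using (var conn = new SqlConnection(connectionString))
        using (cmd)
        {
            cmd.Connection = conn;
            // Typed, length-bounded parameter: the value can never become SQL text.
            cmd.Parameters.Add("@Login", SqlDbType.NVarChar, 32).Value = login;
            var table = new DataTable();
            conn.Open();
            using (var reader = cmd.ExecuteReader()) table.Load(reader);
            return table;
        }
    }
}
```

Both query paths share the same validation and parameter binding, so an input such as `' OR 1=1 --` is rejected by the pattern in step 1 and, even if it were not, would reach SQL Server only as the string value of @Login.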

ASP.NET Caching, Micro-Caching, and Performance

Caching is your friend. If you have to present data that comes out of a database, and you run a website that gets a lot of traffic and requests, especially if the data is "read only" (which it almost always is), you can get - in most cases - vastly improved throughput by caching this data for as little as 1/2 of one second.