Saturday, March 24, 2012

Suggestions to prevent VICIOUS data input?

Using ASP.NET 2.0/SQL Express...
In places where I allow data input by users (sign up forms, comments,
etc...) do I need to manually safeguard my site against vicious attacks (SQL
injection, etc...)? Should I just run all input through a filter that removes
all special characters, like asterisk, semicolon, etc...? Or, is this
handled internally so I don't have to worry about it? Any suggestions?
Thanks.

VB Programmer wrote:
> Using ASP.NET 2.0/SQL Express...
> In places where I allow data input by users (sign up forms, comments,
> etc...) do I need to manually safeguard my site against vicious attacks (SQL
> injection, etc...)? Should I just run all input through a filter that removes
> all special characters, like asterisk, semicolon, etc...? Or, is this
> handled internally so I don't have to worry about it? Any suggestions?
> Thanks.
>
It depends... You can validate your form entries with regular
expressions (client side AND server side) and the like. Other than that,
the main thing is using parameterized queries - *NOT* string
concatenation to make your SQL queries (that's really asking for
trouble). That would be a good start :) ASP.NET also does protect you to
some extent.
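The contrast john smith draws, shown as an added example in VB.NET for ASP.NET 2.0 with SqlClient (this is not code from the thread or from any poster). It assumes a SQL Express table Users(UserName nvarchar(50), Email nvarchar(256)) and a connection string named "MainDb" in web.config; the payload in the comment is constructed for illustration.

```vb
' Added example, not from the original thread. Assumes a SQL Express
' table Users(UserName nvarchar(50), Email nvarchar(256)) and a
' connection string named "MainDb" in web.config.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Configuration

Public Class SignupRepository

    Private ReadOnly _connStr As String = _
        ConfigurationManager.ConnectionStrings("MainDb").ConnectionString

    ' VULNERABLE: the user's text becomes part of the SQL statement.
    ' A user name of   x', 'e'); DELETE FROM Users; --
    ' closes the VALUES list, appends a second statement, and the "--"
    ' comments out the rest of the original string.
    Public Sub InsertUserUnsafe(ByVal userName As String, ByVal email As String)
        Dim sql As String = "INSERT INTO Users (UserName, Email) VALUES ('" & _
                            userName & "', '" & email & "')"
        Using conn As New SqlConnection(_connStr)
            Using cmd As New SqlCommand(sql, conn)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

    ' SAFE: the statement text is a constant; the values are sent as typed
    ' parameters, so quotes, semicolons and comment markers are just data.
    Public Sub InsertUser(ByVal userName As String, ByVal email As String)
        Const sql As String = _
            "INSERT INTO Users (UserName, Email) VALUES (@UserName, @Email)"
        Using conn As New SqlConnection(_connStr)
            Using cmd As New SqlCommand(sql, conn)
                ' Declare type and size explicitly so the server sees one
                ' parameter shape (and one cached plan) for every input.
                cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName
                cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
    End Sub

End Class
```

Two caveats a practitioner should keep in mind. Parameters protect the statement, not the display: a comment stored this way and later written into a page still needs Server.HtmlEncode, which is the cross-site-scripting half of the problem. And the "to some extent" protection is ASP.NET's request validation (ValidateRequest, on by default in 2.0), which rejects some markup-looking input outright; it is a backstop, not a substitute for parameters and encoding.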
john smith wrote:
> VB Programmer wrote:
> It depends... You can validate your form entries with regular
> expressions (client side AND server side) and the like. Other than that,
> the main thing is using parameterized queries - *NOT* string
> concatenation to make your SQL queries (that's really asking for
> trouble). That would be a good start :) ASP.NET also does protect you to
> some extent.
What he said ^
Also, when using regular expressions, look for GOOD input, and reject
anything that doesn't match. Doing it the other way around, you're
bound to miss something...
Damien
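Damien's allow-list rule and john smith's "client side AND server side" point, as an added example in VB.NET for ASP.NET 2.0 (not code from the thread). The page controls txtUserName, valUserName, btnSubmit and lblError, the user-name format, and the deny-list pattern used for comparison are all assumptions.

```vb
' Added example, not from the original thread. Assumes an .aspx sign-up
' page with controls txtUserName (TextBox), valUserName
' (RegularExpressionValidator), btnSubmit (Button) and lblError (Label).
'
' Validator markup assumed on the page. The same pattern runs client-side
' in JavaScript and again on the server, so it avoids .NET-only tokens:
'   <asp:TextBox ID="txtUserName" runat="server" MaxLength="20" />
'   <asp:RegularExpressionValidator ID="valUserName" runat="server"
'        ControlToValidate="txtUserName"
'        ValidationExpression="^[A-Za-z0-9_]{3,20}$"
'        ErrorMessage="Use 3 to 20 letters, digits or underscores." />
Imports System
Imports System.Text.RegularExpressions

Public Class UserNameRules

    ' Allow-list: say exactly what a good value looks like.
    ' \A and \z anchor to the true start and end of the string. In .NET,
    ' $ also matches just before a trailing newline, so "alice" & vbLf
    ' would slip past ^...$ in Regex.IsMatch.
    Private Shared ReadOnly GoodUserName As New Regex( _
        "\A[A-Za-z0-9_]{3,20}\z", RegexOptions.Compiled)

    ' Deny-list, for comparison only: it blocks the characters everyone
    ' thinks of and still admits  1 OR 1=1  (for a numeric column), a NUL,
    ' a newline, or 2,000 characters of anything.
    Private Shared ReadOnly BadChars As New Regex("[';""\*\-]")

    Public Shared Function IsValidUserName(ByVal value As String) As Boolean
        If value Is Nothing Then Return False
        Return GoodUserName.IsMatch(value)
    End Function

    Public Shared Function PassesDenyList(ByVal value As String) As Boolean
        If value Is Nothing Then Return False
        Return Not BadChars.IsMatch(value)
    End Function

End Class

Partial Class SignUp
    Inherits System.Web.UI.Page

    Protected Sub btnSubmit_Click(ByVal sender As Object, ByVal e As EventArgs) _
            Handles btnSubmit.Click
        ' The client-side script can be disabled or skipped with a hand-built
        ' POST. Because the button has CausesValidation=True (the default),
        ' the validators have already run on the server; Page.IsValid is
        ' that server-side result, and it must be checked here.
        If Not Page.IsValid Then Return

        Dim userName As String = txtUserName.Text.Trim()

        ' Same rule again in code, so the check survives if someone later
        ' removes or loosens the validator control in the markup.
        If Not UserNameRules.IsValidUserName(userName) Then
            lblError.Text = "Invalid user name."
            Return
        End If

        ' userName is now known to be 3 to 20 ASCII word characters; pass it
        ' to a parameterized SqlCommand, never into a concatenated string.
    End Sub

End Class
```

Note that the RegularExpressionValidator itself only succeeds when the whole input matches the pattern, so the trailing-newline issue affects a hand-rolled Regex.IsMatch, not the control; the explicit \A...\z form in code closes that gap. The allow-list also makes the length limit part of the rule, which is what keeps a 50-character parameter from silently truncating a longer value.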
Hi, as part of your research, you should investigate a product I wrote that
handles SQL Injection and Cross Site Scripting attacks. It is VAM: Visual
Input Security. (http://www.peterblum.com/vise/home.aspx)
-- Peter Blum
www.PeterBlum.com
Email: PLBlum@.PeterBlum.com
Creator of "Professional Validation And More" at
http://www.peterblum.com/vam/home.aspx
"VB Programmer" <dont@.emailme.com> wrote in message
news:eGdttg6JGHA.916@.TK2MSFTNGP10.phx.gbl...
> Using ASP.NET 2.0/SQL Express...
> In places where I allow data input by users (sign up forms, comments,
> etc...) do I need to manually safeguard my site against vicious attacks
> (SQL injection, etc...)? Should I just run all input through a filter that
> removes all special characters, like asterisk, semicolon, etc...? Or, is
> this handled internally so I don't have to worry about it? Any
> suggestions?
> Thanks.
>