Protecting Against SQL Injection Attacks in ASP.NET
Introduction
Unscrupulous users can use poorly secured input forms as a means to gain access to and modify sensitive data, or even eliminate the whole database. This article will explain a number of precautions and methods to undertake to beef up the security around your ASP.NET Web Applications. The common points that make your data access code vulnerable to these types of attacks include:
- Little or no validation on user input;
- Using database accounts with too high an authority, or privileges; and
- Dynamic SQL statements without the safeguard of type-safe parameters.
Try Server Intellect for Windows Server Hosting. Quality and Quantity!
What we will learn in this article:
- How to validate user input on ASP.NET Web Forms;
- How to create and use Stored Procedures instead of inline SQL Statements; and
- How to build type-safe parameters in our data access code.
Getting Started
In this example, we will be creating a sample database and a sample web form in Visual Studio .NET 2008. If you are using an older version of VS.NET, then there may be other steps needed that are not covered in this article. Also, we will be using VS.NET to create our SQL database and Stored Procedures.
But first, we will create the database before moving onto the Web Form. Let's go ahead and right-click on the App_Data folder in Solution Explorer and choose Add New Item.. SQL Server Database. Give it a name if you wish, and then click Ok.
[Click to enlarge]
If you're looking for a really good web host, try Server Intellect - we found the setup procedure and control panel, very easy to adapt to and their IT team is awesome!
You'll notice that we then have the Server Explorer window open, displaying the database:
We can now create a table in our database by right-clicking the Tables folder and choosing to Add New Table. We will create a column ID, which will be the Primary Key and Identity Specification (in Column Properties), Name and Phone, which will both be of type varchar:
Server Intellect assists companies of all sizes with their hosting needs by offering fully configured server solutions coupled with proactive server management services. Server Intellect specializes in providing complete internet-ready server solutions backed by their expert 24/365 proactive support team.
Now we have created our table, we can move onto our Web Form.
We will create a simple form where we allow the user to insert new records, of which will be Name and Phone, to a SQL database. We will use a Repeater to display the results on the page, and then two textboxes and a button.
The code will look something like this:
<asp:ScriptManager ID="SM1" runat="server" />
<asp:UpdatePanel ID="UP1" runat="server">
<asp:Repeater ID="Repeater1" runat="server">
<br />
Name: <asp:TextBox ID="fld_Name" runat="server" MaxLength="25" /> Phone: <asp:TextBox ID="fld_Phone" runat="server" Columns="12" MaxLength="12" /> <br />
<asp:Button ID="but_Submit" runat="server" Text="Add" onclick="but_Submit_Click" />
</ContentTemplate>
</form>
On this form, you'll notice we have the Repeater set up so that we can display each of the records from the database. We also display two textboxes - one for the Name, and one for the Phone. We have set the MaxLength of the textboxes to make sure we know how long the data is going to be. Here is where we will tighten up security on the front-end by adding an ASP.NET Validator. We will us a Regular Expression validator to allow only a string in the format of a US Phone Number to be entered. Drag a Regular Expression Validator onto the ASPX page from the Validation Toolbox. We can then goto the Properties and click on the ValidationExpression option. We will then be presented with a number of preset expressions. Scroll down to US Phone Number and click Ok.
If you're looking for a really good web host, try Server Intellect - we found the setup procedure and control panel, very easy to adapt to and their IT team is awesome!
This validator will only work if the user's browser has JavaScript enabled, so to strengthen this implementation, it is recommended that we use the Page.IsValid method on the codebehind. Our ASPX code will now look something like this:
<asp:ScriptManager ID="SM1" runat="server" />
<asp:UpdatePanel ID="UP1" runat="server">
<asp:Repeater ID="Repeater1" runat="server">
<br />
Name: <asp:TextBox ID="fld_Name" runat="server" MaxLength="25" />
Phone: <asp:TextBox ID="fld_Phone" runat="server" Columns="12" MaxLength="12" />
ValidationExpression="((\(\d{3}\) ?)|(\d{3}-))?\d{3}-\d{4}" />
<asp:Button ID="but_Submit" runat="server" Text="Add" onclick="but_Submit_Click" />
</ContentTemplate>
</form>
Now moving to our code-behind, we will implement the button click handler and set the Repeater data source on page load:
{
Repeater1.DataBind();
protected void but_Submit_Click(object sender, EventArgs e)
{
{
{
else
{
We used over 10 web hosting companies before we found Server Intellect. Their dedicated servers and add-ons were setup swiftly, in less than 24 hours. We were able to confirm our order over the phone. They respond to our inquiries within an hour. Server Intellect's customer support and assistance are the best we've ever experienced.
Notice here, we also use Regular Expressions to verify that the name only consists of alpha-numeric characters. To use RegEx in the code-behind, we need to add the System.Text.RegularExpressions reference.
Next, we will add a Class to the project. Right-click the Project in Solution Explorer and choose Add ASP.NET Folder > App_Code. Then right-click the App_Code folder and choose to Add New Item.. Class. We will name it SQLInjection.cs
We will add the following assembly references to this class:
We use these namespaces because we will be referencing the WebConfigurationManager to get the Connection String from the Web.config, and also we will be using the SqlClient to connect to our database.
Our Connection String looks like this:
Before we add our methods to the new Class, let's add our Stored Procedures. These are just like SQL Statements, but they reside in the database.
To create a new Stored Procedure, right-click the Stored Procedures folder in the Server Explorer, then choose Add New Stored Procedure. We will have something like this:
(
@parameter1 int = 5,
@parameter2 datatype OUTPUT
) */
RETURN
We can replace this starter code with the following, to create a new Stored Procedure named sp_AddData:
@Phone varchar(12)
VALUES (@Name,@Phone)
If you're ever in the market for some great Windows web hosting, try Server Intellect. We have been very pleased with their services and most importantly, technical support.
We also do the same to create another Stored Procedure:
AS
The Stored Procedures will be created once we save them.
Now that we have our Stored Procedures, we can turn our attention to our Class, in which we will create two methods - one to retrieve all the data from the database, and another to add a new record to the database:
{
SqlConnection connection = new SqlConnection(WebConfigurationManager.ConnectionStrings["ConnectionString"].ToString());
try
{
cmd.CommandType = CommandType.StoredProcedure;
connection.Open();
SqlDataAdapter adapter = new SqlDataAdapter(cmd);
adapter.Fill(allData);
connection.Close();
catch
{
return allData;
public static bool AddData(String theName, String thePhone)
{
try
{
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.Add("@Name", SqlDbType.VarChar, 25);
cmd.Parameters["@Name"].Value = theName;
cmd.Parameters.Add("@Phone", SqlDbType.VarChar, 12);
cmd.Parameters["@Phone"].Value = thePhone;
connection.Open();
cmd.ExecuteNonQuery();
connection.Close();
return true;
catch
{
return false;
We are using Server Intellect and have found that by far, they are the most friendly, responsive, and knowledgeable support team we've ever dealt with!
Notice that we reference the name of the Stored Procedure in the SqlCommand, and also set the type of Stored Procedure. Furthermore, with the AddData method, we are required to pass the values to the Stored Procedure as to add to the database. We do this using the Parameters.Add method of the SqlCommand. We also specify the type, as to type-safe the input data.
The final thing that we need to do is to modify our button click code:
{
else
{
Repeater1.DataSource = SQLInjection.GetAllData();
Repeater1.DataBind();
Here, we are simply calling the method we created in the Class to add the contents of the textboxes to the database - but only if the Page Is Valid (is a valid US Phone number) and Name consists of alpha-numeric characters.
What we have Learned
We have learned how to protect our database from SQL Injection Attacks by making it more difficult for users to gain unauthorized access via input forms.
Attachments
Leave a Comment
#1 Joseph Marinaccio
Posted By: Joseph Marinaccio | 12.22.2008 at 11:01 PM
Another awesome article!
Thank you,
Joseph Marinaccio
Marinaccio Family Design
#2 Dulwan Baddewithana
Posted By: Dulwan Baddewithana | 4.08.2009 at 9:40 PM
Hey thanks for the nice article..
#3 wwwww
Posted By: wwwww | 7.13.2009 at 8:29 PM
><script><"Hacking Your Website"></script>
#4 EWREW
Posted By: EWREW | 7.13.2009 at 8:30 PM
><script><"Hacking Your Website"></script>
#5 coolnik999
Posted By: coolnik999 | 7.31.2009 at 1:00 PM
this technical team of yours is very good.....
#6 Teaching degree
Posted By: Teaching degree | 8.29.2009 at 12:16 AM
Furthermore, with the AddData method, we are required to pass the values to the Stored Procedure as to add to the database.
#7 Social work degree
Posted By: Social work degree | 8.29.2009 at 12:16 AM
It was great post.
#8 Nutrition degree
Posted By: Nutrition degree | 8.29.2009 at 12:16 AM
The Stored Procedures will be created once we save them.
#9 Nursing Diploma
Posted By: Nursing Diploma | 8.29.2009 at 12:17 AM
Notice here, we also use Regular Expressions to verify that the name only consists of alpha-numeric characters.
#10 Computer school
Posted By: Computer school | 8.29.2009 at 12:17 AM
I really gathered much from this.Thanks for sharing.
#11 Tiffany Rings
Posted By: Tiffany Rings | 10.23.2009 at 7:37 AM
i like
#12 Tom Ford Eyeglasses
Posted By: Tom Ford Eyeglasses | 11.20.2009 at 5:26 PM
When we are working in ASP.NET there are certain issues like the injection attacks, these tips are really useful for protecting. THanks
#13 Tom Ford Eyeglasses
Posted By: Tom Ford Eyeglasses | 11.23.2009 at 5:43 AM
I found this post very interesting and useful. The presentation is very good. Nice work. Keep it up.
#14 free online games
Posted By: free online games | 11.24.2009 at 10:57 PM
Furthermore, with the AddData method, we are required to pass the values to the Stored Procedure as to add to the database.
#15 handbags shop
Posted By: handbags shop | 12.26.2009 at 12:27 AM
i like
#16 Red Caviar
Posted By: Red Caviar | 1.06.2010 at 6:12 AM
This validator will only work if the user's browser has JavaScript enabled, so to strengthen this implementation, it is recommended that we use the Page.IsValid method on the codebehind. Our ASPX code will now look something like same
#17 bus lines New York
Posted By: bus lines New York | 1.06.2010 at 6:49 PM
Protecting against injection attack is very important for your code security. I am happy to find the coding. Thanks for sharing.
#18 new york web design
Posted By: new york web design | 1.07.2010 at 2:48 AM
Furthermore, with the AddData method, we are required to pass the values to the Stored Procedure as to add to the database.
#19 tiensshop
Posted By: tiensshop | 1.09.2010 at 3:25 AM
I am happy to find the coding which is Protecting against injection attack because this very important for your code security. . Thanks for sharing.
#20 Movers Long Island
Posted By: Movers Long Island | 1.14.2010 at 4:38 PM
Really nice and helpful post. I always appreciate topics like these being discussed to aware people. thanks for sharing.
#21 flowers san jose
Posted By: flowers san jose | 1.16.2010 at 1:13 PM
this is great
#22 Limousine Service NY
Posted By: Limousine Service NY | 1.17.2010 at 4:49 PM
SQL Injection attacks in ASP.net is a big problem, I am happy to find how to cover that. Thanks for the coding
#23 Digital Printing
Posted By: Digital Printing | 1.28.2010 at 10:33 PM
I must say that this is a great post. I loved reading it. You have done a great job
#24 PMI-001
Posted By: PMI-001 | 2.12.2010 at 1:22 AM
Clarifications: on the acknowledgment to cilia vs. action above. While not absolutely incorrect, this acknowledgment is inadequate. Accoutrement abide aural a process. A action can accommodate assorted threads. The operating arrangement contains assorted processes. A action is associated with a specific job object; this article is acclimated to ascertain the abstracts structures appropriate for a action to become executable. A action is executable because one of the accoutrement that it contains is executable. When the action is called for execution, the abstracts structures are mapped for the CPU and beheading begins on the executable thread.
#25 642-825
Posted By: 642-825 | 2.12.2010 at 1:22 AM
AS EJB technology enables accelerated and simplified development of distributed, transactional, defended and carriageable applications based on Java technology which technology is accessible in .Net?
#26 1Y0-A05
Posted By: 1Y0-A05 | 2.12.2010 at 1:23 AM
Machine config:it sets the abject agreement for all the .net assemblies active on the server web config:This sets the abject config for all the web app and override settings in apparatus configuration
#27 70-642
Posted By: 70-642 | 2.13.2010 at 5:50 AM
Below is a simple function that will give you some protection against an SQL Injection attempt.
The sample script below retrieves the form values entered into the textboxes 'txtUsername' and 'txtPassword' and assigns them to variables 'sUsername' and 'sPassword'. The next line of code calls the function IllegalChars and passes in the variables as parameters.
The function IllegalChars holds an array of illegal characters and words, it loops through these checking for their presence against our variables using the InStr function. If any are present in either of our variables then IllegalChars returns False. In that scenario the visitor will be redirected to the file 'no_access.asp'.
#28 online sildenafil
Posted By: online sildenafil | 2.17.2010 at 3:03 PM
Try Server Intellect for Windows Server Hosting. Quality and Quantity - VERY quality!
#29 coach handbag outlet
Posted By: coach handbag outlet | 2.25.2010 at 11:28 PM
Should I give up?
#30 SalazarMandy27
Posted By: SalazarMandy27 | 2.27.2010 at 1:48 AM
If you are in the corner and have no cash to go out from that, you will have to take the <a href="http://lowest-rate-loans.com/topics/home-loans">home loans</a>. Because that will aid you emphatically. I take car loan every year and feel myself great just because of this.
#31 multiplayer games
Posted By: multiplayer games | 3.07.2010 at 3:32 AM
I found your site from cuil and it is very informative. Thank you very much for sharing such an awesome blog post!!!!
#32 security cameras
Posted By: security cameras | 3.10.2010 at 8:00 AM
Wow. This Blog is truly a gold mine. I will actually try these tips and let you know how they work out! Thanks again mate.
#33 electric power tools
Posted By: electric power tools | 3.15.2010 at 1:57 AM
Thx. This's useful, as at first glance the farmer may think there is no difference.
#34 full color printing
Posted By: full color printing | 3.18.2010 at 4:56 AM
these tips are really useful for protecting. THanks
#35 escorts sydney
Posted By: escorts sydney | 3.18.2010 at 10:11 AM
When the action is called for execution, the abstracts structures are mapped for the CPU and beheading begins on the executable thread.
#36 1Z0-053
Posted By: 1Z0-053 | 3.19.2010 at 4:37 AM
Great code, I hope, that it will help my in my project, but any way, you have done great work.
#37 Computer Repair Milnrow
Posted By: Computer Repair Milnrow | 3.21.2010 at 3:37 PM
This validator will only work if the user's browser has JavaScript enabled
#38 term paper
Posted By: term paper | 4.02.2010 at 7:06 AM
You have distinguished writing skillfulness and you topic looks the best. I opine that good students will like to write the essays of such quality and the persuasive essay writing service would do that for them.
#39 essays
Posted By: essays | 4.03.2010 at 3:57 AM
You have defeated my expectations; I am absolutely content with your message it will help me in my essay or custom term papers writing. Thank you so much. I will surely keep in touch.
#40 buy research papers online
Posted By: buy research papers online | 4.06.2010 at 8:01 AM
Incorrectly performed writing services essays would fail your success. But, when you buying essay papers of very high quality, all would be great.
#41 thesis
Posted By: thesis | 4.06.2010 at 8:21 AM
All people should treat legal dissertation just about this good post correctly, just because they will need it a thesis writing service in a future life.
#42 buy custom essay papers
Posted By: buy custom essay papers | 4.08.2010 at 9:57 AM
You can buy term paper or buy custom essay papers about this topic, at the research paper writing service.
#43 re Those athletes just starting triathlon training and haven't tried this sport before need to follow a few basic steps to impro
Posted By: re Those athletes just starting triathlon training and haven't tried this sport before need to follow a few basic steps to impro | 4.08.2010 at 12:14 PM
"How to Protect Against SQL Injection Attacks in ASP.NET" its one of my favorite post. Thanks for informative sharing.
#44 thesis writing
Posted By: thesis writing | 4.09.2010 at 5:46 PM
We should receive dissertation service or dissertation subject. But to demonstrate that you are real professional, you would use buy thesis.
#45 logo design
Posted By: logo design | 4.15.2010 at 5:20 AM
[...]validator will only work if the user's browser has JavaScript enabled, so to strengthen this implementation, it is recommended that we use the Page.IsValid method on the codebehind.[...]
#46 70-450 dumps
Posted By: 70-450 dumps | 4.20.2010 at 9:21 AM
I like your blog very much.
#47 mcitp braindumps
Posted By: mcitp braindumps | 4.20.2010 at 9:21 AM
Thanks for sharing.
#48 dumps for ccna
Posted By: dumps for ccna | 4.20.2010 at 9:21 AM
Your blog is great.
#49 spot uv printing
Posted By: spot uv printing | 4.21.2010 at 7:48 AM
Want to say your article is outstanding. The clarity in your post is simply striking and i can assume you are an expert on this field. Well with your permission allow me to grab your rss feed to keep up to date with forthcoming post. Thanks a million and please keep up the effective work
#50 http://www.storiadeigiochi.com/
Posted By: http://www.storiadeigiochi.com/ | 5.14.2010 at 4:21 AM
I think your script is very much helpful to other.But i want to ask some question from you that,It is not necessary to take the path of folder or images.I try this code many time it looks easy but when I run it do not get any output.But still i think this script need more explanation to run successfully.
#51 646-276 dumps
Posted By: 646-276 dumps | 5.20.2010 at 8:51 AM
I like your blog very much.
#52 117-101 dumps
Posted By: 117-101 dumps | 5.20.2010 at 8:51 AM
Thanks for sharing.
#53 HP0-J22 dumps
Posted By: HP0-J22 dumps | 5.20.2010 at 8:51 AM
Your blog is great and i love it.
#54 notebook battery manufacturer
Posted By: notebook battery manufacturer | 5.21.2010 at 1:53 AM
se poorly secured input forms as a means to gain access to and modify sensitive data, or even eliminate the whole database. This article will explain a number of precautions and methods to undertake to beef up the security around your ASP.NET Web Applications. The common points that make your data access code vulnerable
#55 wholesale shoes
Posted By: wholesale shoes | 5.24.2010 at 3:35 AM
Spring summer pocket perfect supporting role (figure) except heart shape brooch, earring, necklace,
#56 vibram five fingers
Posted By: vibram five fingers | 6.05.2010 at 9:38 AM
That great!Great article!useful That what i'm looking for!
#57 nike air max
Posted By: nike air max | 6.05.2010 at 9:39 AM
This article give me a great help!thank you very much!
#58 Watch TV Shows Online
Posted By: Watch TV Shows Online | 6.10.2010 at 2:16 AM
Very helpful tutorial to Protect Against SQL Injection Attacks in ASP.NET.I was browsing to solve the same problem and found it here. Thanks for sharing.
#59 cheap mbt shoes
Posted By: cheap mbt shoes | 6.18.2010 at 9:03 PM
good post!!thank you
#60 magic of growing taller
Posted By: magic of growing taller | 6.23.2010 at 6:47 AM
I admire the valuable information you offer in your articles. I will bookmark your blog and have my children check up here often. I am quite sure they will learn lots of new stuff here than anybody else!
#61 full truth about abs
Posted By: full truth about abs | 6.23.2010 at 6:48 AM
Loved to read your blog. I would like to suggest you that traffic show most people read blogs on Mondays. So it should encourage bloggers to write new write ups over the weekend primarily.
#62 Acai Max Cleanse
Posted By: Acai Max Cleanse | 7.16.2010 at 9:17 AM
It was a beneficial workout for me to go through your webpage. It definitely stretches the limits with the mind when you go through very good info and make an effort to interpret it properly. I am going to glance up this web site usually on my PC. Thanks for sharing
#63 IT support Manchester
Posted By: IT support Manchester | 7.17.2010 at 10:55 AM
It was a beneficial workout for me to go through your webpage. It definitely stretches the limits with the mind when you go through very good info and make an effort to interpret it properly. I am going to glance up this web site usually on my PC. Thanks for sharing
#64 IT support Manchester
Posted By: IT support Manchester | 7.17.2010 at 10:55 AM
It was a beneficial workout for me to go through your webpage. It definitely stretches the limits with the mind when you go through very good info and make an effort to interpret it properly. I am going to glance up this web site usually on my PC. Thanks for sharing
#65 web design rotherham
Posted By: web design rotherham | 7.20.2010 at 12:48 AM
I would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well
#66 tiffany co
Posted By: tiffany co | 7.21.2010 at 3:13 AM
For classic and quality genuine silver jewelry, many people choose Tiffany & Co brand.Now,we present you the hottest Tiffany silver jewelry .get more http://www.tiffanyonsale.com/
#67 tiffany jewelry
Posted By: tiffany jewelry | 7.21.2010 at 3:13 AM
For classic and quality genuine silver jewelry, many people choose Tiffany & Co brand.Now,we present you the hottest Tiffany silver jewelry .get more http://www.tiffanyonsale.com/
#68 tiffany jewellery
Posted By: tiffany jewellery | 7.21.2010 at 3:13 AM
For classic and quality genuine silver jewelry, many people choose Tiffany & Co brand.Now,we present you the hottest Tiffany silver jewelry .get more http://www.tiffanyonsale.com/
#69 authentic jordans
Posted By: authentic jordans | 7.23.2010 at 4:05 AM
This article will explain a number of precautions and methods to undertake to beef up the security around your ASP.NET Web Applications
#70 tiffany ring
Posted By: tiffany ring | 7.26.2010 at 7:11 AM
This is exactly cheap tiffany jewelry you can get cheap Tiffany Rings, Necklaces, Errings, Bracelets and other Tiffany Jewellery.get more http://www.tiffanyonsale.com/
#71 tiffany bracelet
Posted By: tiffany bracelet | 7.26.2010 at 7:11 AM
This is exactly cheap tiffany jewelry you can get cheap Tiffany Rings, Necklaces, Errings, Bracelets and other Tiffany Jewellery.get more http://www.tiffanyonsale.com/
#72 tiffany necklace
Posted By: tiffany necklace | 7.26.2010 at 7:11 AM
This is exactly cheap tiffany jewelry you can get cheap Tiffany Rings, Necklaces, Errings, Bracelets and other Tiffany Jewellery.get more http://www.tiffanyonsale.com/
#73 nike shoes on sale
Posted By: nike shoes on sale | 8.02.2010 at 4:00 AM
www.cheapshoeshop.com/.../Air-Max-Structu
#74 resume
Posted By: resume | 8.18.2010 at 11:26 PM
Are you willing to get resume writing services, which conform the range of science you desire?. You can rely on our resume writers, as you count on yourself. Thanks because this is the useful stuff
#75 T1 Provider
Posted By: T1 Provider | 8.19.2010 at 2:37 AM
Well and skillfully written I really appreciate it most assuredly it can really for the upgrade of our T1 provider site.
#76 T1 Provider
Posted By: T1 Provider | 8.19.2010 at 2:37 AM
Well and skillfully written I really appreciate it most assuredly it can really for the upgrade of our T1 provider site.
#77 CD bag supplier
Posted By: CD bag supplier | 8.19.2010 at 10:38 PM
This article will explain a number of precautions and methods to undertake to beef up the security around your ASP.NET Web Applications. The common points that make your data access code vulnerable to
#78 replica watches
Posted By: replica watches | 8.21.2010 at 12:31 AM
NICE POST
#79 sql injection attacks
Posted By: sql injection attacks | 8.21.2010 at 2:09 PM
I have added your site to my Google bookmarks because of your extraordinary blog layout. But seriously, I think your site has one of the freshest theme I've came across. It really helps make reading your blog a lot easier.
#80 Wholesale Electronics
Posted By: Wholesale Electronics | 8.22.2010 at 10:13 PM
Wholesale Electronics and Gadgets from pickegg.com.Pickegg.com is an online Wholesale Electronics store.Offers consumer electronics and electronic gadgets at best price.
#81 Ugg Boots
Posted By: Ugg Boots | 8.26.2010 at 6:43 AM
Got any reason to say no to cheap UGG boots? UGG boots that prevailed for years will still warm your frozen toes with the featured sheepskin leather,get more http://www.uggbootuksale.com/
#82 DM800
Posted By: DM800 | 8.28.2010 at 12:20 PM
http://www.traderainbow.com http://www.edhardyclothesshop.com www.rolexreplicascollection.com http://www.louis-vuitton-handbag.net/
#83 vibram five fingers
Posted By: vibram five fingers | 8.29.2010 at 10:39 PM
welcome to www.barefivefingers.com