
Preventing SQL Injection Attacks in .NET Applications

by Jonathan Allen on Oct 24, 2006

Back in September InfoQ reported on Michael Sutton's alarming study of SQL injection vulnerabilities. Fortunately, preventing most of them in .NET is not that hard.

SQL injection vulnerabilities are caused by applications that improperly allow users to pass commands to the database. Even simple mistakes creating a SQL command can allow attackers to do massive damage to a database.

Scott Guthrie outlines the most common vector for SQL injection attacks: string concatenation, where user-supplied text is spliced directly into the SQL statement. He then shows the safe method for generating dynamic SQL statements, parameterized queries, in which the SQL text stays fixed and values are passed separately as typed parameters. He also includes a set of links for those wanting to perform further research.
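The two approaches side by side, as an added ADO.NET example that is not code from the InfoQ item or from Guthrie's post; the `Users` table, its columns and the connection string are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // Vulnerable form: the user's text becomes part of the SQL statement itself,
    // so the database cannot distinguish the developer's SQL from the input.
    public static string BuildConcatenatedQuery(string userName)
    {
        return "SELECT UserId, DisplayName FROM Users WHERE UserName = '" + userName + "'";
    }

    // Safe form: the statement text is fixed and the value travels as a typed
    // parameter. The input is compared as a string value and never parsed as SQL.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string userName)
    {
        var command = new SqlCommand(
            "SELECT UserId, DisplayName FROM Users WHERE UserName = @UserName",
            connection);
        // Declaring the type and length also stops oversized input at the client.
        command.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
        return command;
    }

    public static void Main()
    {
        // Constructed sample input: an apostrophe is an ordinary character in a
        // name, yet it terminates the string literal in the concatenated form.
        string input = "O'Brien";

        // Prints: ... WHERE UserName = 'O'Brien'  (a malformed statement; the
        // input has changed the SQL rather than being treated as data)
        Console.WriteLine(BuildConcatenatedQuery(input));

        // Placeholder connection string (assumption); substitute your own.
        using (var connection = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        using (var command = BuildParameterizedCommand(connection, input))
        {
            // The statement text is unchanged and the apostrophe is carried in
            // the parameter value, which is bound server-side on ExecuteReader().
            Console.WriteLine(command.CommandText);
            Console.WriteLine(command.Parameters["@UserName"].Value);
        }
    }
}
```

A code review check that follows from this: any `SqlCommand` whose `CommandText` is assembled from a `+` or `String.Format` expression containing request data is the concatenation pattern and should be rewritten to take parameters.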
