Preventing SQL Injection Attacks in .NET Applications
Back in September InfoQ reported on Michael Sutton's alarming study of SQL injection vulnerabilities. Fortunately preventing most of them in .NET is not that hard.
SQL injection vulnerabilities are caused by applications that improperly allow users to pass commands to the database. Even simple mistakes creating a SQL command can allow attackers to do massive damage to a database.
Scott Guthrie outlines the most common vector for SQL injection attacks, string concatenation. He then goes on to show a safe method for generating dynamic SQL statements using parameterized queries. He also includes a set of links for those wanting to perform further research.
Uwe Zdun, Rafael Capilla, Huy Tran, Olaf Zimmermann Mar 09, 2014
Olav Maassen, Liz Keogh & Chris Matts Mar 08, 2014