
Preventing SQL Injection Attacks in .NET Applications

Back in September, InfoQ reported on Michael Sutton's alarming study of SQL injection vulnerabilities. Fortunately, preventing most of them in .NET is not hard.

SQL injection vulnerabilities arise when an application builds a SQL command by mixing untrusted input into the command text, so that the database parses the user's data as part of the command. Even a simple mistake in assembling a SQL command can let an attacker read, alter, or destroy data in the database.

Scott Guthrie outlines the most common vector for SQL injection attacks, string concatenation, and then shows a safe method for generating dynamic SQL statements: parameterized queries, in which the SQL text stays fixed and user values are sent to the server as typed parameters. He also includes a set of links for those wanting to perform further research.
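The contrast between the two approaches, as an added example (not code from the InfoQ article or from Scott Guthrie's post). The `Users` table with `UserName` and `Email` columns, the connection string, and the class name are assumptions for illustration:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example; assumed schema: Users(UserName nvarchar(50), Email nvarchar(256)).
public static class UserLookup
{
    // VULNERABLE: the caller's input becomes part of the SQL text itself.
    // Input  ' OR 1=1 --  yields  WHERE UserName = '' OR 1=1 --'  and matches every row;
    // input  x'; DROP TABLE Users --  appends a second statement to the batch.
    public static string BuildUnsafeQuery(string userName)
    {
        return "SELECT Email FROM Users WHERE UserName = '" + userName + "'";
    }

    // SAFE: the SQL text is constant. The value travels as a typed parameter that
    // SQL Server binds at execution time and never parses as SQL, whatever
    // quotes, comment markers, or semicolons it contains.
    public static string GetEmail(string connectionString, string userName)
    {
        const string sql = "SELECT Email FROM Users WHERE UserName = @UserName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declare type and length explicitly: it matches the column definition,
            // gives the server a stable plan, and bounds the size of what is sent.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;

            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null || result == DBNull.Value ? null : (string)result;
        }
    }

    public static void Main()
    {
        // Show what the concatenated version actually sends to the server.
        Console.WriteLine(BuildUnsafeQuery("' OR 1=1 --"));
        Console.WriteLine(BuildUnsafeQuery("x'; DROP TABLE Users --"));

        // The parameterized version would require a live database; an assumed
        // connection string is shown for completeness.
        // string email = GetEmail("Server=.;Database=App;Integrated Security=true", "' OR 1=1 --");
        // With the parameter, that input simply matches no user and returns null.
    }
}
```

One caveat a practitioner should keep in mind: parameters protect values, not identifiers. A table name, column name, or `ORDER BY` clause cannot be passed as a `SqlParameter`, so code that makes those dynamic must validate them against a fixed allow-list instead. The same applies inside the database: a stored procedure that builds a string and runs it with `EXEC` reintroduces the concatenation problem even when the application calls it with parameters.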
