
I have a basic C# windows form that allows the user to update a specific field in our MySQL database from a Windows machine. What is the best way to check the string input values in the C# form in order to alter the string to include backslashes for comma's etc but also to prevent against any form of SQL injection?

Many thanks.

Jeremy Thompson
aHunter
  • **USE PLACEHOLDERS** Yup. *It's that simple*. And very easily with ADO.NET. (Of course, this doesn't cover all forms of "sanitation", but each of those has its own well-established technique(s).) – Mar 21 '12 at 01:44
  • Can you specify if this is Web/Winform/WPF? – Jeremy Thompson Mar 21 '12 at 02:00
  • http://stackoverflow.com/questions/681583/sql-injection-on-insert , http://stackoverflow.com/questions/5468425/how-do-parameterized-queries-help-against-sql-injection –  Mar 21 '12 at 02:01

1 Answer


Generally the quickest approach I've seen is to use an ISAPI filter, like these:

http://www.iis.net/extensions/UrlScan
http://iis6sqlinjection.codeplex.com/

You should also be using Parameter Commands with Stored Procedures.

While you're doing this you may as well protect against XSS attacks too; here's a fantastic article: http://corneliutusnea.wordpress.com/2009/12/11/xss-attack-your-database-to-detect-missing-output-encoding/

Jeremy Thompson
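The comment above ("use placeholders, with ADO.NET") and the answer's "Parameter Commands with Stored Procedures" both point at the same technique. The following is an added example, not code from the question or the answer, showing what that looks like for a WinForms app talking to MySQL through Connector/NET (`MySql.Data`). It assumes a table `customers` with columns `id` and `notes`, a stored procedure `update_customer_notes(IN p_id INT, IN p_notes VARCHAR(1000))`, and a placeholder connection string; the control names in the final comment are hypothetical.

```csharp
// Added example: parameterised UPDATE and stored-procedure call with
// MySql.Data (ADO.NET). Assumed schema: customers(id INT, notes VARCHAR(1000))
// and procedure update_customer_notes(p_id INT, p_notes VARCHAR(1000)).
using System;
using System.Data;
using MySql.Data.MySqlClient;

public static class CustomerRepository
{
    // Placeholder connection string; read the real one from protected config.
    private const string ConnectionString =
        "Server=localhost;Database=shop;Uid=app_user;Pwd=<placeholder>;";

    // What the question is trying to avoid: splicing the user's text into the
    // SQL string. Any quote or comma in the input becomes part of the statement.
    // Adding backslashes by hand is fragile (it depends on the server's SQL mode
    // and character set) and is not a substitute for parameters.
    public static string BuildUnsafeUpdate(int id, string notes)
    {
        return "UPDATE customers SET notes = '" + notes + "' WHERE id = " + id;
    }

    // Safe form: the SQL text is fixed at compile time and the values are sent
    // as typed parameters, so the server never parses user input as SQL.
    // No escaping of commas, quotes or backslashes is needed in the form code.
    public static int UpdateNotes(int id, string notes)
    {
        if (notes == null) throw new ArgumentNullException(nameof(notes));
        if (notes.Length > 1000)
            throw new ArgumentException("notes exceeds column width", nameof(notes));

        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand(
            "UPDATE customers SET notes = @notes WHERE id = @id", conn))
        {
            // Typed parameters: the driver enforces the type and length.
            cmd.Parameters.Add("@id", MySqlDbType.Int32).Value = id;
            cmd.Parameters.Add("@notes", MySqlDbType.VarChar, 1000).Value = notes;
            conn.Open();
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }

    // Same update through a stored procedure, as the answer suggests. The
    // procedure name is fixed in code and the arguments are still bound as
    // parameters; the procedure itself must not build dynamic SQL from them.
    public static int UpdateNotesViaProcedure(int id, string notes)
    {
        using (var conn = new MySqlConnection(ConnectionString))
        using (var cmd = new MySqlCommand("update_customer_notes", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.AddWithValue("@p_id", id);
            cmd.Parameters.AddWithValue("@p_notes", notes);
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}

// In the form's button handler (hypothetical control names):
// int rows = CustomerRepository.UpdateNotes(
//     (int)idNumericUpDown.Value, notesTextBox.Text);
```

The point for the form code is that input validation (length, allowed characters, the `id` actually being a number) is still worth doing for data quality, but it is the parameter binding, not escaping, that removes the injection risk. The `BuildUnsafeUpdate` method is kept only to show the shape of the string that must never be executed.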