This task is related to security, which is a bit difficult to implement. First of all you have to know what SQL injection is, and then you can implement it easily.
You have to follow these steps:
1) Check for input constraints:
For that, do not depend only on client-side constraints; use server-side constraints like RegularExpressionValidator or RangeValidator, etc.
e.g.

<%@ Page Language="C#" %>
<form id="form1" runat="server">
  <asp:TextBox ID="SSN" runat="server" />
  <asp:RegularExpressionValidator ID="regexpSSN" runat="server"
      ErrorMessage="Unidentified SSN Number"
      ControlToValidate="SSN"
      ValidationExpression="^\d{3}-\d{2}-\d{4}$" />
</form>

Code for constraint input in data access:

using System;
using System.Text.RegularExpressions;

public void CreateNewUserAccount(string name, string password)
{
    // Validate the arguments that were passed in, not the text boxes again
    if (!Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        throw new FormatException("Invalid name format");
    if (!Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"))
        throw new FormatException("Invalid password format");
}

2) Use SqlParameterCollection as:

using (SqlConnection con = new SqlConnection(connectionString))
{
    DataSet ds = new DataSet();
    SqlDataAdapter sqlDA = new SqlDataAdapter("LoginStoredProcedure", con);
    sqlDA.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Typed, length-limited parameter: the value is sent as data, never parsed as SQL
    sqlDA.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    sqlDA.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    sqlDA.Fill(ds);
}

3) Use parameter batching:

using (SqlConnection con = new SqlConnection(connectionString))
{
    SqlDataAdapter da = new SqlDataAdapter(
        "SELECT Emp_Name INTO #Temp1 FROM Employee " +
        "WHERE Emp_Name > @empNameParm; " +
        "SELECT CompanyName FROM Employee " +
        "WHERE Country = @countryParm AND Emp_Name IN " +
        "(SELECT Emp_Name FROM #Temp1);", con);
    // Parameter names must match the placeholders in the SQL text exactly
    SqlParameter empNameParm = da.SelectCommand.Parameters.Add("@empNameParm", SqlDbType.NChar, 5);
    empNameParm.Value = Emp_Name.Text;
    SqlParameter countryParm = da.SelectCommand.Parameters.Add("@countryParm", SqlDbType.NVarChar, 15);
    countryParm.Value = country.Text;
    con.Open();
    DataSet ds = new DataSet();
    da.Fill(ds);
}
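The three steps above combined into one data-access method, as an added example that is not part of the original answer. The stored procedure name LoginStoredProcedure, the @au_id parameter and the 11-character SSN format come from the answer; the class, method names and the connection string are assumptions. The unsafe method is included only to show what a spliced-in quote does to the statement text, next to the parameterized form that treats the same input as plain data.

```csharp
// Added example; not the original answer's code. Assumes a stored procedure named
// LoginStoredProcedure with a single VarChar(11) parameter @au_id.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class AccountLookup
{
    // Server-side allow-list check, independent of any client-side validator
    private static readonly Regex SsnPattern = new Regex(@"^\d{3}-\d{2}-\d{4}$");

    // What NOT to do: the input becomes part of the SQL text, so a quote character
    // inside ssn ends the string literal early and changes the statement the server sees.
    public static string UnsafeQuery(string ssn)
    {
        return "SELECT * FROM authors WHERE au_id = '" + ssn + "'";
    }

    // Safe version: a typed, length-limited parameter bound to a stored procedure.
    // The value travels separately from the statement and is never parsed as SQL.
    public static SqlCommand CreateSafeCommand(SqlConnection con, string ssn)
    {
        if (!SsnPattern.IsMatch(ssn))
            throw new FormatException("Invalid SSN format");

        var cmd = new SqlCommand("LoginStoredProcedure", con);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
        return cmd;
    }

    public static DataTable Lookup(string connectionString, string ssn)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = CreateSafeCommand(con, ssn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            da.Fill(table);   // Fill opens and closes the connection itself
            return table;
        }
    }

    public static void Main()
    {
        // Constructed inputs: a well-formed SSN and one carrying a stray quote character
        string good = "123-45-6789";
        string bad = "123-45-6789'";

        // The quote is now part of the statement text
        Console.WriteLine(UnsafeQuery(bad));

        // Assumed connection string; no database is contacted until Fill/Execute runs
        using (var con = new SqlConnection("Server=(local);Integrated Security=true"))
        {
            var cmd = CreateSafeCommand(con, good);
            Console.WriteLine(cmd.Parameters["@au_id"].Value);   // sent as data, not SQL

            try { CreateSafeCommand(con, bad); }
            catch (FormatException e) { Console.WriteLine("Rejected: " + e.Message); }
        }
    }
}
```

Validation rejects the malformed value before any command is built; even if the regex were loosened, the parameter binding alone keeps the quote from altering the statement, which is why the parameter, not the regex, is the primary control.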
Try to use SQL stored procedures as much as you can, because there is no chance of SQL injection in procedure parameters.
You should use SqlParameter to prevent SQL injection.
SQL
select * from tablename where fieldname=@fieldname
You should use OracleParameter to prevent SQL injection.
Oracle
select * from tablename where fieldname=:fieldname
How to apply in .NET:
string sql = "select * from tablename where fieldname=@fieldname";
using (SqlConnection connection = new SqlConnection(/* connection info */))
using (SqlCommand command = new SqlCommand(sql, connection))
{
    // the parameter name must match the placeholder in the SQL text
    command.Parameters.AddWithValue("@fieldname", fieldname.Text);
    connection.Open();
    SqlDataReader reader = command.ExecuteReader();
}
Use stored procedures. Using stored procedures is more secure and faster.
Add input validation for special characters that enable SQL injection, such as: < > ! '
In MVC.NET you can create custom validation and use it as action method annotations.
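One way to build the custom validation mentioned above, as an added example that is not from the original answer: an allow-list ValidationAttribute that ASP.NET MVC model binding runs before the action executes, so the characters the answer names (< > ! ') never reach the action. The attribute name, the allowed character set and the SearchModel class are assumptions; the controller shown in the comment is illustrative. The attribute is defence in depth and the query it feeds should still use parameters.

```csharp
// Added example; not the original answer's code. Uses only System.ComponentModel.DataAnnotations,
// so it runs as a console program without an MVC pipeline.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

// Allow-list check: letters, digits, space and a few punctuation marks only.
// Anything else, including < > ! and ', fails validation.
[AttributeUsage(AttributeTargets.Property | AttributeTargets.Parameter)]
public sealed class SafeTextAttribute : ValidationAttribute
{
    private static readonly Regex Allowed = new Regex(@"^[\p{L}\p{Nd} .,_-]{1,100}$");

    public override bool IsValid(object value)
    {
        if (value == null) return true;          // combine with [Required] when a value is mandatory
        string s = value as string;
        return s != null && Allowed.IsMatch(s);
    }

    public override string FormatErrorMessage(string name)
    {
        return name + " contains characters that are not allowed.";
    }
}

public class SearchModel
{
    [Required, SafeText]
    public string Term { get; set; }
}

// In a controller the attribute runs during model binding (illustrative, assumed code):
//
// [HttpPost]
// public ActionResult Search(SearchModel model)
// {
//     if (!ModelState.IsValid) return View(model);   // attribute failures land in ModelState
//     // ... pass model.Term to a parameterized SqlCommand, never concatenate it
// }

public static class Demo
{
    // Runs the same validation MVC would, directly against a model instance
    public static bool Check(string input)
    {
        var model = new SearchModel { Term = input };
        var results = new List<ValidationResult>();
        return Validator.TryValidateObject(model, new ValidationContext(model, null, null),
                                           results, validateAllProperties: true);
    }

    public static void Main()
    {
        // Constructed inputs
        Console.WriteLine(Check("smith"));      // True
        Console.WriteLine(Check("<script>"));   // False: angle brackets rejected
        Console.WriteLine(Check("it's"));       // False: apostrophe rejected
        Console.WriteLine(Check(""));           // False: [Required] fails
    }
}
```

Because the attribute rejects apostrophes, names like O'Brien would be refused by this particular allow-list; widen the pattern where that matters and rely on the parameterized query to keep such input harmless.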