Secure ADO.NET Coding in ASP.NET (1) (Reprinted)

xiaoxiao2021-03-06  40

Securing an application includes writing secure code. That code must expose only the information and functionality that client code actually needs. The common attack against ADO.NET code is SQL injection, which can also harvest private database details from the exceptions an application returns to the client.

Threat: In a SQL injection attack, the attacker inserts additional SQL statements into your command, and the data source executes them. Such statements can modify or destroy the data in the data source, and they can also read back information that should stay private. Any code that builds its command string by concatenating external input is open to SQL injection. For example, the following code is vulnerable:

[Visual Basic]

' custID arrives from the client and is concatenated straight into the SQL text.
' conn is a SqlConnection created earlier. This snippet is deliberately vulnerable.
Dim custID As String = GetCustomerID()
Dim selectString As String = "SELECT * FROM Customers WHERE CustomerID = " & custID
Dim cmd As SqlCommand = New SqlCommand(selectString, conn)
conn.Open()
Dim myReader As SqlDataReader = cmd.ExecuteReader()
myReader.Close()
conn.Close()

An attacker can supply the value "1; DROP TABLE Customers" as the CustomerID to query. The command sent to the data source then becomes:

SELECT * FROM Customers WHERE CustomerID = 1; DROP TABLE Customers

To prevent SQL injection, validate input that comes from external sources, and pass column values as parameters instead of concatenating them into the SQL statement.

Solution 1: Use regular expressions. A regular expression verifies that input matches a specific format. The .NET Framework provides the Regex class for validating values against a regular expression. For example, the following code checks that the input is exactly five alphanumeric characters. Validation narrows what can reach the database, but it is not a substitute for parameters; use both.

[Visual Basic]

Imports System.Text.RegularExpressions

' Returns True only when inString is exactly five ASCII letters or digits.
' Shared (VB's keyword for static) member of a class.
' Note: in .NET, $ also matches just before a trailing newline; use \z instead of $
' if "ABCDE" followed by a newline must be rejected.
Public Shared Function Validate(inString As String) As Boolean
    Dim r As Regex = New Regex("^[A-Za-z0-9]{5}$")
    Return r.IsMatch(inString)
End Function

Solution 2: Use parameters. Parameters provide a safe way to organize the values passed with a SQL statement or to a stored procedure. Because a value received from an external source is transmitted only as a value, never as part of the SQL statement, parameters prevent SQL injection: any SQL embedded in the value is not executed at the data source, and the transmitted value is treated purely as a parameter value. The following code shows how to pass the value as a parameter.

[Visual Basic]

Dim custID As String = GetCustomerID()
' The value is referenced by name; its text never becomes part of the statement.
Dim selectString As String = "SELECT * FROM Customers WHERE CustomerID = @CustomerID"
Dim cmd As SqlCommand = New SqlCommand(selectString, conn)
' Typed, length-bounded parameter: the client value is sent as data, never parsed as SQL.
cmd.Parameters.Add("@CustomerID", SqlDbType.VarChar, 5).Value = custID
conn.Open()
Dim myReader As SqlDataReader = cmd.ExecuteReader()
myReader.Close()
conn.Close()
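The attack from the first snippet and the two defences (allow-list validation and parameterisation) can be exercised end to end against a throwaway database. The following Python script is an added example, not code from the original article: it uses Python's sqlite3 module in place of ADO.NET and SQL Server, with a constructed two-row Customers table. Because sqlite3's execute() refuses multi-statement strings, the vulnerable path uses executescript() to stand in for SQL Server's batch execution (an assumption of this demo, not a property of the article's code); the safe path binds the value through the named placeholder :CustomerID, sqlite3's equivalent of @CustomerID. The validator also shows why the regex anchor matters: $ accepts a trailing newline, while \Z (Python's spelling of .NET's \z) does not.

```python
import re
import sqlite3

# Constructed sample data standing in for the Northwind Customers table.
SAMPLE_CUSTOMERS = [
    ("ALFKI", "Alfreds Futterkiste"),
    ("ANATR", "Ana Trujillo Emparedados"),
]

# The attacker-supplied value from the article: a stacked statement after the ID.
MALICIOUS_ID = "1; DROP TABLE Customers"


def new_db():
    """Fresh in-memory database with a Customers table (constructed fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (CustomerID TEXT PRIMARY KEY, CompanyName TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", SAMPLE_CUSTOMERS)
    conn.commit()
    return conn


def table_exists(conn, name):
    """True if a table called `name` is still present in the schema."""
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def vulnerable_lookup(conn, cust_id):
    """Mirrors the article's first snippet: the ID is concatenated into the SQL text.

    SQL Server executes a command as a batch, so a second statement smuggled in
    through cust_id runs as well. sqlite3's execute() rejects multi-statement
    strings, so executescript() is used here only to reproduce that batch
    behaviour (demo assumption). Rows are discarded; the damage is the point.
    """
    sql = "SELECT * FROM Customers WHERE CustomerID = " + cust_id
    conn.executescript(sql)


def safe_lookup(conn, cust_id):
    """Mirrors the article's parameterised snippet.

    The ID is bound as a value (named placeholder, like @CustomerID in ADO.NET),
    so "1; DROP TABLE Customers" is just an ID that matches no row.
    """
    cur = conn.execute(
        "SELECT CustomerID, CompanyName FROM Customers WHERE CustomerID = :CustomerID",
        {"CustomerID": cust_id},
    )
    return cur.fetchall()


# Allow-list: exactly five ASCII letters or digits.
# \Z anchors at the absolute end of the string (what .NET calls \z).
ID_PATTERN = re.compile(r"^[A-Za-z0-9]{5}\Z")
# The article's anchors as written: $ also matches just before a trailing newline.
LOOSE_ID_PATTERN = re.compile(r"^[A-Za-z0-9]{5}$")


def validate(in_string):
    """Strict version of the article's Validate(): rejects a trailing newline."""
    return ID_PATTERN.match(in_string) is not None


def validate_loose(in_string):
    """The article's pattern verbatim, to show the trailing-newline gap of $."""
    return LOOSE_ID_PATTERN.match(in_string) is not None


def run_demo():
    """Run the article's attack against both query styles and report the outcome."""
    vuln = new_db()
    vulnerable_lookup(vuln, MALICIOUS_ID)       # stacked DROP TABLE executes
    safe = new_db()
    rows = safe_lookup(safe, MALICIOUS_ID)      # value bound, table untouched
    return {
        "table_after_vulnerable": table_exists(vuln, "Customers"),   # False
        "table_after_safe": table_exists(safe, "Customers"),         # True
        "rows_for_malicious_id": rows,                               # []
        "rows_for_valid_id": safe_lookup(safe, "ALFKI"),
        "malicious_id_passes_validation": validate(MALICIOUS_ID),    # False
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script prints that the Customers table is gone after the concatenated query and still present after the parameterised one, and that the malicious value fails the allow-list before it could even reach the database. The two validators differ only in their end anchor; that difference is what lets "ALFKI" plus a newline slip through the article's pattern, so in .NET prefer \z (or RegexOptions-independent full-string checks) when the validated value is later compared or logged.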

Please credit the original URL when reprinting: https://www.9cbs.com/read-73407.html
