Block SQL injection on websites written in ASP.NET (website security)


To prevent SQL injection attacks against websites built on the ASP.NET platform, validate every input to the ASP.NET application: its type, length, format and range. By constraining the input data that reaches your data access queries, you protect your application from SQL injection.


This article discusses SQL injection in depth for ASP.NET websites, but keep in mind that SQL injection is not specific to this stack: it appears just as readily with PHP and MySQL, and Oracle databases can be injected too.

1. Do not mistake client-side validation for security

Start by constraining input in the server-side code of the ASP.NET web site. Do not rely on client-side validation, because it is easily bypassed (an attacker simply sends the request without the browser's checks). Use client-side validation only to improve the user experience.

On the server, either reject input containing unexpected characters or, where the application genuinely needs them, neutralise them before they reach a SQL statement. Characters with special meaning to SQL include the single quote, the double quote, the NULL byte, the percent sign and the minus sign, as well as the control characters \r, \n and \t ( ' " % \r \n \t ). Filtering alone is fragile, so treat it as a secondary layer and pass values to SQL through parameters, as described in section 2.

– Be very careful with expressions that are always true, such as "OR 1 = 1". If you do not catch them, an attacker can make your query return all of your data.

For example, suppose your SQL statement fetches a single user: select * from Users where uid = 'abc'. This returns only the record for that one user. An attacker who controls the uid value can submit abc' OR 1=1 --, which turns the statement into select * from Users where uid = 'abc' OR 1=1 --' and, because the OR condition is always true, every record in the table is returned.
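The lookup above, built both ways, as an added example that is not part of the original article. BuildVulnerableQuery shows how the injected value expands into the SQL text; GetUser is the hardened form, which binds the value as a typed parameter so SQL Server only ever sees a string literal. The Users table, the uid column and the caller-supplied SqlConnection are assumptions for illustration; the Main method only builds strings, so it runs without a database.

```csharp
// Added example (not from the original article). Assumes a Users table with a
// 'uid' column and an open SqlConnection supplied by the caller.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE: the input is pasted into the SQL text, so a value such as
    //   abc' OR 1=1 --
    // turns the statement into  ... WHERE uid = 'abc' OR 1=1 --'  and returns every row.
    public static string BuildVulnerableQuery(string uid)
    {
        return "SELECT * FROM Users WHERE uid = '" + uid + "'";
    }

    // HARDENED: the value travels as a typed VarChar parameter. Whatever it
    // contains, it is compared with uid as data; it is never parsed as SQL.
    public static DataTable GetUser(SqlConnection connection, string uid)
    {
        var table = new DataTable();
        using (var command = new SqlCommand("SELECT * FROM Users WHERE uid = @uid", connection))
        {
            command.CommandType = CommandType.Text;
            command.Parameters.Add("@uid", SqlDbType.VarChar, 40).Value = uid;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
        }
        return table;
    }

    public static void Main()
    {
        // Print the text the vulnerable version would send for a normal and an injected value.
        Console.WriteLine(BuildVulnerableQuery("abc"));
        Console.WriteLine(BuildVulnerableQuery("abc' OR 1=1 --"));
    }
}
```

Running Main prints the two statements side by side; the second one is the "return everything" query described above. In GetUser the same injected string is simply a uid that matches no row.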

– Watch for the comment sequence "--", which cuts off the rest of the statement, and for unexpected bytes such as 0xBF, which in some multibyte character sets (the classic case is MySQL with GBK) can swallow an escaping backslash and turn an "escaped" quote back into a real one.

Suppose an SSN value is entered through an ASP.NET TextBox control. You can restrict its input with a RegularExpressionValidator control whose ValidationExpression is the pattern for a social security number (three digits, a dash, two digits, a dash, four digits).

If the SSN input comes from another source, such as an HTML control, a query string parameter or a cookie, you can restrict it with the Regex class from the System.Text.RegularExpressions namespace. Suppose the input is read from a cookie:

using System.Web;
using System.Text.RegularExpressions;

// Request.Cookies["SSN"] returns an HttpCookie (null if the cookie is absent), so
// check for null and match the pattern against its Value, not the cookie object.
HttpCookie ssnCookie = Request.Cookies["SSN"];
if (ssnCookie != null && Regex.IsMatch(ssnCookie.Value, @"^\d{3}-\d{2}-\d{4}$"))
{
    // access the database
}
else
{
    // handle the bad input
}

2. Validate input in the data access layer

In addition to page-level validation in ASP.NET, you also need to validate in your data access code. Two common situations require this:

Untrusted client: if the data comes from an untrusted source, or you cannot guarantee that it has already been validated and constrained, add validation logic that constrains the input to the data access code.

Library code: if your data access code is packaged as a library meant to be used by many applications, it must perform its own validation, because you cannot assume that every client application validates its input.

The following is an example of a data access method validating its input parameters with regular expressions before using them in a SQL statement.

using System;
using System.Text.RegularExpressions;

public void CreateNewUserAccount(string name, string password)
{
    // Check that name contains only upper- or lower-case letters, the apostrophe,
    // a dot, or white space, and is between 1 and 40 characters long.
    // Validate the method's own parameters, not page controls: a library
    // method cannot assume where its input came from.
    if (!Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        throw new FormatException("Invalid name format");

    // Check that password is 8 to 10 characters with at least one digit, one
    // lower-case and one upper-case letter. (The 10-character upper bound is the
    // article's choice; a real policy should allow much longer passwords.)
    if (!Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"))
        throw new FormatException("Invalid password format");
}

The following code shows how to use SqlParameterCollection when calling a stored procedure:

using System.Data;
using System.Data.SqlClient;

using (SqlConnection connection = new SqlConnection(connectionString))
{
    DataSet userDataset = new DataSet();
    SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure", connection);
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // Declare the parameter with an explicit type and length (varchar(11) for an SSN).
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myCommand.Fill(userDataset);
}

Here the @au_id parameter is treated as a literal value rather than as executable code, and it is bound with an explicit type and length: in the code above the value is declared as an 11-character VarChar. Do not rely on the parameter's Size alone to reject over-long input, however; SqlClient may silently truncate a longer string to the declared size rather than throw, so check the length in your validation code as well.
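A stored procedure only helps if it is called correctly. The following added example (not from the original article) contrasts the common mistake of invoking the procedure through a concatenated EXEC string, which reintroduces the injection, with the CommandType.StoredProcedure call above, preceded by the length and format check the parameter size does not give you. LoginStoredProcedure and its @au_id parameter are taken from the article; everything else is an assumption for illustration.

```csharp
// Added example (not from the original article). Assumes a stored procedure
// LoginStoredProcedure with a single varchar(11) parameter @au_id.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class LoginRepository
{
    // SSN format: three digits, dash, two digits, dash, four digits.
    private static readonly Regex SsnPattern = new Regex(@"^\d{3}-\d{2}-\d{4}$");

    // WRONG: building an EXEC statement from the input is still string
    // concatenation. An ssn of  x'; DROP TABLE Users; --  becomes part of the batch.
    public static string BuildUnsafeExec(string ssn)
    {
        return "EXEC LoginStoredProcedure '" + ssn + "'";
    }

    // RIGHT: validate first, then call the procedure by name with a typed parameter.
    // The regex enforces the 11-character length, so truncation by Size never matters.
    public static DataSet Login(SqlConnection connection, string ssn)
    {
        if (ssn == null || !SsnPattern.IsMatch(ssn))
            throw new FormatException("Invalid SSN format");

        var result = new DataSet();
        using (var command = new SqlCommand("LoginStoredProcedure", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = ssn;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(result);
            }
        }
        return result;
    }

    public static void Main()
    {
        // Show the text the unsafe version would send for a hostile value.
        Console.WriteLine(BuildUnsafeExec("x'; DROP TABLE Users; --"));
    }
}
```

Login rejects the hostile value before any SQL is built, and even a value that passes the regex reaches the procedure only as the content of @au_id.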

Parameters in batched statements

A common misconception is that if you concatenate several SQL statements into one batch sent to the server in a single round trip, you cannot use parameters.

You can use parameters with batches, provided no parameter name is repeated within the batch. Simply give each parameter a unique name in the SQL, as shown below:

using System.Data;
using System.Data.SqlClient;
. . .
using (SqlConnection connection = new SqlConnection(connectionString))
{
    // Two statements in one batch; each parameter name appears exactly once.
    // Note the trailing spaces inside the string pieces so the SQL does not run together.
    SqlDataAdapter dataAdapter = new SqlDataAdapter(
        "SELECT CustomerID INTO #Temp1 FROM Customers " +
        "WHERE CustomerID > @custIDParm; SELECT CompanyName FROM Customers " +
        "WHERE Country = @countryParm AND CustomerID IN " +
        "(SELECT CustomerID FROM #Temp1);",
        connection);
    SqlParameter custIDParm = dataAdapter.SelectCommand.Parameters.Add(
        "@custIDParm", SqlDbType.NChar, 5);
    custIDParm.Value = customerID.Text;
    SqlParameter countryParm = dataAdapter.SelectCommand.Parameters.Add(
        "@countryParm", SqlDbType.NVarChar, 15);
    countryParm.Value = country.Text;
    connection.Open();
    DataSet dataSet = new DataSet();
    dataAdapter.Fill(dataSet);
}

This tutorial on Taimienphi.vn has shown how to prevent SQL injection attacks against ASP.NET. The key rule is to validate all ASP.NET application input and pass it to the database as parameters, never by concatenating it into SQL text.

A few more SQL Server security principles:

– Disable the sa login: the default sa account has very high privileges (an attacker who obtains it can interfere with the operating system), so disable it and never let the application connect as sa.

– Use accounts with only the rights they need: instead of one account that can access every database, give each database its own account that can reach only that database, and grant it only the minimum access it needs to the specific tables, stored procedures and views it uses.

– Encrypt the connection string in web.config (for example with aspnet_regiis -pe connectionStrings); this limits the damage if the .config file is accidentally exposed.

– Put a firewall in front of the database port: Microsoft SQL Server normally listens on TCP 1433 and MySQL on 3306; allow connections only from the web servers that need them.

Microsoft is also introducing an AI-based Security Risk Detection tool to find vulnerabilities early and better protect data; we will try it as soon as it is available.

https://thuthuat.taimienphi.vn/chan-sql-injection-tan-cong-asp-net-25880n.aspx