Hello there
I created a simple form to submit data by users,
I found that some user messed up with it and inserted 60000 records,
I'm not sure how he managed to insert these records in less than 5 min.
My form is under .NET 3.5 framework, and the @page directive has validaterequest="true".
Any idea how I can increase my application's security!!!

1 solution

Without knowing how your form works, it is difficult to answer, but the basic rules are: never ever concatenate strings to form SQL commands - always use parameterized queries. I don't know how you are doing yours, but in C#, you would replace:
C#
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES ('" + myTextBox.Text + "')", con);
With
C#
SqlCommand cmd = new SqlCommand("INSERT INTO myTable (textColumn) VALUES (@TX)", con);
cmd.Parameters.AddWithValue("@TX", myTextBox.Text);
Comments
mrcooll 25-Sep-11 6:20am
Hi,
thanks for the reply,
I always use parameters in my SQL command.
I don't think he managed to use SQL injection; what is in my mind is that he filled the form and auto-submitted it using js-injection "javascript:document.forms.form1.submit()",
because I stored the CreationDate of the record, and there are only milliseconds between each record and the other.
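The kind of server-side limit the question is after, as an added example (not code from the original post or the answer): a per-session sliding-window throttle placed in front of the parameterised INSERT the answer recommends, so a client-side auto-submit loop is stopped at the server. The names myTextBox, ErrorLabel, SubmitButton_Click, the "MyDb" connection string and the CreationDate column are assumptions.

```csharp
// Added example, not code from the original post. Assumes a WebForms page with
// a TextBox "myTextBox", a Label "ErrorLabel", a Button wired to SubmitButton_Click,
// and a connection string named "MyDb" in web.config (all placeholder names).
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Web.SessionState;
using System.Web.UI;
public partial class SubmitForm : Page
{
    // Allow at most MaxPerWindow inserts per session within any Window.
    private const int MaxPerWindow = 5;
    private static readonly TimeSpan Window = TimeSpan.FromMinutes(1);
    protected void SubmitButton_Click(object sender, EventArgs e)
    {
        // Enforce the limit on the server: a script calling
        // document.forms.form1.submit() in a loop still hits this check.
        if (!AllowSubmission(Session))
        {
            ErrorLabel.Text = "Too many submissions; please wait a minute.";
            return;
        }
        string cs = ConfigurationManager.ConnectionStrings["MyDb"].ConnectionString;
        using (SqlConnection con = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO myTable (textColumn, CreationDate) VALUES (@TX, @Created)", con))
        {
            cmd.Parameters.AddWithValue("@TX", myTextBox.Text); // text stays data, never SQL
            cmd.Parameters.AddWithValue("@Created", DateTime.UtcNow);
            con.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // Sliding-window counter kept in the session. A new session resets it, so
    // keying on the authenticated user name (or client IP) as well is advisable.
    private static bool AllowSubmission(HttpSessionState session)
    {
        Queue<DateTime> history = session["submitTimes"] as Queue<DateTime>
                                  ?? new Queue<DateTime>();
        DateTime now = DateTime.UtcNow;
        while (history.Count > 0 && now - history.Peek() > Window)
            history.Dequeue();             // drop timestamps outside the window
        bool allowed = history.Count < MaxPerWindow;
        if (allowed) history.Enqueue(now);
        session["submitTimes"] = history;  // write back for out-of-proc session state
        return allowed;
    }
}
```

Rejected submissions never reach the database, and the stored CreationDate lets you confirm afterwards that no burst of inserts milliseconds apart got through.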
