Click here to Skip to main content
14,919,896 members
Please Sign up or sign in to vote.
1.00/5 (3 votes)
See more:
I divided the approach in to five modules
1- Queries Generation Module
In this module when the application server received input from the user, it dynamically generated the query based on the input, along with the developer-intended query.
2- XML Parsing Module
The queries that generated in the module were then forwarded to an XML parsing component, which converted both queries into XML trees
(X query)
3- Key Generation Module
This module was responsible for secure random key generation. A list of SQL keywords was used to identify SQL keywords in both, intended and actual queries. A secure random key was generated and it was appended to the SQL keywords in both queries X query.
4- Decision Module
This module performed a parallel XML node comparison of the XML nodes added to the stack by the XML parsing module. This comparison was performed till the program either found a mismatch or both stacks were empty. If a mismatch was found, it implied an injection attack since the structure of the intended query and the actual query did not match. If both stacks were empty and no mismatch was found, the program determined the actual query as benign and allowed it to pass further to the database server for execution.
5- Attack Reporting Module
The functioned of this module is only when the decision module determined the user’s query as malicious. It was responsible for reporting a bad query

What I have tried:

I divided the approach in to five modules and I write class that generate random number my problem how I generate dynamic queries
Posted
Updated 4-Nov-16 19:42pm
v3
Comments
[no name] 4-Nov-16 15:04pm
   
http://www.codeproject.com/Messages/5321425/SQL-injection-prevention.aspx

No need to repost this since it's not even a question or a problem.

Why are you going through that song and dance? Just write better sql code.

0) Constrain and sanitize input data. Check for known good data by validating for type, length, format, and range.

1) Use type-safe SQL parameters for data access. You can use these parameters with stored procedures or dynamically constructed SQL command strings. Parameter collections such as SqlParameterCollection provide type checking and length validation. If you use a parameters collection, input is treated as a literal value, and SQL Server does not treat it as executable code. An additional benefit of using a parameters collection is that you can enforce type and length checks. Values outside of the range trigger an exception. This is a good example of defense in depth.
   
That's an awful lot of work to do something that's already easily done if you just pay a little bit of attention to how to write the code to execute a query.

All you're doing with this is making it far more difficult to debug any problems you have with your query.
   

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)




CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900