How to prevent SQL injection with this method

Question

1.00/5 (1 vote)

See more:

I already have Parameterized Stored Proc.

I want to know how I would prevent single quotes or sql statements like "select..." from being entered into a textbox.

Currently this is my process, I "edit top 200 rows of table" in sql and put in "select * From Table" and then that string will populate the textbox when I run the page. I want to replace "select" with a blank space or "hello".

What I have tried:

I have tried this textbox.ToLower().Replace("select","").Replace("'","''");

Posted 27-May-20 10:22am

Charrlay

Updated 27-May-20 10:53am

v3

Add a Solution

Comments

MadMyche 27-May-20 16:40pm

Unless your Stored Procedure is utilizing Dynamic SQL within it, there is not too much to worry about when Parameters are being used.
Would you care to share the SP code for review?

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

ZurdoDev · Answer 1 · 2020-05-27T10:27:00

Solution 1

In your code you should also use parameters. For example

C#

...
using (SqlCommand cmd = new SqlCommand("SP_Name", sqlCon){
  ...
  cmd.Parameters.AddWithValue ("@param1", textField1.Text);
...
}

In theory, this is sufficient for preventing sql injection. If you want to take it further you could replace known keywords or check for specific ranges of values depending on your data.

Posted 27-May-20 10:27am

ZurdoDev

Comments

Charrlay 27-May-20 16:28pm

Thank you for your quick response but I have also implemented this in my code.

ZurdoDev 27-May-20 16:45pm

Then that's all you need.

Maciej Los 28-May-20 6:09am

5ed!

Patrice T · Answer 2 · 2020-05-27T10:35:00

Quote:
I want to know how I would prevent single quotes or sql statements like "select..." from being entered into a textbox.

You don't need to, if stored proc is done properly. But you didn't show that stored proc.

A couple articles avout sql injection:
SQL injection - Wikipedia[^]
SQL Injection[^]
SQL Injection Attacks by Example[^]
PHP: SQL Injection - Manual[^]
How can I explain SQL injection without technical jargon? - Information Security Stack Exchange[^]