How do I prevent a db injection attempt application break
-
Hi there, I need to prevent possible db injection attacks, I have proper validation strings in the form to replace potentially harmful characters, however there seems to be something built into .NET that screams when it sees the angle bracket followed by the word "script" before it performs any validation or string replacement function. I know hackers use these errors to their advantage, so how can I keep the site from breaking at all if someone attempts to use this tactic to inject my database? The only solution I can think of is to use a custom generic error page - that of course reveals no info - but the fact that an error occurred does. Any suggestions? - Thanks!
-
You may want to add a validateRequest="false" in the page directive to disable the validation, and use SQL parameters to prevent potential SQL injection. Also, read about cross site scripting (XSS) while at it, because you may be vulnerable to it too.
-
Use parameterized queries and stop assuming that the user is feeding your application the correct data. Look at this Introduction to SQL Injection. Hope it helps
Vuyiswa Maseko, Few companies that installed computers to reduce the employment of clerks have realized their expectations.... They now need more and more expensive clerks even though they call them "Developers" or "Programmers." C#/VB.NET/ASP.NET/SQL7/2000/2005/2008 http://www.vuyiswamaseko.tiyaneProperties.co.za vuyiswa@its.co.za http://www.itsabacus.co.za/itsabacus/
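Both replies above say the same thing: stop trying to strip "bad" characters and pass user input to SQL Server as parameters instead. The following is an added example (not code from either poster) of an ASP.NET WebForms code-behind that does that and also HTML-encodes the value before echoing it back, which is what keeps the page safe once request validation is turned off. The control names (txtUserName, lblResult), the table and columns (Users, UserName, Email) and the connection string name "MainDb" are assumptions made for the illustration.

```csharp
// Added example, not from the original thread. Demonstrates the two fixes the
// replies recommend: a SqlParameter instead of string concatenation, and output
// encoding for anything rendered back to the browser.
// Assumed page directive on the matching .aspx:
//   <%@ Page Language="C#" ValidateRequest="false" CodeFile="SearchUsers.aspx.cs" Inherits="SearchUsers" %>
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class SearchUsers : Page
{
    protected void btnSearch_Click(object sender, EventArgs e)
    {
        string requested = txtUserName.Text;   // untrusted: whatever the user typed

        // VULNERABLE (what character replacement tries, and fails, to protect):
        //   string sql = "SELECT Email FROM Users WHERE UserName = '" + requested + "'";
        // Input such as   x' OR '1'='1   changes the query's logic. Blacklisting
        // characters loses because the attacker controls the encoding, not you.

        // HARDENED: the query text is fixed; the value travels separately as a
        // typed parameter and is never parsed as SQL by the server.
        const string sql = "SELECT Email FROM Users WHERE UserName = @UserName";
        string connStr = ConfigurationManager
            .ConnectionStrings["MainDb"]      // assumed connection string name
            .ConnectionString;

        string email = null;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length (assumed to match the column) so the
            // driver does not infer NVARCHAR(MAX) and defeat the index.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 64).Value = requested;
            conn.Open();
            email = cmd.ExecuteScalar() as string;
        }

        // Output encoding: with ValidateRequest="false" the page will accept
        // <script>alert(1)</script>, so encode before rendering; the browser then
        // shows it as text instead of running it.
        lblResult.Text = email == null
            ? "No user named " + HttpUtility.HtmlEncode(requested)
            : HttpUtility.HtmlEncode(email);
    }
}
```

One caveat for anyone applying this on .NET 4.0 or later: the page-level ValidateRequest="false" only takes effect there if web.config also sets `<httpRuntime requestValidationMode="2.0" />`, otherwise the framework still rejects the request before the page runs. Disabling the check does not make the input safe; the parameter and the encoding are what do that, and the original validator only ever caught a handful of patterns anyway.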