Anti SQL Injection Helper
-
I want to take a belt and braces approach to avoiding SQL injection attacks. First step is to obviously used parameterised stored procedures. The second is to write a helper class to check input meets the expected format. To this end I'm thinking of writing a helper class that uses regular expressions.
Imports System.Text.RegularExpressions Public Class AntiSQLInjectionHelper Private Sub New() End Sub Public Shared Function CheckString(ByVal Value As String, ByVal [CheckType] As CheckType) As Boolean Dim pattern As String Select Case [CheckType] Case CheckType.DateString 'Checks for accepted date format pattern = "TODO" Case CheckType.General 'Checks for accepted general format (ie one that doesn't contain any DROP commands etc) pattern = "TODO" Case CheckType.NumberString 'Checks for accepted number format pattern = "TODO" Case CheckType.PasswordString 'Checks for accepted password format pattern = "TODO" Case CheckType.UsernameString 'Checks for accepted username format pattern = "TODO" End Select Return Regex.IsMatch(Value, pattern) End Function Public Enum CheckType DateString NumberString UsernameString PasswordString General End Enum End ClassHas anyone out there got a better way / done anything similar, think its a good idea or know of an alternative? I know there are validation controls that use javascript but a dtermined hacker can circumvent them. Jim -
I want to take a belt and braces approach to avoiding SQL injection attacks. First step is to obviously used parameterised stored procedures. The second is to write a helper class to check input meets the expected format. To this end I'm thinking of writing a helper class that uses regular expressions.
Imports System.Text.RegularExpressions Public Class AntiSQLInjectionHelper Private Sub New() End Sub Public Shared Function CheckString(ByVal Value As String, ByVal [CheckType] As CheckType) As Boolean Dim pattern As String Select Case [CheckType] Case CheckType.DateString 'Checks for accepted date format pattern = "TODO" Case CheckType.General 'Checks for accepted general format (ie one that doesn't contain any DROP commands etc) pattern = "TODO" Case CheckType.NumberString 'Checks for accepted number format pattern = "TODO" Case CheckType.PasswordString 'Checks for accepted password format pattern = "TODO" Case CheckType.UsernameString 'Checks for accepted username format pattern = "TODO" End Select Return Regex.IsMatch(Value, pattern) End Function Public Enum CheckType DateString NumberString UsernameString PasswordString General End Enum End ClassHas anyone out there got a better way / done anything similar, think its a good idea or know of an alternative? I know there are validation controls that use javascript but a dtermined hacker can circumvent them. JimI've never written a class for this... I've always used the Validation controls in my UI code. You might want to check out these two articles, here[^] and here[^], for an idea into using the Validation controls to do what your thinking of. RageInTheMachine9532 "...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
-
I want to take a belt and braces approach to avoiding SQL injection attacks. First step is to obviously used parameterised stored procedures. The second is to write a helper class to check input meets the expected format. To this end I'm thinking of writing a helper class that uses regular expressions.
Imports System.Text.RegularExpressions Public Class AntiSQLInjectionHelper Private Sub New() End Sub Public Shared Function CheckString(ByVal Value As String, ByVal [CheckType] As CheckType) As Boolean Dim pattern As String Select Case [CheckType] Case CheckType.DateString 'Checks for accepted date format pattern = "TODO" Case CheckType.General 'Checks for accepted general format (ie one that doesn't contain any DROP commands etc) pattern = "TODO" Case CheckType.NumberString 'Checks for accepted number format pattern = "TODO" Case CheckType.PasswordString 'Checks for accepted password format pattern = "TODO" Case CheckType.UsernameString 'Checks for accepted username format pattern = "TODO" End Select Return Regex.IsMatch(Value, pattern) End Function Public Enum CheckType DateString NumberString UsernameString PasswordString General End Enum End ClassHas anyone out there got a better way / done anything similar, think its a good idea or know of an alternative? I know there are validation controls that use javascript but a dtermined hacker can circumvent them. JimYou missed the most common solution - use command parameters. You don't need stored procedures to get auto-protection from SQL Injection. Regular expressions are just overkill for this. For normal validation they are appropriate, but not at the database level. In terms of what you are doing, one approach is to create data type classes with built in validation. It is an "ok" solution, and works pretty well with inheritance, e.g.
DBTypeUserNamecan inherit fromDBTypeString. There are downsides to this approach, such as performance (because you are no longer using value types). Last point on validation - like you mentioned, client-side validation is unreliable. Always validate at least once more on the server-side. That said, the validation controls are harder to circumvent than you imply. The javascript is just one layer, the actual validation can be done on the code-behind, like:Sub MySubmit_Clicked() Page.Validate() If Page.IsValid then ... end If end Sub -
I've never written a class for this... I've always used the Validation controls in my UI code. You might want to check out these two articles, here[^] and here[^], for an idea into using the Validation controls to do what your thinking of. RageInTheMachine9532 "...a pungent, ghastly, stinky piece of cheese!" -- The Roaming Gnome
Thanks very much I will look into the articles :) Jim
-
You missed the most common solution - use command parameters. You don't need stored procedures to get auto-protection from SQL Injection. Regular expressions are just overkill for this. For normal validation they are appropriate, but not at the database level. In terms of what you are doing, one approach is to create data type classes with built in validation. It is an "ok" solution, and works pretty well with inheritance, e.g.
DBTypeUserNamecan inherit fromDBTypeString. There are downsides to this approach, such as performance (because you are no longer using value types). Last point on validation - like you mentioned, client-side validation is unreliable. Always validate at least once more on the server-side. That said, the validation controls are harder to circumvent than you imply. The javascript is just one layer, the actual validation can be done on the code-behind, like:Sub MySubmit_Clicked() Page.Validate() If Page.IsValid then ... end If end SubAh I didn't consider command parameters and also traditional custom validation javascript can be circumvented but as you indicated with .NET its a bit more integrated. Thanks for your help, saves me writing unnecessary code. :) Jim