Regular Expression Validator
-
Hello everyone, I got stuck while looking for a defense against SQL injection. Please explain how to use regular expression validators on the server side so that the user is unable to modify source code and inject code. I found stored procedures a bit complex, so I don't want to use parameterised queries.
-
greendragons wrote:
defense against sql injection
You should read this article: SQL Injection Attacks and Some Tips on How to Prevent Them
Abhijit Jana | Codeproject MVP Web Site : abhijitjana.net Don't forget to click "Good Answer" on the post(s) that helped you.
-
greendragons wrote:
I found stored procedures a bit complex, so I don't want to use parameterised queries.
Stored procedures and parameterized queries are not the same. Parameterized queries are just normal queries with parameters. I don't think there is any complexity involved in using them, and they are the obvious method to prevent SQL injection attacks.
Navaneeth How to use google | Ask smart questions
-
Hey.. Why do you need Regular Expression validators to prevent SQL injection?? I think it is good to have data validation on the client side... For example: "\d+" will only take numeric values. You may use something like
"^(Insert|Update|Delete|Select)([A-Z][a-z]+)+"
[It might be better if I take time] to ensure that the user doesn't enter DML statements in input. But why do you need to do this?? I think only a simple thing solves the entire problem. Say you have a TextBox called txtName in the page; you write:

    // using System.Data; using System.Data.SqlClient;
    // assuming con is an open SqlConnection; [YourTable] is a placeholder for your table name
    using (SqlCommand cmd = new SqlCommand("UPDATE [YourTable] SET name = @pName WHERE id = '23'", con))
    {
        SqlParameter param = new SqlParameter("@pName", SqlDbType.NVarChar);
        param.Value = txtName.Text; // the text is bound as data, so any SQL inside it is never executed
        cmd.Parameters.Add(param);
        cmd.ExecuteNonQuery();
    }

Isn't it simple enough??? :cool:
Abhishek Sur
My Latest Articles: Create CLR objects in SQL Server 2005, C# Uncommon Keywords, Read/Write Excel using OleDB
Don't forget to click "Good Answer" if you like to.
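The point made in the answers above (bind user input as a parameter rather than splicing it into the SQL text, and keep regex validation as a narrow allow-list on fields like numeric ids) as an added, runnable example that is not from the thread. It uses Python's sqlite3 with an in-memory database instead of ADO.NET so it runs offline; the table, column names and sample inputs are constructed for the demo.

```python
import re
import sqlite3

# Constructed demo schema; the thread's code updates a "name" column by id.
SCHEMA = "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute("INSERT INTO users (id, name) VALUES (23, 'placeholder')")
    return conn


def update_name_concat(conn, user_id, new_name):
    """What NOT to do: the input becomes part of the SQL text, so a quote
    in a perfectly legitimate name changes how the statement parses."""
    sql = "UPDATE users SET name = '" + new_name + "' WHERE id = " + str(user_id)
    conn.execute(sql)
    conn.commit()


def update_name_param(conn, user_id, new_name):
    """Parameterised query: the driver binds the values, the SQL text is fixed,
    so quotes and keywords in the input are stored as plain data."""
    conn.execute("UPDATE users SET name = ? WHERE id = ?", (new_name, user_id))
    conn.commit()


def get_name(conn, user_id):
    row = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchone()
    return row[0] if row else None


# Regex as an allow-list on a narrow field (an id is only digits) is fine;
# a keyword block-list like the one in the thread rejects ordinary text.
ID_PATTERN = re.compile(r"^\d+$")
KEYWORD_BLOCKLIST = re.compile(r"^(Insert|Update|Delete|Select)", re.IGNORECASE)


def is_valid_id(text):
    return bool(ID_PATTERN.match(text))


def concat_breaks_on(new_name):
    """True if naive string concatenation fails for this input (sqlite raises
    OperationalError on the malformed statement)."""
    try:
        update_name_concat(make_db(), 23, new_name)
    except sqlite3.OperationalError:
        return True
    return False
```

Run `update_name_param` with the name `O'Brien` or `Select a colour` and `get_name` returns it unchanged, while `concat_breaks_on("O'Brien")` shows the concatenated version failing on the very same data.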