SQL Injection

Preventing SQL Injection

Use the following countermeasures to prevent SQL injection attacks:

• Constrain input .

• Use type safe SQL parameters .

Constrain Input

Validate input for type, length, format, and range. If you do not expect numeric values, then do not accept them. Consider where the input comes from. If it is from a trusted source that you know has performed thorough input validation, you may choose to omit data validation in your data access code. If the data is from an untrusted source or for defense in depth, your data access methods and components should validate input.

Use Type Safe SQL Parameters

The Parameters collection in SQL provides type checking and length validation. If you use the Parameters collection, input is treated as a literal value and SQL does not treat it as executable code. An additional benefit of using the Parameters collection is that you can enforce type and length checks. Values outside of the range trigger an exception. This is a healthy example of defense in depth.

Use stored procedures where you can, and call them with the Parameters collection.

 SqlDataAdapter myCommand = new SqlDataAdapter("AuthorLogin", conn); myCommand.SelectCommand.CommandType = CommandType.StoredProcedure; SqlParameter parm = myCommand.SelectCommand.Parameters.Add(                        "@au_id", SqlDbType.VarChar, 11); parm.Value = Login.Text; 

 SqlDataAdapter myCommand = new SqlDataAdapter("LoginStoredProcedure '" +                                Login.Text + "'", conn); 

 SqlDataAdapter myCommand = new SqlDataAdapter( "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id", conn); SqlParameter parm = myCommand.SelectCommand.Parameters.Add("@au_id",                         SqlDbType.VarChar, 11); parm.Value = Login.Text; 

Using Parameter Batching

A common misconception is that if you concatenate several SQL statements to send a batch of statements to the server in a single round trip, then you cannot use parameters. However, you can use this technique if you make sure that parameter names are not repeated. You can easily do this by adding a number or some other unique value to each parameter name during SQL text concatenation.

Using Filter Routines

Another approach used to protect against SQL injection attacks is to develop filter routines that add escape characters to characters that have special meaning to SQL, such as the single apostrophe character. The following code fragment illustrates a filter routine that adds an escape character:

 private string SafeSqlLiteral(string inputSQL) {   return inputSQL.Replace("'", "''"); } 

The problem with routines such as this and the reason why you should not rely on them completely is that an attacker could use ASCII hexadecimal characters to bypass your checks. You should, however, filter input as part of your defense in depth strategy.

Using LIKE Clauses

Note that if you are using a LIKE clause, wildcard characters still need escape characters. The following code fragment illustrates this technique:

 s = s.Replace("[", "[[]"); s = s.Replace("%", "[%]"); s = s.Replace("_", "[_]");