Summary


In this chapter, you’ve learned about a number of attacks and how they can be inflicted upon a Visual Basic .NET application. For example, you’ve learned that a user name, if unchecked for length and content, could lead to an SQL or HTML script-injection attack, depending on whether you use the user name as part of an SQL query or HTML string.

Taking straightforward measures, such as validating the content of a string to ensure it doesn't contain unexpected characters, can go a long way toward preventing an attack. In addition, data needs to be checked at the point in your code where it can be used to do damage. For example, the most critical place to check the input to an SQL string is immediately before the SQL statement is executed. If the data checks happen only at other points in the application, as surface-level user-interface (UI) checks do, the application might have a more appealing user interface, but it could still be compromised by an attacker who sidesteps the UI and calls into your application by other means.
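The following Visual Basic .NET listing is an added example written for this summary; it is not code from the book. It shows the point made above: a user name validated once, immediately before it reaches the SQL statement, rather than only in the UI, with the string-concatenated query kept beside the parameterized one so the difference is visible. It assumes a hypothetical `Users` table with `UserName` and `Email` columns and a connection string supplied by the caller; the `UserLookup` class and its member names are illustrative, not an API from the book.

```vbnet
' Added example (not from the book): check the user name at the point of use.
' Assumes a Users table with UserName and Email columns (hypothetical) and a
' connection string passed in by the caller.
Imports System
Imports System.Data
Imports System.Data.SqlClient
Imports System.Text.RegularExpressions
Imports System.Web

Public Class UserLookup

    ' Accept only 1 to 20 letters, digits, dots or underscores. Quotes,
    ' semicolons, comment markers and angle brackets are all rejected.
    Private Shared ReadOnly UserNamePattern As New Regex("^[A-Za-z0-9._]{1,20}$")

    Public Shared Function IsValidUserName(ByVal userName As String) As Boolean
        If userName Is Nothing Then Return False
        Return UserNamePattern.IsMatch(userName)
    End Function

    ' VULNERABLE: the user name is spliced into the SQL text. The input
    ' O'Brien breaks the query; the input x' OR '1'='1 matches every row.
    ' Shown only for contrast; never execute a query built this way.
    Public Shared Function BuildUnsafeQuery(ByVal userName As String) As String
        Return "SELECT Email FROM Users WHERE UserName = '" & userName & "'"
    End Function

    ' HARDENED: the check happens here, right before execution, so a caller
    ' that bypasses the UI still cannot get unchecked data into the query.
    ' The value is passed as a typed parameter, never concatenated into SQL.
    Public Shared Function GetEmail(ByVal connectionString As String, _
                                    ByVal userName As String) As String
        If Not IsValidUserName(userName) Then
            Throw New ArgumentException( _
                "User name has unexpected length or characters.", "userName")
        End If

        Dim conn As New SqlConnection(connectionString)
        Dim cmd As New SqlCommand( _
            "SELECT Email FROM Users WHERE UserName = @UserName", conn)
        cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 20).Value = userName

        Try
            conn.Open()
            Dim result As Object = cmd.ExecuteScalar()
            If result Is Nothing OrElse result Is DBNull.Value Then
                Return Nothing
            End If
            Return CStr(result)
        Finally
            conn.Close()
        End Try
    End Function

    ' HTML output: the name is encoded at the point it is written into the
    ' page, so a value such as <script>alert(1)</script> is shown as text,
    ' not interpreted by the browser as markup.
    Public Shared Function GreetingHtml(ByVal userName As String) As String
        Return "<p>Welcome, " & HttpUtility.HtmlEncode(userName) & "</p>"
    End Function
End Class
```

The validation in `GetEmail` is deliberately a whitelist (what is allowed) rather than a blacklist of dangerous characters, and it runs inside the same method that executes the statement, so any code path that reaches the database passes through it. The parameter also carries a length, which the UI check alone would not enforce against a caller that never used the UI.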

A common ingredient in most of these attacks is user input. You've seen a number of cases in this chapter where user input, if not validated, could leave your application vulnerable to attack. Because attacks are carried out primarily by means of input to your application, the next chapter is dedicated to the topic of input, including the sources of input you need to check and the Visual Basic .NET tools available for validating it.




Security for Microsoft Visual Basic .NET
ISBN: 735619190
Year: 2003
Pages: 168
