SQL Injection Defense

Comment Posted by Hornwood509

Fri, 30 Oct 2009 11:22:31 GMT

Thanks Joe!

Knew Injection attacks were supposed to be easy, but THIS easy?!?!

Comment Posted by mhpc911

Sun, 01 Nov 2009 13:18:01 GMT

Thank you Joe. I appreciate the information very much. Keep up the good work.

Comment Posted by arlen_bs

Mon, 02 Nov 2009 03:51:50 GMT

thxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

it's gr8888888888888888888888888888888888888888888888888888

Comment Posted by haithemara

Wed, 04 Nov 2009 21:16:35 GMT

good video Joe.

Comment Posted by grettir

Wed, 04 Nov 2009 22:35:12 GMT

Thanks Joe, good video.

Parametrization of the sql queries is a popular way to reduce threat of sql injections. Sometimes RegEx functions are used along with it to fortify the defence.

Comment Posted by cruncher06

Thu, 05 Nov 2009 20:00:28 GMT

Excellent information Joe; I have wanted more information in how to protect my site against security threats. Looking forward to the sample code as well as more security videos.

Thanks.

Comment Posted by geoffHome

Mon, 09 Nov 2009 05:15:35 GMT

Excellent video. So glad I'm moving to LINQ!

Comment Posted by ramaraju_r

Mon, 09 Nov 2009 18:59:18 GMT

Thanks!! it's very helpful. where can I get the source code?

Comment Posted by villamouri

Thu, 12 Nov 2009 10:27:51 GMT

Good tips, thanks.

However,it is my understanding that putting all input box text through

string.replace("'","''") will stop every type of sql attack on MS Sql server. This stops all attempts to terminate the quotes and input any extra commands.

If this is not the case, can anyone give me an example where it would not work? I would like to know if there are any examples, as this method is what I have used for years.

Comment Posted by prashant_victory@hotmail.com

Sat, 12 Dec 2009 12:53:48 GMT

where I can get code of this video (in c#) ???

Comment Posted by gromikov

Mon, 15 Mar 2010 13:54:13 GMT

Excellent guide. Already moving to LINQ!

Comment Posted by jpete17

Mon, 15 Mar 2010 20:32:53 GMT

source code? Great video

Comment Posted by hab0373

Mon, 29 Mar 2010 16:03:07 GMT

With LINQ there is no SQL Injection Vulnerability?, So I dont have to write stored procedures?

Can You Confirm this??

Comment Posted by iamshotgun

Sat, 03 Apr 2010 21:04:44 GMT

...always use parameters or pack it with stored procedures...

Comment Posted by iamshotgun

Sat, 03 Apr 2010 21:06:42 GMT

...i didnt know this page refreshes after SUBMIT iwas halfway through the video and boooom video starts in beginning...arrrgghh...

Comment Posted by jrbarnett

Sun, 11 Apr 2010 16:06:33 GMT

For a future edition - best practise dictates your application stores any user login credentials (including but not limited to passwords, memorable information/password recovery tools) in an encrypted form. The easiest way is to use the HASHBYTES sql server function in 2005/2008 when running insert or update operations against it, and compare against the same algorithm; this way if an attacker is able to select the password field from a table they don't get the ability to login to your app as an end user.

Rule of thumb: if your app has a "Tell me what my password is" function, then it needs to be rewritten as a "Reset forgotten password" - in a well written app, even the system administrator/DBA should not have access to clear text credentials.

Comment Posted by nirman.doshi

Wed, 02 Jun 2010 05:50:36 GMT

Complete explanation of SQL Injection.. and quite elaborated examples. By looking at this ppl would come to about all different potential SQL injection attacks, and the ways to protect applications against them. Thanks for sharing..

Comment Posted by tugberk_ugurlu_

Mon, 14 Jun 2010 06:52:13 GMT

Stored Procedure are perfect against those injections !

Comment Posted by pat2099

Fri, 09 Jul 2010 18:37:44 GMT

Joe,

Great job! Where is the Source Code?

Comment Posted by maximus392

Tue, 13 Jul 2010 07:57:32 GMT

great video.. Very informative stuff..

Comment Posted by DaveCS

Thu, 29 Jul 2010 12:24:44 GMT

Great video. I have know about this for many years but must note to newer users that some 'instant asp website' type software available for purchase uses the very dangerous string building SQL statments.

There was one company that overlooked the SQL injection issue and all of the classic asp and asp.net automated database input code was open to vulnerabilities for many years until the application was finally patched. Microsoft IDE products are safe if you use these guidelines but I would be vary wary of auto-code generators. The SQL statements generated by these tools should be scrutinized with vigor.

I am not going to name any of these products but quick google search of "asp.net code generator" will provide a lengthy list. Please inspect and verify that your SQL statements are safe if you decide to use one of these products.

I myself have been caught off guard with one of these products a few years ago by not being diligent in regard to outputted code.

Comment Posted by FabinhoBR

Mon, 02 Aug 2010 15:30:27 GMT

hey joe,

nice video. thanks a lot!

Comment Posted by practicalguy

Mon, 23 Aug 2010 18:30:12 GMT

villamouri : On November 12, 2009 10:27 AM said:

Good tips, thanks.

However,it is my understanding that putting all input box text through

string.replace("'","''") will stop every type of sql attack on MS Sql server. This stops all attempts to terminate the quotes and input any extra commands.

If this is not the case, can anyone give me an example where it would not work? I would like to know if there are any examples, as this method is what I have used for years.

----------

Yes, I have also used this method for years. If you are using Microsoft products for the front end also remove the escape character like this:

string.replace("\","")

Comment Posted by capedcoder

Wed, 22 Sep 2010 09:25:53 GMT

practicalguy:

I concur. I've been using the "replace" method since my first SQL development in the 90s. I'd like to say it is because I'm a security guru, but it's not. My first application required lookup by name and there are many names (O'Brien for example) that would error in my initial testing. When resolving that problem, the potential for this type of attack was readily apparent. I have always coded to text values and always used the replace function.... name matter the type of input. I also have each input restricted as to character length and, in some cases, numeric or alpha.

Comment Posted by D J

Fri, 22 Oct 2010 06:10:22 GMT

Hey joe,

Nice one its good enough.

hey Capedcoder,

Nice reply for replace problem.