
ado_dotnet thread: avoid sql injection


Message #1 by "DT-Rene Vazquez" <renevazquez@c...> on Mon, 10 Mar 2003 11:31:46 -0500
Hi, could someone give some advice on how to effectively avoid SQL
injection?
Message #2 by "David Adams" <davidadams00@h...> on Mon, 10 Mar 2003 17:40:48 -0500
Just a few suggestions that I can think of on an immediate note:

1) Have all of your activity with your database in the form of stored
procedures (i.e., no in-line SQL statements). If you mandate all interface
with your database as stored procedures, then you can go a long way toward
protecting yourself & your system.
2) Parse your commands to the database through a function that replaces
reserved words & characters (SELECT, INSERT, UPDATE, CREATE, DROP, ";", as
well as terminators (single quotes)) with other words or characters that
invalidate the "injected" SQL.
3) General database administration tasks (like simply degrading rights to
known accounts [SQL Server: sa|<blank password> or sa, Oracle:
scott|tiger] and managing rights on system tables & objects) are a simple,
but often missed, security item.

The .NET ADO.NET training video on the MSDN site shows a very simple SQL
injection attack and how it might be carried out. 

David

-----Original Message-----
From: DT-Rene Vazquez [mailto:renevazquez@c...]
Sent: Monday, March 10, 2003 11:32 AM
To: ADO.NET
Subject: [ado_dotnet] avoid sql injection

Hi, could someone give some advice on how to effectively avoid SQL
injection?

===
Fast Track ADO.NET with C# is a concise introduction to the concepts,
techniques, and libraries that you will need in order to start using ADO.NET
in your applications. The book covers DataSets and Typed DataSets, accessing
data using DataReaders and DataAdaptors, the close relationship between
ADO.NET and XML, how and where to use ADO.NET in your enterprise
applications, and how to use Web Services and ADO.NET to easily pass data
between applications.
http://www.wrox.com/books/1861007604.htm
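The suggestions above in code, as an added example that is not part of the thread or of the Wrox book: the same customer lookup written as the string-concatenation anti-pattern the thread is asking how to avoid, as parameterized in-line SQL, and as a call to a stored procedure with a typed parameter (suggestion 1). The connection string, the `Customers` table and its columns, and the procedure name `usp_GetCustomerByName` are assumptions for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the thread. Table, columns, procedure name and
// connection string below are assumed for illustration.
public static class CustomerLookup
{
    private const string ConnectionString =
        "Server=.;Database=Shop;Integrated Security=true;"; // assumed

    // Anti-pattern: the caller's input is spliced into the command text, so
    // anything it contains is parsed by the server as SQL, not as a value.
    public static DataTable FindUnsafe(string name)
    {
        string sql = "SELECT CustomerId, Name FROM Customers WHERE Name = '" + name + "'";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Parameterized in-line SQL: the value is sent to the server as a typed
    // parameter, separate from the command text, so quotes or keywords inside
    // it are data and never become part of the statement.
    public static DataTable FindParameterized(string name)
    {
        const string sql = "SELECT CustomerId, Name FROM Customers WHERE Name = @name";
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // Stored procedure with a typed parameter (suggestion 1 in the thread).
    // The application login then needs only EXECUTE on the procedure rather
    // than SELECT on the table, which is where suggestion 3 comes in.
    public static DataTable FindViaProcedure(string name)
    {
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("usp_GetCustomerByName", conn)) // assumed name
        using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            DataTable table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    public static void Main(string[] args)
    {
        string name = args.Length > 0 ? args[0] : "O'Brien"; // apostrophe is a normal value here
        DataTable rows = FindViaProcedure(name);
        Console.WriteLine("{0} row(s) for {1}", rows.Rows.Count, name);
    }
}
```

Because the parameter travels out of band, the value needs no quote escaping or keyword filtering on the application side, and the server's query plan is reused across calls. A stored procedure gives the same guarantee only while its body does not rebuild the statement with EXEC on a concatenated string; if it does, the procedure is as exposed as the in-line version.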
Message #3 by "Kingsly, John" <john.kingsly@d...> on Tue, 11 Mar 2003 10:07:55 +0530
This would be helpful for you

http://www.sqlsecurity.com/DesktopDefault.aspx?tabindex=2&tabid=3


cheers
Kings
