Wednesday, April 20, 2011

Prevent Sql Injection in ASP.Net

A successful SQL injection attack enables a malicious user to execute commands in your application's database by using the privileges granted to your application's login. The problem is more severe if your application uses an over-privileged account to connect to the database. For example, if your application's login has privileges to eliminate a database, then without adequate safeguards, an attacker might be able to perform this operation.
Common vulnerabilities that make your data access code susceptible to SQL injection attacks include:
    * Weak input validation.
    * Dynamic construction of SQL statements without the use of type-safe parameters.
    * Use of over-privileged database logins.
To prevent the sql injection please copy and paste the following code into your app_code folder.And add a handler into your web.config files as follows-

    <add name="ScriptModule" type="System.Web.Handlers.ScriptModule, System.Web.Extensions, Version=,  Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>      
    <add name="InjectFilter" type="Inject.InjectFilter"/>

and put the fololowing code into a class.
And your code is ready to use no external function or code to validate each input ot whatever you can use this in any new website or even old sites without making too much changes.

Happy Coding!!!!!!!!!!!!!!

 In C#
using System;
using System.Data;
using System.Configuration;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
using Microsoft.VisualBasic;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
namespace Inject
    public class InjectFilter : IHttpModule
        //Defines the set of characters that will be checked.
        //You can add to this list, or remove items from this list, as appropriate for your site
        public static string[] blackList = {
        ";--",  "/*", "*/", "@@","/script","xp_", "b.js", " char "," nchar "," varchar ", " nvarchar ", " alter ",
        "cast(",   " declare ",   "delete from",   "drop table",   "exec(",  "execute ",   "insert into",  "sysobjects ",
        "syscolumns ",  " update ", "<script>"
        public void Dispose()
        //Tells ASP.NET that there is code to run during BeginRequest
        public void Init(HttpApplication app)
            app.BeginRequest += app_BeginRequest;
        //For each incoming request, check the query-string, form and cookie values for suspicious values.
        private void app_BeginRequest(object sender, EventArgs e)
            HttpRequest Request = (sender as HttpApplication).Context.Request;
            foreach (string key in Request.QueryString)
            foreach (string key in Request.Form)
            foreach (string key in Request.Cookies)
        //The utility method that performs the blacklist comparisons
        //You can change the error handling, and error redirect location to whatever makes sense for your site.
        private void CheckInput(string parameter)
            for (int i = 0; i <= blackList.Length - 1; i++)
                if ((parameter.IndexOf(blackList[i], StringComparison.OrdinalIgnoreCase) >= 0))
                    //Handle the discovery of suspicious Sql characters here
                    //generic error page on your site                  

                    if (HttpContext.Current.Request.RawUrl.ToLower().IndexOf("/admin") < 0 && HttpContext.Current.Request.RawUrl.ToLower().IndexOf("/merchant") < 0 && HttpContext.Current.Request.RawUrl.ToLower().IndexOf("/cutesoft_client")<0)

No comments:

Post a Comment