Hello everybody.
Who can explain to me how to generally improve my coding against SQL injection and hackers? That is, how do I design a secure website or Windows application that is isolated from SQL injection hackers?
For example, I insert a function behind the login form that removes dangerous characters from the username and password.
C#
// Whitelist filter: keeps only the characters 0-9 and a-z (either case) and drops everything else.
static public string MakeSafeData(string Unsafe_String)
{
    string Safe_String = string.Empty;   // start empty rather than null so an all-invalid input returns ""
    string[] Valid_Chars = new string[36] {
                 "0", "1", "2", "3", "4", "5", "6", "7", "8", "9",
                 "a", "b", "c", "d", "e", "f", "g", "h", "i", "j",
                 "k", "l", "m", "n", "o", "p", "q", "r", "s", "t",
                 "u", "v", "w", "x", "y", "z" };

    // remove unsafe characters: copy a character only if it appears in the list (lower- or upper-case)
    for (int c = 0; c < Unsafe_String.Length; c++)
    {
        foreach (string s in Valid_Chars)
        {
            if (Unsafe_String[c].ToString() == s ||
                Unsafe_String[c].ToString() == s.ToUpper())
            {
                Safe_String += Unsafe_String[c];
            }
        }
    }

    return Safe_String;
}
Comments
Sergey Alexandrovich Kryukov 1-Jul-12 16:39pm    
This code sample is not related to SQL.
--SA
Abolfazl Beigi 1-Jul-12 16:43pm    
Yes, you are right, but this is a preparation for the SQL query.
And my question generally is about SQL injection.

In one line: to avoid SQL injection, use SqlParameter in queries. For a demo, you can check out the following video; it also has sample source to download which you can have a look at.
Comments
Abolfazl Beigi 1-Jul-12 10:40am    
Thanks a lot for your very nice video link.
Pankaj Nikam 1-Jul-12 12:09pm    
:) you are welcome Ni8max!
To prevent SQL injection, always use SqlParameter instead of string validations like the above.

Check the Q&A below related to the above; all answers suggest using SqlParameters:
http://stackoverflow.com/questions/2329499/regex-for-detecting-sql-injections-in-winforms
http://stackoverflow.com/questions/5495753/do-sql-injection-works-in-winforms
Comments
Abolfazl Beigi 1-Jul-12 10:39am    
Thank you for your helpful guide.
The best way is: never concatenate strings to form SQL queries. If you always use parametrised queries, then you leave nothing open to SQL Injection attack, and you don't have to change any characters.

Having said that, the way you are doing things is very inefficient:
1) Use a StringBuilder instead of a string to assemble strings from parts. Strings are immutable: they cannot be changed after they are constructed, so each time you add a character you generate a new string a character longer than it was and copy the data over. This is a very, very inefficient way to do it!
2) You don't need local data for your comparison array - use a class level static instead, and it is constructed once, instead of each time the method is called.
3) If you use a List instead of an array, it has a Contains method!
4) If you use char instead of string for your comparison anyway, you don't need to waste time with unnecessary ToString calls:
C#
using System.Collections.Generic;
using System.Text;

// Built once for the class instead of on every call.
private static char[] Valid_Chars = new char[] {
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j',
    'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't',
    'u', 'v', 'w', 'x', 'y', 'z' };
private static List<char> valid = new List<char>(Valid_Chars);

static public string MakeSafeData(string Unsafe_String)
{
    // StringBuilder grows in place; no new string per appended character.
    StringBuilder sb = new StringBuilder();
    foreach (char c in Unsafe_String)
    {
        // The list holds lower-case letters, so lower-case the input to accept upper-case letters too.
        if (valid.Contains(c) || valid.Contains(char.ToLower(c)))
        {
            sb.Append(c);
        }
    }
    return sb.ToString();
}

[edit]Should have been ToLower not ToUpper to match characters in compare list - OriginalGriff[/edit]
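Pankaj Nikam's answer and OriginalGriff's answer both say the fix is SqlParameter rather than stripping characters. The block below is an added example, not code from the question or from any answer: it puts the concatenated query next to its parameterised form. It assumes a SQL Server table Users(Username NVARCHAR(50), PasswordHash VARBINARY(32)) and uses a placeholder connection string.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class LoginRepository
{
    // VULNERABLE (shown for contrast only): the input is pasted into the SQL text,
    // so a quote character in the username changes the statement the server parses.
    public static string BuildConcatenatedQuery(string username)
    {
        return "SELECT PasswordHash FROM Users WHERE Username = '" + username + "'";
    }

    // SAFE: the SQL text never changes; the username is sent as a typed parameter
    // value that SQL Server never parses as SQL. No character stripping is needed,
    // so a name such as O'Brien is looked up exactly as typed.
    public static byte[] GetPasswordHash(SqlConnection conn, string username)
    {
        const string sql = "SELECT PasswordHash FROM Users WHERE Username = @Username";
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, sized parameter (assumed column: NVARCHAR(50)): avoids implicit
            // conversions and lets the server reuse one cached plan for every input.
            cmd.Parameters.Add("@Username", SqlDbType.NVarChar, 50).Value = username;
            return cmd.ExecuteScalar() as byte[];   // null when no row matches
        }
    }

    static void Main()
    {
        // Placeholder connection string; replace with your own.
        using (var conn = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        {
            conn.Open();
            byte[] hash = GetPasswordHash(conn, "O'Brien");
            Console.WriteLine(hash == null ? "no such user" : "user found; compare the hash in code");
        }
    }
}
```

The password check itself belongs in application code against the stored hash; the query only fetches it.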
Comments
Abolfazl Beigi 1-Jul-12 10:37am    
Thank you so much for your perfect solution.
OriginalGriff 1-Jul-12 10:56am    
You're welcome!
Comments
Abolfazl Beigi 2-Jul-12 10:42am    
Thank you very much.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)