Regular Expressions for SQL Protection 1

iaresean · Jun 7, 2006

Hi All;

I am writting regular expressions to check user input for SQL safety (e.g. invalid chars, SQL injection etc).

What would you say are the most dangerous characters that I should be checking against?

e.g. ' > < etc...

Thank you!

Sean. [peace]

ca8msm · Jun 7, 2006

Is that really necessary? If you are using Parameters to add the variables, it won't matter abouyt SQL Injection.

____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

iaresean · Jun 7, 2006

Hi ca8msm;

When you say parameters, are you referencing Stored Procedure paramaters? I am not using stored procedures for the project at hand.

Thanks;

Sean. [peace]

ca8msm · Jun 7, 2006

No, it doesn't have to be an SP. When you create a Command object, you can use the Parameters.Add method to add paramters to your SQL Statement.

____________________________________________________________

Need help finding an answer?

Try the Search Facility or read FAQ222-2244 on how to get better results.

iaresean · Jun 7, 2006

Ok, sounds promising. I will definitely look into that.

But for arguments sake, say I weren't to use it. What are the most dangerous characters in your experience?

Sorry for being so stubborn.

Regards;

Sean. [peace]

chrissie1 · Jun 7, 2006

the most lethal is ;
then '
and then all the rest.

Dates can also be difficult if you aren't using parameters.

Christiaan Baes
Belgium

"My new site" - Me

chrissie1 · Jun 7, 2006

And I forgot the numeric values. Some use decimal points and others don't.

Christiaan Baes
Belgium

"My new site" - Me

vbkris · Jun 7, 2006

dont forget, injection necessarily need not be of the SQL injection type. users can also try to inject HTML into ur text. .NET has an inbuilt protecting mechanism for this. but if that has been disabled then somebody could as well as do this:
<script>window.close()</script>

and in the page that tries to display this the script will execute.

suggestion:
either validate the fields where u collect the data

OR

Do a HtmlEncode on ALL the fields where no such validations have been done...

Known is handfull, Unknown is worldfull

Guru7777 · Jun 7, 2006

You wouldn't want to allow -- either. It is a key component of many sql injection attacks.

But, there really is no reason not to use parameters.

----------------------------------------

TWljcm8kb2Z0J3MgIzEgRmFuIQ==

pharcyder · Jun 8, 2006

I found this article about SQL Injection really helpful.

iaresean · Jun 8, 2006

Wow, Thanks for all the responses guys.

I will definitely look into all of the above!

Much appreciated;

Sean. [peace]

KornGeek · Nov 30, 2006

pharcyder,

Thanks for the link. I'm brand-spankin' new to ASP, and fairly new to html still. I'd never even heard of SQL Injection until today. Thanks for the good info.

BoulderBum · Dec 1, 2006

Actually if you look at the problem from the standpoint of what to restrict you're probably going to miss something. You should instead look at it from the standpoint of what to allow.

That said, parameterized queries, as mentioned, are the key to guarding against attack in the input (though you can misuse parameters to let malicious input through). You don't want to rely on string replacement because it's not a true solution.

Good reading:

http://www.microsoft.com/mspress/books/5957.aspx

Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Regular Expressions for SQL Protection 1

iaresean

Programmer

ca8msm

Programmer

iaresean

Programmer

ca8msm

Programmer

iaresean

Programmer

chrissie1

Programmer

chrissie1

Programmer

vbkris

Programmer

Guru7777

Programmer

pharcyder

Programmer

iaresean

Programmer

KornGeek

Programmer

BoulderBum

Programmer

Similar threads

Part and Inventory Search

Sponsor