asp.net - Check for SQL Keywords in C#
If I allow users to type in a textbox and then perform a search against the db, there is potential for SQL injection. Use a regex, that's the first thought. But I had a better idea: why not see if what they typed has SQL keywords in it? I'm using a SQL Server database in an ASP.NET program with C#, and I thought Microsoft would have offered an easy solution for what I'm talking about. The best I can find is in this article:

> Is there a programmatic way to get SQL keywords (reserved words)?

Which is what I'll end up doing, but the problem is I still have to type out the entire list of keywords, and there are around a hundred. I'm sure this has been done before, so instead of searching I'm asking the question. Isn't there an easier way? Right now I'm going to:

1. create a HashSet
2. add the keywords to the HashSet (c'mon)
3. validate user input against the HashSet

I would love to see step 2 made easier; other suggestions for SQL injection are appreciated.
If you are passing the search text to a stored procedure and doing

    WHERE search = @inputparam

SQL will not allow injection to occur in the above fragment.

However, if you are building a string variable and using `EXEC @sql` or `sp_execute @sql`, you are vulnerable to SQL injection.
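The distinction the answer draws, as an added C# example (not code from the question or the answer): the search text is concatenated into statement text in the first method, which is the same defect as building `@sql` and running `EXEC(@sql)`, and is carried as a typed parameter in the other two. The table `dbo.Products`, the stored procedure `dbo.SearchProducts`, the connection string and the sample input are all assumptions made for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not from the original post. Assumed schema:
//   CREATE TABLE dbo.Products (Name nvarchar(100));
//   CREATE PROCEDURE dbo.SearchProducts @inputparam nvarchar(100) AS
//       SELECT Name FROM dbo.Products WHERE Name LIKE '%' + @inputparam + '%';
// The procedure compares against the parameter directly; it never builds an
// @sql string and runs EXEC(@sql), which is the vulnerable pattern the answer names.
public static class ProductSearch
{
    // VULNERABLE: the user's text becomes part of the statement itself. A single
    // quote in the input ends the string literal and whatever follows is parsed
    // as SQL. This is the C# equivalent of concatenating @sql and calling EXEC.
    public static string BuildUnsafeStatement(string userInput)
    {
        return "SELECT Name FROM dbo.Products WHERE Name LIKE '%" + userInput + "%'";
    }

    // SAFE: the statement text is fixed; the input travels as a typed parameter
    // value, so quotes and keywords in it are just characters of a string.
    public static SqlCommand BuildParameterizedStatement(SqlConnection conn, string userInput)
    {
        var cmd = new SqlCommand(
            "SELECT Name FROM dbo.Products WHERE Name LIKE '%' + @inputparam + '%'", conn);
        cmd.Parameters.Add("@inputparam", SqlDbType.NVarChar, 100).Value = userInput;
        return cmd;
    }

    // SAFE: same idea through a stored procedure, as the answer describes.
    public static SqlCommand BuildStoredProcedureCall(SqlConnection conn, string userInput)
    {
        var cmd = new SqlCommand("dbo.SearchProducts", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@inputparam", SqlDbType.NVarChar, 100).Value = userInput;
        return cmd;
    }

    public static void Main()
    {
        // Constructed input: a legitimate search term that contains a quote and a
        // reserved word. A keyword blocklist would reject it; a parameter handles it.
        string input = "O'Brien select";

        // The concatenated statement is now malformed SQL (the quote closed the literal).
        Console.WriteLine(BuildUnsafeStatement(input));

        // Assumed connection string; the commands are built but not executed here.
        using (var conn = new SqlConnection("Server=(local);Database=Shop;Integrated Security=true"))
        {
            SqlCommand cmd = BuildParameterizedStatement(conn, input);
            Console.WriteLine(cmd.CommandText);                        // statement text unchanged
            Console.WriteLine(cmd.Parameters["@inputparam"].Value);    // value carried separately

            SqlCommand proc = BuildStoredProcedureCall(conn, input);
            Console.WriteLine(proc.CommandText + " " + proc.Parameters["@inputparam"].Value);
        }
    }
}
```

The point worth checking in your own code is whether user input can ever reach the text of a command (or the body of an `EXEC`/`sp_executesql` string on the T-SQL side); if it only ever reaches a parameter value, a keyword list adds nothing and would reject ordinary search terms such as names with apostrophes or words like "order" and "select".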