Sunday, March 25, 2012

Clean input before submitting to database

Is there some recommended way to clean input before submitting it to the database? We'd like to develop a library that can be used on our ASP/ASP.NET apps to filter input before it's sent to the SQL Server and Oracle databases. Is there a way to create a .NET DLL that can be used for both ASP.NET and classic ASP apps? Thanks.

What's the meaning of "clean input before submitting it to the database"? Can you explain more? Where is the input located? If you're talking about input for operations towards the database, there seems to be no way to filter it, since the communication between databases and clients is based on request packets. In this case I think it's better to implement this logic on the database level; you can use some CONSTRAINTs, TRIGGERs, and so on to prevent 'bad' input to the database.

Sorry. Let me clarify. With "clean" I mean free from malicious code. In other words, I'd like to clean it so as to prevent SQL injection attacks. I'm implementing the steps outlined in this article: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh04.asp. Thanks.

Use parameterized queries.
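The last reply is the right answer, and the reason is easy to see side by side. The following is an added example, not code from the thread or from the MSDN article it links; it uses Python's built-in sqlite3 module with a constructed in-memory table so it runs without a SQL Server or Oracle instance. The names `make_db`, `find_user_unsafe`, `find_user_safe` and the sample rows are all made up for the demonstration. The point carries over directly to .NET: the same fixed SQL text plus a separate parameter value is what `SqlCommand`/`SqlParameter` (placeholder `@name`) and `OracleCommand`/`OracleParameter` (placeholder `:name`) do, and classic ASP gets the same effect through an `ADODB.Command` with `CreateParameter`.

```python
import sqlite3

# Constructed in-memory sample table; it stands in for the SQL Server or
# Oracle table the post has in mind. No real database server is needed.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, name):
    # The "clean the string first" approach the question is asking about.
    # Because the input is spliced into the SQL text, any quote in it becomes
    # part of the query's structure; no amount of filtering keeps up with that.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    # Parameterized query: the SQL text is a fixed string and the value is
    # handed to the driver separately, so it is only ever compared as data.
    # The :name placeholder mirrors an OracleParameter; SqlParameter uses @name.
    sql = "SELECT name, role FROM users WHERE name = :name"
    return conn.execute(sql, {"name": name}).fetchall()


# Constructed hostile input: a quote that closes the literal, then a tautology.
INJECTION = "' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(find_user_unsafe(conn, INJECTION))  # every row comes back
    print(find_user_safe(conn, INJECTION))    # [] : nobody has that literal name
    print(find_user_safe(conn, "alice"))      # [('alice', 'admin')]
```

The unsafe function turns the input into `WHERE name = '' OR '1'='1'` and leaks the whole table; the parameterized one looks for a user literally named `' OR '1'='1` and finds none, with no escaping or filtering code of your own involved. That is why a shared "input cleaning" DLL is the wrong layer: put the parameters in the data-access code for both the ASP.NET and classic ASP apps and the database never sees user input as SQL.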
