Monday, March 30, 2009

SQL Injection

Your code is vulnerable to SQL injection attacks wherever it uses untrusted input (request parameters, form fields, cookies, or data read from another system) to build the text of a SQL statement.




The following process helps you locate SQL injection vulnerabilities:


1. Look for code that accesses the database. Scan for the strings “SqlCommand,” “OleDbCommand,” or “OdbcCommand.”




2. Check that your code uses parameters in SQL statements.
If you use stored procedures, check that they are called with parameters and that the procedure bodies do not themselves concatenate those parameters into a string that they run with EXEC. If you do not use stored procedures, check that your code passes input as parameters in the SQL statements it constructs, as shown in the following example:

select status from Users where UserName=@userName
Check that the following approach is not used, where the input is concatenated directly into the executable SQL statement, so that a crafted user name becomes part of the query logic:


String sql = "select status from Users where UserName='"+ txtUserName.Text + "'"; // input spliced into the statement text


3. Check whether or not your code attempts to filter input.

A common approach is to develop filter routines that add escape characters to characters that have special meaning to SQL, such as the single quote. This is an unsafe approach, and you should not rely on it because of character representation issues: the same character can often be expressed in more than one encoding or as part of a multi-byte sequence, and a filter that does not match the exact representation the database decodes will let it through. Treat such filtering as defense in depth at best, and require parameterized statements as the actual fix.
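To make the three checks concrete, here is an added example that is not part of the original post and not Microsoft's code. It is written in Python against an in-memory SQLite database standing in for ADO.NET and SQL Server so it runs offline; the Users table, its two sample rows, and the function names are constructed for the illustration. It shows the concatenated query from step 2 being subverted by a crafted user name, the parameterized form of the same query treating that input as plain data, and, for step 3, a quote-escaping filter that stops the quoted payload but does nothing when the input lands in an unquoted numeric comparison (a different failure mode from the encoding issue above, with the same lesson).

```python
import sqlite3

# Constructed sample data standing in for the Users table in the post.
_SEED = [
    ("alice", "active"),
    ("bob", "locked"),
]


def connect():
    """In-memory SQLite database with a Users table like the one in the post."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Users (UserID integer primary key, UserName text, Status text)"
    )
    conn.executemany("insert into Users (UserName, Status) values (?, ?)", _SEED)
    return conn


def status_concatenated(conn, user_name):
    """Step 2, the pattern to reject: the input is spliced into the SQL text."""
    sql = "select Status from Users where UserName='" + user_name + "'"
    return [row[0] for row in conn.execute(sql)]


def status_parameterized(conn, user_name):
    """Step 2, the pattern to look for: the input travels as a bound parameter.

    '?' is SQLite's placeholder; it plays the role of @userName in the post.
    """
    sql = "select Status from Users where UserName=?"
    return [row[0] for row in conn.execute(sql, (user_name,))]


def escape_quotes(value):
    """Step 3: a typical hand-written filter that doubles single quotes."""
    return value.replace("'", "''")


def status_concatenated_escaped(conn, user_name):
    """Step 3: the filter happens to hold when the input sits inside quotes."""
    sql = "select Status from Users where UserName='" + escape_quotes(user_name) + "'"
    return [row[0] for row in conn.execute(sql)]


def status_by_id_filtered(conn, user_id_text):
    """Step 3: the same filter is useless where the input is not inside quotes.

    The numeric comparison needs no quote to break out of, so '0 or 1=1'
    passes through escape_quotes unchanged and widens the WHERE clause.
    """
    sql = "select Status from Users where UserID=" + escape_quotes(user_id_text)
    return [row[0] for row in conn.execute(sql)]


if __name__ == "__main__":
    db = connect()
    payload = "x' or '1'='1"
    print("concatenated, normal input:", status_concatenated(db, "alice"))
    print("concatenated, payload:     ", status_concatenated(db, payload))
    print("parameterized, payload:    ", status_parameterized(db, payload))
    print("escaped, payload:          ", status_concatenated_escaped(db, payload))
    print("escaped, numeric payload:  ", status_by_id_filtered(db, "0 or 1=1"))
```

When reviewing, the pattern in `status_concatenated` and `status_by_id_filtered` is what step 2 tells you to flag regardless of any filtering wrapped around the input; only the `status_parameterized` shape passes the check.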
