ASP.NET 3.5 data object security

  • This probably ties into this other thread that I started a while back.

    I'm becoming re-acquainted with ASP.NET, and developed an app in VS2008. In doing so, I've discovered the (relatively) new data objects (SQLDataSource, GridView, etc.) that come with .NET 2.0 and later.

    Right now, as I'm learning this, I'm embedding my SQL code (old habit, sorry folks), but as I get better, I plan to use SPs.

    Anyway . . . right now, I'm addressing security issues in my code. I wrote a line of code to simulate an injection attack, and am using it to test my app.

    My initial question: how worried should I be with security when using .NET 3.5 data objects with SQL?

    (Yes, I realize most of you are DBAs, but I figure some of you might have experience with this.)

    +--------------------------------------------------------------------------------------+
    Check out my blog at https://pianorayk.wordpress.com/

  • Ray K (1/28/2010)


    My initial question: how worried should I be with security when using .NET 3.5 data objects with SQL?

    I probably should get a little more specific. Here's what's prompting my question.

    I set up SQL commands (SelectCommand, UpdateCommand, etc.) in my SQLDataSource object. These object commands make use of parameters (example: "update [sometable] set Data1 = @Data1", Data1 is defined as a parameter).

    I guess what I want to know is, how secure are these?


  • Ray K (1/28/2010)


    Ray K (1/28/2010)


    My initial question: how worried should I be with security when using .NET 3.5 data objects with SQL?

    I probably should get a little more specific. Here's what's prompting my question.

    I set up SQL commands (SelectCommand, UpdateCommand, etc.) in my SQLDataSource object. These object commands make use of parameters (example: "update [sometable] set Data1 = @Data1", Data1 is defined as a parameter).

    I guess what I want to know is, how secure are these?

    In ASP.NET, a query using parameters is better than code without parameters. ASP.NET 3.5 compiles to 2.0, so check the link below for some guidelines posted a while back by Scott.

    http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

    Kind regards,
    Gift Peddie
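
An added example, not code from any poster in this thread: it builds the thread's `update [sometable] set Data1 = @Data1` statement once by string concatenation and once with parameters, then prints what each command would send. Parameters declared on a SqlDataSource end up as command parameters like these. The `Id` column, the `NVarChar(50)` size and the sample values are assumptions made for illustration; no database connection is opened.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

static class Data1UpdateDemo
{
    // Unsafe pattern: the user's text becomes part of the SQL statement itself,
    // so a quote character in the input changes what the server parses.
    static SqlCommand BuildConcatenated(string data1, int id)
    {
        return new SqlCommand(
            "update [sometable] set Data1 = '" + data1 + "' where Id = " + id);
    }

    // Parameterized pattern: the SQL text is a constant, and each value travels
    // separately as typed, length-bounded data that is never parsed as SQL.
    static SqlCommand BuildParameterized(string data1, int id)
    {
        SqlCommand cmd = new SqlCommand(
            "update [sometable] set Data1 = @Data1 where Id = @Id");
        // Column type/size and the Id column are assumed for this example.
        cmd.Parameters.Add("@Data1", SqlDbType.NVarChar, 50).Value = data1;
        cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
        return cmd;
    }

    static void Main()
    {
        // Constructed sample inputs: a plain value and one containing a quote.
        string[] samples = { "hello", "O'Brien" };

        foreach (string s in samples)
        {
            SqlCommand concatenated = BuildConcatenated(s, 1);
            SqlCommand parameterized = BuildParameterized(s, 1);

            // The concatenated text differs per input; the parameterized text does not.
            Console.WriteLine("concatenated : " + concatenated.CommandText);
            Console.WriteLine("parameterized: " + parameterized.CommandText);
            foreach (SqlParameter p in parameterized.Parameters)
            {
                Console.WriteLine("  {0} ({1}) = {2}",
                    p.ParameterName, p.SqlDbType, p.Value);
            }
        }
    }
}
```

The protection holds only while the command text stays constant: a stored procedure or command that concatenates its parameter values into dynamic SQL reintroduces the same problem on the server side.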
