SQL Injection Black List?

  • I find links like this http://forums.asp.net/t/1254125.aspx which 'screen' for unacceptable words and characters in textboxes. I thought it might be as simple as my code example below. Seems most attacks must at least include a semicolon (;). I added the -- and ' ' for added protection. I'm interested in what the experts here think 🙂

    [ASP .NET C# Codebehind]

    using System.Text.RegularExpressions;

    // Test value: a payload the black list is meant to catch.
    userName.Text = "; Delete Table Admin --";

    // Reject input that contains a semicolon, a comment marker (--), or a quote-space-quote.
    if (!Regex.IsMatch(userName.Text, ";|--|' '"))
    {
        //use textbox text...
    }

  • Easiest is to use sp or parameterized queries.

    I've had to take another path once in which case I made sure to double the apostrophes as well so they couldn't end mine.
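The following is an added, runnable illustration of both posts above, not code from either poster: the first post's black list (semicolon, `--`, quote-space-quote) translated into Python, a constructed payload that slips past it, the reply's fallback of doubling apostrophes, and the parameterized query the reply recommends. It uses an in-memory SQLite database; the `users` table, its rows and the `PAYLOAD` string are all constructed for the example and are assumptions, not anything from the original thread.

```python
"""Added example (not from the original thread): a black-list check versus
apostrophe doubling versus a parameterized query, run against constructed
sample data in an in-memory SQLite database."""
import re
import sqlite3

# The first post's black list, translated from C# Regex.IsMatch into Python:
# reject input containing ';', '--' or a quote-space-quote.
BLACKLIST = re.compile(r";|--|' '")

# Constructed payload (an assumption for this example): it contains no ';',
# no '--' and no quote-space-quote, so the black list lets it through, yet it
# closes the string literal and appends an always-true condition.
PAYLOAD = "x' OR '1'='1"


def passes_blacklist(value: str) -> bool:
    """True if the black list would accept this input."""
    return BLACKLIST.search(value) is None


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a users table with two accounts (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw TEXT)")
    conn.executemany(
        "INSERT INTO users (name, pw) VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    return conn


def lookup_concat(conn, name: str):
    """Vulnerable: string concatenation guarded only by the black list."""
    if not passes_blacklist(name):
        return []
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_doubled(conn, name: str):
    """The reply's fallback: double each apostrophe so input cannot end the literal."""
    sql = "SELECT name FROM users WHERE name = '{}'".format(name.replace("'", "''"))
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name: str):
    """The recommended fix: a parameterized query; input is never parsed as SQL."""
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_by_id_doubled(conn, id_text: str):
    """Apostrophe doubling does nothing in a numeric context: no quotes are needed
    to inject here, so '1 OR 1=1' is spliced straight into the WHERE clause."""
    sql = "SELECT name FROM users WHERE id = {}".format(id_text.replace("'", "''"))
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, id_text: str):
    """Numeric lookup done safely: validate the type, then bind a parameter.
    Non-numeric input raises ValueError instead of reaching the database."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (int(id_text),))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("black list accepts payload:", passes_blacklist(PAYLOAD))
    print("concat + black list:", lookup_concat(db, PAYLOAD))      # both users leak
    print("doubled apostrophes:", lookup_doubled(db, PAYLOAD))     # []
    print("parameterized:", lookup_param(db, PAYLOAD))             # []
    print("numeric, doubled:", lookup_by_id_doubled(db, "1 OR 1=1"))  # both users leak
    print("numeric, parameterized:", lookup_by_id_param(db, "1"))     # ['alice']
```

Running it shows the point of the reply: the black list passes `x' OR '1'='1` and the concatenated query returns every row, doubling apostrophes stops that particular payload but only inside a quoted string literal, and the parameterized query is unaffected in both contexts because the driver sends the input as data rather than as part of the statement.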
