.NET Tutorials, Forums, Interview Questions And Answers

how to avoid sql injection??

Posted By:      Posted Date: October 06, 2010    Points: 0   Category :Sql Server

I want to know how to avoid SQL injection in ASP.NET WebForms.

If there is something like (select empid from emp where empid=textbox1.text), the attacker can easily attack the database. How do we write this same code so that it stays secure? Should we use query strings? Help me with this, thanks.

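One way to write the lookup from the question safely, as an added example that is not code from the original post: the concatenated form the question describes sits beside the same query as a parameterized SqlCommand. The table name "emp", the columns "empid" and "ename", the connection-string name "EmpDb" and the control names are assumptions.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post. Assumes a SQL Server table "emp" with an
// integer column "empid" and a string column "ename", a connection string named "EmpDb"
// in web.config, and the TextBox "textbox1" from the question (all assumptions).
public class EmpRepository
{
    private readonly string _connectionString;

    public EmpRepository()
    {
        _connectionString = ConfigurationManager.ConnectionStrings["EmpDb"].ConnectionString;
    }

    // Vulnerable form: the pattern from the question. The text box value is spliced into the
    // SQL text, so whatever the user types becomes part of the command, not just a value.
    // Kept only for contrast with the hardened version below.
    public bool EmployeeExistsUnsafe(string textBoxValue)
    {
        string sql = "select empid from emp where empid=" + textBoxValue;
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }

    // Hardened form: the input is converted to the column's type first (anything that is not
    // an integer is rejected before the database is touched), then sent as a typed parameter.
    // The SQL text is fixed; the driver transmits @empid as a value, so the value can never
    // change the shape of the statement.
    public bool EmployeeExists(string textBoxValue)
    {
        int empId;
        if (!int.TryParse(textBoxValue, out empId))
        {
            return false; // not a valid id: treat as "no such employee" and do not query
        }

        const string sql = "select empid from emp where empid = @empid";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@empid", SqlDbType.Int).Value = empId;
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }

    // Same idea for a string column: a typed parameter carries quotes and comment markers in
    // the value as plain characters, so no manual escaping or character stripping is needed.
    public bool EmployeeNameExists(string nameFromTextBox)
    {
        const string sql = "select empid from emp where ename = @ename";
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@ename", SqlDbType.NVarChar, 50).Value = nameFromTextBox ?? string.Empty;
            conn.Open();
            return cmd.ExecuteScalar() != null;
        }
    }
}

// Code-behind usage on the WebForms page (assumed control names):
// protected void Button1_Click(object sender, EventArgs e)
// {
//     var repo = new EmpRepository();
//     Label1.Text = repo.EmployeeExists(textbox1.Text) ? "Found" : "Not found";
// }
```

On the query-string part of the question: where the value arrives from makes no difference. A value read from Request.QueryString is untrusted in exactly the same way as a TextBox value, and both should reach the database only through a parameter. Running the application's database login with the minimum permissions the queries need (read access to emp, nothing more) limits what any remaining mistake can reach.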

More Related Resource Links

SQL Injection Walkthrough / Tutorial

SQL Injection is a trick to inject a SQL query/command as input, typically via web pages. Many web pages take parameters from the web user and build a SQL query to the database from them. Take, for instance, a user login: the web page takes the user name and password and makes a SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible to send a crafted user name and/or password field that changes the SQL query and thus grants something else.

Top .NET Performance Problems and how to avoid them

Every time I work with one of our .NET customers to help them with managing their application performance I come across the same problems as seen with other clients before: lots of ADO.NET queries, many hidden exceptions in core or 3rd party .NET libraries, slow 3rd party components, inefficient custom code

How to detect and avoid memory and resources leaks in .NET application

Despite what a lot of people believe, it's easy to introduce memory and resources leaks in .NET applications. The Garbage Collector, or GC for close friends, is not a magician who would completely relieve you from taking care of your memory and resources consumption.

I'll explain in this article why memory leaks exist in .NET and how to avoid them. Don't worry, I won't focus here on the inner workings of the garbage collector and other advanced characteristics of memory and resources management in .NET.

Test Run: Fault Injection Testing with TestApi


Fault injection testing is the process of deliberately inserting an error into an application to determine whether it deals with the error properly. We'll explain how you can introduce faults into .NET applications at run time using the Managed Code Fault Injection APIs of the TestApi library.

James McCaffrey

MSDN Magazine August 2010

Inside Microsoft patterns & practices: Dependency Injection in Libraries


This article discusses how to write a library or framework that uses the Dependency Injection pattern and how the change in focus affects the usage of the pattern.

Chris Tavares

MSDN Magazine November 2009

Entity Framework: Anti-Patterns To Avoid In N-Tier Applications


Danny Simmons explores some anti-patterns you should look out for when building n-tier applications with the Entity Framework.

Daniel Simmons

MSDN Magazine June 2009

PIAB And WCF: Integrating the Policy Injection Application Block with WCF Services


Using the PIAB you can enhance WCF services with policies such as validation, performance monitoring, authorization and caching without having to change a line of code.

Hugh Ang and David San Filippo

MSDN Magazine February 2008

SQL Security: New SQL Truncation Attacks And How To Avoid Them


Exploits using SQL injection have drawn a lot of attention for their ability to get through firewalls and intrusion detection systems to compromise your data layers. Whether it's a first-order or second-order injection, if you look at the basic code pattern, it is similar to any other injection issue where you use untrusted data in the construction of a statement.

Bala Neerumalla

MSDN Magazine November 2006

No More Hangs: Advanced Techniques To Avoid And Detect Deadlocks In .NET Apps


You can combat deadlock using a combination of disciplined locking practices which Joe Duffy aptly explains in this article.

Joe Duffy

MSDN Magazine April 2006

Design Patterns: Dependency Injection


Today there is a greater focus than ever on reusing existing components and wiring together disparate components to form a cohesive architecture. But this wiring can quickly become a daunting task because as application size and complexity increase, so do dependencies.

Griffin Caprio

MSDN Magazine September 2005

Data Security: Stop SQL Injection Attacks Before They Stop You


To execute a SQL injection attack, a hacker writes a Web page that captures text in a textbox to be used to execute a query against a database. The hacker enters a malformed SQL statement into the textbox that causes the back-end database to perform operations the owners did not intend it to perform, like making unauthorized updates. This article explains how you can protect against the all too common SQL injection attack in your own database. The steps covered include data validation, proper exception handling, and much more.

Paul Litwin

MSDN Magazine September 2004

Scale: Real-World Load Testing Tips to Avoid Bottlenecks When Your Web App Goes Live


Load testing should be part and parcel of every Web development effort, and it should be performed early in the process. However, if you think you can load test using your development environment, you're going to have some surprises when you go live. In this article, the authors outline the process of planning your load testing effort, considering which machines to use, how many users to simulate, which tools are right for you, and how to interpret your results.

Jeff Dunmall and Keith Clarke

MSDN Magazine January 2003

How do I avoid chunked encoding either in HttpListener or in SimpleWorkerRequest?



I am writing a simple web server that uses HttpListener (http.sys) as a listener and an output conduit, and a SimpleWorkerRequest to process ASP.NET requests. All works well, but when an application my server hosts outputs a chunked response, ASP.NET calls SimpleWorkerRequest's SendResponseFromMemory() method and passes in data that is chunked-encoded. When I write the output to HttpListener's output stream, it gets chunk-encoded again, breaking the whole thing. So I ended up writing a chunked decoder in the middle, which makes it inefficient because the response gets massaged three times instead of once:

  1. Chunked-encoded by ASP.NET HttpResponse, then
  2. Decoded by my code in SimpleWorkerRequest.SendResponseFromMemory(), and
  3. Chunked-encoded again by writing to HttpListener's output stream.

My question is how do I tell either SimpleWorkerRequest or HttpListener not to chunk-encode the response so the encoding can be done only once by either of those? (Preferably, it's SimpleWorkerRequest that needs an option to pass the response to the web server without changing it, so that HttpListener would encode all responses, whether they come from ASP.NET or not, for example from a CGI request processor.)

Thank you,

sql Injection



In a Text field whatever I will enter after less than "<" symbol will disappear.

 So I am just replacing this symbol with a space, please let me know if there is any other desired output we need here.




UserControl, CustomControl Design Time Support errors IOC, Dependency Injection, MVP

Hi, is there a way to completely disable design time support for CustomControl and UserControl? I have about 30 UserControls and 10 CustomControls in my WinForms app, which contains some Dependency Injection and IOC stuff in constructors and Load handlers. I have lots of large UserControls containing smaller UserControls (CompositeView). All my UI code is pretty dynamic and the only thing I need to do at design time is to drag&drop containers into other containers (UserControls). And now I have a hard time doing this, because I have to wrap all constructors and Load handlers in CurrentProcess!="devenv"... and when I'm implementing some new View interface (which consists of lots of properties) in a UserControl, all those properties by default throw NotImplementedException, and I don't always need to implement them immediately but still I need to be able to run this code for testing. Besides, then I have to clean up the designer generated class because it adds unnecessary null value property initializations, and then it may add some other ____ code, and so on.... Imagine a UserControl with 10-15 nested UserControls, and then I try to open it in Form Designer and get an ObjectReference NULL exception (for IOC) or some NotSupported/NotImplemented exceptions (for properties) without an adequate CallStack available! There is a CallStack but there is no trace in it to my code (

How to avoid network problems while calling a webservice in a SQL CLR trigger?

Hi All, My Goal: DB synchronization between SQL Server 2005 and a MySQL database via web services. I have created a SQLCLR trigger, in which I'm calling a web service to sync/update the remote (MySQL) DB over specific constraints. After getting the acknowledgment from the web service I'm updating the sync flag to success (in SQL Server 2005). If any network delay happens I am unable to know whether the sync has been done successfully or not. How to avoid network dependency here? Is there any reliable queuing mechanism available in SQL Server 2005 to eliminate dependency on the network? I am looking for any suitable service/approach in SQL Server 2005 that can take care of calling web services asynchronously and update the status of the sync flag irrespective of the network. Thanks in advance if anyone can provide a good approach step by step in detail.

Injection attacks

How do we protect our site from SQL Injection attacks, among other security practices?