user1989195

Reputation: 457

Prevent SQL injection by using LINQ to SQL

I'm new to the world of coding.

I built a large web site with several textboxes, and now I've figured out that I've been using a dangerous method of inserting data into SQL Server, something like this:

    ' The textbox values are concatenated straight into the SQL text.
    execSQL("insert into Dossier(ID_Dossier,Nom_Giac) values(" & id_dossier.Text & ",'" & Nom_Giac.Text & "')")

    ' cmd and con are fields declared elsewhere on the page.
    Public Function execSQL(ByVal req As String, Optional ByVal type As String = "r") As Object
        cmd = New SqlCommand
        cmd.CommandText = req
        cmd.Connection = con
        openCon()
        If type = "r" Then
            Return cmd.ExecuteReader(CommandBehavior.CloseConnection)
        Else
            Return cmd.ExecuteNonQuery
        End If
    End Function

I just want to know if using LINQ to SQL can help solve this problem across my entire web site. To use it, I'm following this course:

http://www.upsizing.co.uk/Art34_IntergratingASPSecurity.aspx

Upvotes: 0

Views: 240

Answers (2)

James

Reputation: 82096

I just want to know if Using LINQ to SQL can help solve this problem in my entire web site.

Technically it will, because internally it will deal with all the parameter sanitization your queries currently lack; however, that's not to say you can't solve your problem using the code you already have. All you need to do is update your queries to use SqlParameters, e.g.

    command.CommandText = "INSERT INTO Dossier(ID_Dossier,Nom_Giac) values(@id, @giac)"
    command.Parameters.AddWithValue("@id", id_dossier.Text)
    command.Parameters.AddWithValue("@giac", Nom_Giac.Text)

Upvotes: 5

Brian Mains

Reputation: 50728

You don't need to use LINQ to SQL just to deal with SQL injection. You can use what you've done and modify it to use parameters like:

    execSQL("insert into Dossier(ID_Dossier,Nom_Giac) values(@dossier, @nom)", param1, param2)

These parameters need to be manually added to the command:

    cmd = New SqlCommand
    cmd.CommandText = req
    ' Parameter names must match the @placeholders in the SQL text. The types
    ' are assumed from the question (ID_Dossier unquoted, Nom_Giac quoted).
    cmd.Parameters.Add("@dossier", SqlDbType.Int).Value = dossier
    cmd.Parameters.Add("@nom", SqlDbType.NVarChar).Value = nom

.
.

So your method accepts a ParamArray of parameters and passes them to the command. Obviously, the solution needs to be more generic than what I provided, but hopefully this will get you started.

Upvotes: 1
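Putting both answers together, here is an added example (not code from the question or from either answer) of a parameterised replacement for the question's execSQL helper in VB.NET. It assumes a web.config connection string named "Dossier", that ID_Dossier is an INT and Nom_Giac an NVARCHAR column (inferred from the unquoted and quoted values in the original concatenation), and VB 2010 or later for the implicit line continuations; the module and function names are this example's own.

```vbnet
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Public Module Db

    ' Assumed: a <connectionStrings> entry named "Dossier" in web.config.
    Private ReadOnly ConnStr As String =
        ConfigurationManager.ConnectionStrings("Dossier").ConnectionString

    ' Builds a typed parameter. Naming the SqlDbType explicitly avoids the
    ' type inference AddWithValue does from the .NET value it is handed.
    Public Function Param(name As String, dbType As SqlDbType, value As Object) As SqlParameter
        Dim p As New SqlParameter(name, dbType)
        p.Value = If(value, DBNull.Value)
        Return p
    End Function

    ' Runs INSERT/UPDATE/DELETE. The SQL text carries only @placeholders;
    ' the values travel separately as parameters, so user input is never
    ' parsed as SQL. Returns the number of affected rows.
    Public Function ExecNonQuery(sql As String, ParamArray args() As SqlParameter) As Integer
        Using con As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(sql, con)
                cmd.Parameters.AddRange(args)
                con.Open()
                Return cmd.ExecuteNonQuery()
            End Using
        End Using
    End Function

    ' Runs a SELECT and returns a filled DataTable. Returning a table rather
    ' than an open SqlDataReader lets the connection be closed here instead
    ' of relying on every caller to dispose the reader.
    Public Function ExecQuery(sql As String, ParamArray args() As SqlParameter) As DataTable
        Using con As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand(sql, con)
                cmd.Parameters.AddRange(args)
                Using da As New SqlDataAdapter(cmd)
                    Dim table As New DataTable()
                    da.Fill(table)
                    Return table
                End Using
            End Using
        End Using
    End Function

    ' Replaces the concatenated INSERT from the question. The id is parsed
    ' in code so a non-numeric entry is rejected here rather than sent on
    ' to SQL Server.
    Public Function SaveDossier(idText As String, nomText As String) As Integer
        Dim id As Integer
        If Not Integer.TryParse(idText, id) Then
            Throw New ArgumentException("ID_Dossier must be a whole number")
        End If
        Return ExecNonQuery(
            "INSERT INTO Dossier (ID_Dossier, Nom_Giac) VALUES (@id, @nom)",
            Param("@id", SqlDbType.Int, id),
            Param("@nom", SqlDbType.NVarChar, nomText))
    End Function

    ' Lookup by name. An entry such as  ' OR 1=1 --  is compared literally
    ' against Nom_Giac; it is data, not part of the statement.
    Public Function FindByName(nomText As String) As DataTable
        Return ExecQuery(
            "SELECT ID_Dossier, Nom_Giac FROM Dossier WHERE Nom_Giac = @nom",
            Param("@nom", SqlDbType.NVarChar, nomText))
    End Function

End Module
```

From the page code-behind the original call becomes `Db.SaveDossier(id_dossier.Text, Nom_Giac.Text)`. The `Using` blocks dispose the connection on every path, including exceptions, which the original helper's `CommandBehavior.CloseConnection` only does if each caller remembers to close the reader.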
