User Input Check Before Insert to Database

Question

I have a form in my MVC 5 Webb App, a very simple form for "contact us":

-Name

-Email

-Subject

-Message (body)

I have to check the strings that the user input.

How can I check it in .NET ?

Update:

As Darin suggested, a Parameterizing Queries will take care of that, but I have a problem with implementation it with my architecture design of my web application:

I have a Ado Helper Class:

public class AdoHelper
{
    static string connectionString = ConfigurationManager.ConnectionStrings["SQL_DB"].ConnectionString;


    public static DataTable ExecuteDataTable(string query)
    {

        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();
            SqlCommand command = new SqlCommand(query, con);
            SqlDataAdapter tableAdapter = new SqlDataAdapter(command);
            DataTable dt = new DataTable();
            tableAdapter.Fill(dt);
            return dt;
        }
    }

    public static void ExecuteNonQuery(string query)
    {

        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();
            SqlCommand command = new SqlCommand(query, con);

            command.ExecuteNonQuery();
        }
    }

    public static object ExecuteScalar(string query)
    {

        using (SqlConnection con = new SqlConnection(connectionString))
        {
            con.Open();
            SqlCommand command = new SqlCommand(query, con);
            return command.ExecuteScalar();
        }

    }

}

And I have Data Queries Class: ( I display here only the relevant function to this question)

     public class DataQueries
    {
        public static void InsertContactForm(ContactForm form)
        {
            try
            {
                string query = "INSERT INTO ContactForm (Name, Email, Subject, Message, Reply) VALUES ( '" + form.Name + "','" + form.Email + "','" + form.Subject + "','" + form.Message + "','" + form.Reply + "')";

                AdoHelper.ExecuteNonQuery(query);
            }
            catch (Exception ex)
            {
                throw ex;
            }
        }
}

When I want to insert data to my DB I call to a Data Queries function that communicate with the Ado Helper Class.

So the query pass to Ado Helper function as string well formed and ready to go, this creates a problem because I cant use parameters in the Ado Helper class (where I have SQL command instance).

Are there any workaround to this problem ?

Thanks.

Darin Dimitrov · Accepted Answer

Looks like your AdoHelper class is currently vulnerable to SQL injection. In order to avoid that you need to use parametrized queries. So I would start by refactoring this AdoHelper class so that it suits better those needs:

public class AdoHelper
{
    private static string connectionString = ConfigurationManager.ConnectionStrings["SQL_DB"].ConnectionString;

    public static int ExecuteNonQuery(string query, IDictionary parameters)
    {
        using (var con = new SqlConnection(connectionString))
        using (var command = con.CreateCommand())
        {
            con.Open();
            command.CommandText = query;
            foreach (var p in parameters)
            {
                command.Parameters.AddWithValue(p.Key, p.Value);
            }

            return command.ExecuteNonQuery();
        }
    }
}

and then you could call this method in order to perform the INSERT statement:

AdoHelper.ExecuteNonQuery(
    "INSERT INTO ContactForm (Name, Email, Subject, Message, Reply) VALUES (@Name, @Email, @Subject, @Message, @Reply)",
    new Dictionary
    {
        { "@Name", "form.Name" },
        { "@Email", "form.Email" },
        { "@Subject", "form.Subject" },
        { "@Message", "form.Message" },
        { "@Reply", "form.Reply" }
    }
);

User Input Check Before Insert to Database

Answers (2)

Related Questions