Preventing SQL injection attacks using C#.NET

**CWA** · 02-02-2010 02:26 PM

What is a SQL injection attack?

Have any of your websites ever been a victim of a SQL injection attack? Well, one of my sites recently was so unfortunate and a lot of data was deleted from the database (Hooray for regular backups

). So, I looked around for a couple of solutions on how to prevent this, and wrote the function below which you can call in C#.NET to remove harmful code from any value passed to the database.

Example:
Note how the single brackets are used on both sides of the SafeSqlLiteral function:
‘” & SafeSqlLiteral(txtInput.Text, 2) & ”’

Code:

strQuery = “SELECT * FROM tablename WHERE name = ‘” & SafeSqlLiteral(txtInput.Text, 2) & ”’”;

Namespaces imported

Code:

<%@ import Namespace="System" %>
<%@ import Namespace="System.Text.RegularExpressions" %>

And the function to call

Code:

public string SafeSqlLiteral(System.Object theValue, System.Object theLevel){

    // Written by user CWA, CoolWebAwards.com Forums. 2 February 2010
    // http://forum.coolwebawards.com/threads/12-Preventing-SQL-injection-attacks-using-C-NET
    
    // intLevel represent how thorough the value will be checked for dangerous code
    // intLevel (1) - Do just the basic. This level will already counter most of the SQL injection attacks
    // intLevel (2) -   (non breaking space) will be added to most words used in SQL queries to prevent unauthorized access to the database. Safe to be printed back into HTML code. Don't use for usernames or passwords
    
    string strValue = (string)theValue;
    int intLevel = (int)theLevel;
    
    if (strValue != null) {
        if (intLevel > 0) {
            strValue = strValue.Replace("'", "''"); // Most important one! This line alone can prevent most injection attacks
            strValue = strValue.Replace("--", "");
            strValue = strValue.Replace("[", "[[]");
            strValue = strValue.Replace("%", "[%]");
        }
        if (intLevel > 1) {
            string[] myArray = new string[] { "xp_ ","update ","insert ","select ","drop ","alter ","create ","rename ","delete ","replace "};
            int i = 0;
            int i2 = 0;
            int intLenghtLeft = 0;
            for (i = 0; i < myArray.Length; i++){
                string strWord = myArray[i];
                Regex rx = new Regex(strWord, RegexOptions.Compiled | RegexOptions.IgnoreCase);
                MatchCollection matches = rx.Matches(strValue);
                i2 = 0;
                foreach (Match match in matches) {
                    GroupCollection groups = match.Groups;
                    intLenghtLeft = groups[0].Index + myArray[i].Length + i2;
                    strValue = strValue.Substring(0, intLenghtLeft - 1) + "&nbsp;" + strValue.Substring(strValue.Length - (strValue.Length - intLenghtLeft), strValue.Length - intLenghtLeft);
                    i2 += 5;
                }
            }
        } 
        return strValue;
    }
    else {
        return strValue;
    }
}

**k4reem** · 08-02-2010 08:46 PM

Many thanks CWA, very useful to use

i ve added:
strValue = strValue.Replace(" OR ", "");
strValue = strValue.Replace(" AND ", "");

to level 1, to prevent things like "OR 1=1"

**CWA** · 08-03-2010 03:55 PM

Np! And thank you for the addition to this code

Thread: Preventing SQL injection attacks using C#.NET

Thread Tools

Display

Preventing SQL injection attacks using C#.NET

Very useful

Tags for this Thread

Posting Permissions