This article gives a sound idea of how to write secure code with ADO.NET. The Data Access Layer (DAL) is a common and very critical part of your application, so it is very important to know some basic security points while writing ADO.NET code.
- One of the key points of security is "never ever trust user input". You must validate the user's data properly before processing it. An attacker will always try to break your application through malicious inputs, especially through dynamically built SQL statements. As a developer you must take care of every untrusted input that is passed into a SQL statement. For example, say you search customer details by taking the customer name as input and build a dynamic SQL statement to fetch the details from SQL Server. If you do not validate the user's input and process it directly, it can cause heavy damage to your application: assume a (smart) user passes the customer name as "1;DROP TABLE Cust". The code snippet is as below:
// Vulnerable: the user's text is concatenated straight into the SQL statement,
// so "1;DROP TABLE Cust" becomes a second statement that SQL Server executes.
string strQuery = "SELECT * from Cust WHERE custName=" + txtCustName.Text;
SqlCommand cmd = new SqlCommand(strQuery, conn);
conn.Open();
SqlDataReader myReader = cmd.ExecuteReader();
myReader.Close();
conn.Close();
The solution to the above problem is to validate such vulnerable input before executing the query.
- The next point is parameterized stored procedures. This is a convenient way to safeguard your application against SQL injection attacks: make sure your stored procedures or methods accept only values, not SQL statements, and also validate the user inputs as explained in the point above before executing.
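As an added example (not code from the original article), the same customer lookup done through a parameterized stored procedure after an allow-list check on the input; the procedure name usp_GetCustomerByName, the column names and the name pattern are assumptions:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

/* Assumed stored procedure on the server (not part of the original article):
   CREATE PROCEDURE usp_GetCustomerByName @custName NVARCHAR(50) AS
       SELECT custId, custName FROM Cust WHERE custName = @custName;
*/
public static class CustomerRepository
{
    // Allow-list for customer names: letters, digits, space, dot, apostrophe, hyphen; 1-50 chars.
    // \z rather than $ so a trailing newline cannot slip past the check.
    private static readonly Regex CustNamePattern = new Regex(@"^[A-Za-z0-9 .'-]{1,50}\z");

    public static DataTable FindByName(string connectionString, string customerName)
    {
        // Reject malformed input at the boundary; "1;DROP TABLE Cust" fails here because of ';'.
        if (customerName == null || !CustNamePattern.IsMatch(customerName))
            throw new ArgumentException("Customer name has an invalid format.", "customerName");

        var results = new DataTable();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("usp_GetCustomerByName", conn))
        {
            // The procedure receives a typed value, never SQL text: even without the regex,
            // the parameter would only be compared against the custName column.
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@custName", SqlDbType.NVarChar, 50).Value = customerName;

            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                results.Load(reader);
            }
        }
        return results;
    }
}
```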
- Use Regex to validate that user input matches a particular format (pattern). Regular expressions also help to quickly parse large amounts of text to find specific character patterns, and to edit, replace or delete substrings. For example, to validate that the input value is a 5-character alphanumeric string:
using System.Text.RegularExpressions;

// Returns true only when the input is exactly five ASCII letters or digits.
// Note: in .NET, $ also matches before a final newline; use \z if that must be rejected too.
public bool CheckString(string inputValue)
{
    Regex rg = new Regex("^[A-Za-z0-9]{5}$");
    return rg.IsMatch(inputValue);
}
- One of the ways an attacker can learn about your database or data source is through system-generated exceptions. The key point for everyone is: do not display complete system exception information to the user; display only the exception information the client actually needs. Implement exception wrapping, or replace the actual database exception with a custom exception that hides it.
- The other key point is never to connect to the database with a user name and password in plain text; it is a serious vulnerability. If the user name and password are part of your source code, they can be recovered by disassembling the IL code, which is a big plus for an attacker wanting to play with your application. When connecting to Microsoft SQL Server it is highly recommended to use Integrated Security, which uses the identity of the current active user rather than passing a user name and password. Also pay attention to the Persist Security Info setting: when it is set to true or yes, security-sensitive information, including the user name and password, can be obtained from the connection after it has been opened.
These are some of the basic security points everybody should keep in mind while working with ADO.NET or a database.
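An added example (not code from the original article) covering the last two points: the connection string is built with Integrated Security and Persist Security Info turned off, and a SqlException is logged server-side and wrapped so the client only sees a generic message. The DataAccessException type and the Log sink are assumptions:

```csharp
using System;
using System.Data.SqlClient;

// Wrapper surfaced to callers and the UI; its Message carries no database details.
public class DataAccessException : Exception
{
    public DataAccessException(string message, Exception inner) : base(message, inner) { }
}

public static class SecureConnectionFactory
{
    // No "User ID=...;Password=..." literal anywhere in source, so nothing to recover from the IL.
    public static string BuildConnectionString(string server, string database)
    {
        var builder = new SqlConnectionStringBuilder
        {
            DataSource = server,
            InitialCatalog = database,
            IntegratedSecurity = true,    // Windows identity of the current user/process
            PersistSecurityInfo = false   // credentials cannot be read back from an opened connection
        };
        return builder.ConnectionString;
    }

    public static SqlConnection Open(string connectionString)
    {
        var conn = new SqlConnection(connectionString);
        try
        {
            conn.Open();
            return conn;
        }
        catch (SqlException ex)
        {
            conn.Dispose();
            // Full details (error number, server text) go to the server-side log only.
            Log(ex);
            // The UI should show only .Message; the original stays as InnerException for diagnostics.
            throw new DataAccessException("The data store is currently unavailable.", ex);
        }
    }

    private static void Log(SqlException ex)
    {
        // Placeholder for the application's logging sink (event log, file, ...).
        Console.Error.WriteLine("[" + DateTime.UtcNow.ToString("o") + "] SqlException "
                                + ex.Number + ": " + ex.Message);
    }
}
```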
Anand Kumar
I have 3 years of experience in the .NET environment. My core expertise is developing robust service components using ATL COM, Remoting and Web Services, and I am very passionate about Microsoft Patterns and Practices and .NET performance. Apart from my regular work I actively participate in various Microsoft User Groups and share my knowledge and articles.