SQL Injection or Script Injection - MVC-5 - Is it a concern?


1

I am developing an application in MVC-5 and have read several articles about SQL Injection.

I wonder if I have to take any security measures or modify my select commands, or if in fact MVC-5 already has shielding against this situation.

Throughout my project I am using the format below to select data from my tables:

    // The key value CH is concatenated directly into the SQL text
    string query = "SELECT * FROM TABELA WHERE CHAVE = '" + CH + "'";
    using (var connection = new SqlConnection(ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString))
    using (var command = new SqlCommand(query, connection))
    {
        connection.Open();
        using (var reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // read the row
            }
        }
    }
  • 1

    This code has nothing to do with ASP.NET MVC, but it is totally susceptible to injection of anything. I think the question is very broad and would need more focus. If you use MVC correctly, and if you use ADO.NET, EF or another access mechanism correctly, then you will not have SQL Injection problems. Script Injection depends on other factors. See if you find anything useful: http://answall.com/search?q=sql+injection But I would advise a more structured study of software development as a whole.

  • I believe that one way to prevent it is by using stored procedures or ORMs (with lower performance compared to stored procedures).

  • 1

    Stored procedure?? ADO.NET has had the AddParameter feature for years, which already solves this SQL Injection problem.

2 answers

2

I think there is a mix-up going on between the technologies.

ASP.NET MVC is a framework for the WEB; as such, it is capable of protecting against:

  • HTML Injection, when someone places HTML tags in a text field, for example.
  • Script Injection, when someone puts a script tag in a text field, for example.

For these two, the validation is double: it does not let this type of string in, but if you force it to be allowed, it will do HTML Encoding when showing it on the screen, to ensure that these tags appear as plain text and not HTML, making them harmless.

It also has cross-scripting protection, using a ValidationToken.

All this has to do with a WEB interface, which is what MVC is.

As for SQL Injection, what can provide you with ready-made security is the Entity Framework. It is highly recommended to use it. It will sanitize any value before putting it in a query. You no longer even need to write queries, just use lambda expressions.

Your example would be:

    var dado = db.Tabela.Where(x => x.Chave == CH).SingleOrDefault();

It will clean the value of CH to avoid dangerous characters like SQL comments, single quotes, etc.

But there are many ways to protect yourself; however, most are not "ready-made".

I hope it helps...

1

Instead of concatenating strings to form your query, use Parameters.Add of SqlCommand to prevent SQL Injection.

Below is an example applied to your code:

    string query = "SELECT * FROM TABELA WHERE CHAVE = @CH";

    // "connection" is the SqlConnection created in your using block
    using (var command = new SqlCommand(query, connection))
    {
        // The value travels as a parameter and is never parsed as SQL text
        SqlParameter param  = new SqlParameter();
        param.ParameterName = "@CH";
        param.Value         = CH;

        command.Parameters.Add(param);

        connection.Open();

        using (var reader = command.ExecuteReader())
        {
            while (reader.Read())
            {
                // read the row
            }
        }
    }
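As an added example (not from the question or either answer), the question's lookup rewritten with a typed, sized parameter, next to the concatenated form it replaces, so that an input containing a single quote such as O'BRIEN shows the difference: it breaks the concatenated SQL text, but is just a value to the parameterized query. TABELA, CHAVE and the "ConnectionString" name come from the question; the column type NVARCHAR(50) and the class name are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class TabelaRepository
{
    // Form from the question: the value becomes part of the SQL text, so any
    // quote or comment sequence in it is interpreted by SQL Server as syntax.
    public static string BuildConcatenatedQuery(string ch)
    {
        return "SELECT * FROM TABELA WHERE CHAVE = '" + ch + "'";
    }

    // Hardened form: the SQL text is fixed and the value is sent separately
    // as a typed parameter, never parsed as SQL whatever characters it holds.
    public static List<string> FindByChave(string ch)
    {
        const string query = "SELECT * FROM TABELA WHERE CHAVE = @CH";
        var rows = new List<string>();

        // Connection string name as used in the question (assumed to exist in config).
        string cs = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;

        using (var connection = new SqlConnection(cs))
        using (var command = new SqlCommand(query, connection))
        {
            // Declaring type and size matches the column and avoids implicit
            // conversions; CHAVE as NVARCHAR(50) is an assumption about the table.
            command.Parameters.Add("@CH", SqlDbType.NVarChar, 50).Value = ch;

            connection.Open();
            using (var reader = command.ExecuteReader())
            {
                while (reader.Read())
                {
                    rows.Add(reader["CHAVE"].ToString());
                }
            }
        }
        return rows;
    }
}
```

BuildConcatenatedQuery("O'BRIEN") yields a statement with an unbalanced quote that SQL Server rejects, while FindByChave("O'BRIEN") runs cleanly and simply matches that literal value.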
