-
Mar 12th, 2003, 04:33 PM
#1
Thread Starter
PowerPoster
How to stop SQL Injection...need help.
Hello,
I am coding an ASP.Net app, and I need a search function. I understand that SQL injection can be a problem, so I am trying to prevent it if it happens. Here is what I have so far:
Code:
private string RemoveSqlInjectionAttacks(string searchString)
{
    // Keywords and tokens to strip from the search term.
    string[] badStrings = {"select", "drop", ";", "--", "insert", "delete", "xp_"};
    // Replace single quotes with double single quotes.
    searchString = searchString.Replace("'", "''");
    // Remove all the strings that can do damage (case-sensitive match).
    for (int i = 0; i <= badStrings.GetUpperBound(0); i++)
    {
        searchString = searchString.Replace(badStrings[i], "");
    }
    return searchString;
}
How does it look? Will this stop all of them? If anyone has anything to add to it, I would appreciate it.
-
Mar 12th, 2003, 05:03 PM
#2
Member
I have one suggestion. I would store all of the injection characters in your XML application settings file, so if you need to add or delete any elements, it's as easy as opening your file in Notepad and making the modification. Rather than hard coding your array elements, you can dynamically load the array from your XML. Not only do I think this will make your code cleaner, but it will also make it much easier to maintain in the future. Let me know if you need an example.
-
Mar 12th, 2003, 07:58 PM
#3
Frenzied Member
Also, you can avoid SQL injection if you use stored procedures instead of building the SQL statements on the fly. I recently got a book from MS called Writing Secure Code, which tells you how to avoid situations like this.
When I get home I'll post some more info.
Don't gain the world and lose your soul
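Post #3's advice put into code, as an added example that is not from any poster in this thread: the search term is passed as a SqlParameter (to either an inline query or a stored procedure) instead of being spliced into the SQL text, which is what makes the blacklist in post #1 unnecessary. The connection string, the Products table and columns, and the procedure name usp_SearchProducts are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

public class ProductSearch
{
    // Placeholder connection string; not a real server.
    private const string ConnectionString =
        "Server=(local);Database=AppDb;Integrated Security=true";

    // What post #1's blacklist is guarding: the term is spliced into the SQL
    // text, so a quote inside it ends the literal and the rest is read as SQL.
    public static string BuildUnsafeQuery(string searchString)
    {
        return "SELECT Id, Name FROM Products WHERE Name LIKE '%" + searchString + "%'";
    }

    // Safe pattern: the term is sent as a parameter value, so the server never
    // parses it as SQL and no word or character needs to be stripped.
    public static DataTable Search(string searchString)
    {
        return Run("SELECT Id, Name FROM Products WHERE Name LIKE @term",
                   CommandType.Text, "%" + searchString + "%");
    }

    // Same thing through a stored procedure, as post #3 suggests. The procedure
    // usp_SearchProducts (taking @term) is hypothetical.
    public static DataTable SearchViaProcedure(string searchString)
    {
        return Run("usp_SearchProducts", CommandType.StoredProcedure, searchString);
    }

    private static DataTable Run(string commandText, CommandType type, string term)
    {
        DataTable results = new DataTable();
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(commandText, conn))
        {
            cmd.CommandType = type;
            // The value is typed and length-limited; LIKE wildcards live in the
            // value, never in the SQL text.
            cmd.Parameters.Add("@term", SqlDbType.NVarChar, 200).Value = term;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                results.Load(reader);
            }
        }
        return results;
    }
}
```

BuildUnsafeQuery is there only for contrast with Search; nothing in the class executes it.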
-
Mar 12th, 2003, 08:35 PM
#4
Thread Starter
PowerPoster
DevGrp: I would appreciate that.
SimonVega: I would end up doing that because the app needs to be highly configurable. Thanks.
-
Mar 12th, 2003, 09:36 PM
#5
Frenzied Member
Don't gain the world and lose your soul