2

I have an internal website (going on the intranet) that is going to go through vigorous testing to make sure that it is secure, so I am battening down the hatches so to speak and I coded a .NET repeater to Bind to a .NET SqlDatasource in the aspx page, not in the code behind. I use the SelectParameters tags to insert the string that is needed from a text box in order to run the query.

I am wondering just how safe this is from SQL Injection and other vulnerabilities.

 <asp:SqlDataSource ID="DataGetAppServer" runat="server" ConnectionString="<%$ ConnectionStrings:testConn %>"
     SelectCommand="SELECT [Server] FROM [ServerTracking] WHERE ([UserName] = @UserName)">
     <SelectParameters>
         <asp:ControlParameter ControlID="txtUser" Name="UserName" PropertyName="Text" Type="String" />
     </SelectParameters>
 </asp:SqlDataSource>

Do I need to do more for this?

Improve this question

2 Answers 2

Reset to default
3

It is safe. You have used SqlParameters so you don't need to worry about SQLi in this case.

There are situations where using parameters might not protect you from SQLi, like using a parameter to construct dynamic SQL in a stored proc, but there isn't anything like that going on here.

This is a textbook example of when parameterization prevents injection.

Improve this answer
2

This is not susceptible to SQL injection. This method incorporates the prototypical advice for avoiding SQL injection, which is to use parameterized queries. This explicitly separates the data in the arguments from the executable code.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.