As I know that site was built using php & mysql.
In ASP.Net, such SQL injection attack can avoid if we follow standard guidelines. As a developer keep followings in mind.
- Always, don’t believe in what user has input.
- If executes SQL command from a page, don’t use concatenated SQL commands. Always use respective DbParameter class to build a command string.
Following example using SQLParamerter.
Incorrect
“SELECT cusid,cusname FROM customer WHERE cusid= “ + userinput “
Correct
“SELECT cusid,cusname FROM customer WHERE cusid= @userinput “ - In the production version of your web application, turn off tracing and avoid
<customErrors mode="Off"/>setting in web.config. - Don’t give error messages that intruder can guess information about your database.
No comments:
Post a Comment