Is SqlDataSource Safe?
Does Using SqlDataSource Make Your Web Site Vulnerable to SQL Injection Attacks?
October 30, 2009
Ask the PRO
LANGUAGES: All
ASP.NET VERSIONS: 1.x | 2.0
By Jeff Prosise
Q: I've been playing with the ASP.NET 2.0 beta and I like the new data source controls. However, I'm concerned about security. If I use SqlDataSource, am I now vulnerable to SQL injection attacks, since I don't get a chance to validate query string parameters?
A: You'll be glad to know that letting SqlDataSource handle query string parameters for you does not increase your vulnerability to SQL injection attacks. Here's why:

First, SqlDataSource uses parameterized commands internally. Each QueryStringParameter (or any other SelectParameter) is handed to the provider as a DbParameter, so the value travels to the server as data and is never spliced into the SQL text; a payload such as ' OR 1=1 arrives as a literal string (or fails type conversion, if you set Type="Int32") instead of becoming part of the query. Parameterized commands provide one solid level of protection against malicious input. The one way to throw it away is to build the SelectCommand string yourself in code by concatenating request values, which is dynamic SQL again.

Second, you can use stored procedures with SqlDataSource by setting SelectCommandType to StoredProcedure. Stored procedures afford similar protection against malicious input, provided the procedure does not itself rebuild the query from concatenated strings with EXEC. They also let you lock down the database account: grant the account the Web app uses EXECUTE permission on the procedures and nothing else, and it cannot do anything but call those procedures even if an attacker somehow managed to inject a statement.

Third, you can still validate query string parameters yourself if you want to. Do it in Page_Init, which runs before SqlDataSource queries the database (the control does not execute its SelectCommand until the bound control, a GridView for example, data-binds late in the page life cycle). SqlDataSource also raises a Selecting event immediately before the command runs, where you can inspect the bound parameter values and set e.Cancel to stop the query.
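An added example (mine, not the column's or Wintellect's code) that puts the three points above into one single-file ASP.NET 2.0 page: a SqlDataSource whose SelectCommand is parameterized and bound from the query string, the same data source in its stored-procedure form, a Page_Init check and a Selecting handler that validate the value before any command runs, and, for contrast only, the hand-concatenated SqlCommand that the control spares you from. The Products table and its columns, the connection string named Northwind and the procedure GetProductsByCategory are assumptions, not anything the column specifies.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Data.Common" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script runat="server">
    // Added example, not the column's code. Assumes a Products table
    // (ProductID, ProductName, UnitPrice, CategoryID), a web.config connection
    // string named "Northwind", and a stored procedure
    // GetProductsByCategory(@CategoryID int). All three are assumptions.

    // Third point: validate the raw query string in Page_Init, which runs
    // long before the GridView data-binds and the SqlDataSource executes.
    protected void Page_Init(object sender, EventArgs e)
    {
        string raw = Request.QueryString["cat"];
        int cat;
        if (raw != null && (!int.TryParse(raw, out cat) || cat < 1 || cat > 9999))
        {
            // Anything other than a small positive integer is rejected outright.
            Response.StatusCode = 400;
            Response.End();
        }
    }

    // Second line of defence: inspect the *bound* parameter just before the
    // command runs. e.Command is the DbCommand the control built; its text is
    // still the literal SelectCommand and the value lives in a DbParameter.
    protected void Products_Selecting(object sender, SqlDataSourceSelectingEventArgs e)
    {
        // The "@" prefix is added by the control for the SqlClient provider.
        DbParameter p = e.Command.Parameters["@CategoryID"];
        if (p.Value == DBNull.Value || Convert.ToInt32(p.Value) < 1)
        {
            e.Cancel = true;   // no SQL is sent to the server at all
        }
    }

    // For contrast only, never call this: hand-written dynamic SQL. With
    // ?cat=1%20OR%201%3D1 the text becomes "... WHERE CategoryID = 1 OR 1=1"
    // and every product comes back. The parameterized data source above would
    // instead fail to convert "1 OR 1=1" to an Int32 before any SQL is sent.
    static SqlCommand VulnerableCommand(SqlConnection cn, string cat)
    {
        string sql = "SELECT ProductID, ProductName FROM Products WHERE CategoryID = " + cat;
        return new SqlCommand(sql, cn);
    }
</script>

<html>
<body>
<form id="form1" runat="server">

    <%-- First point: the parameter is passed as data, not spliced into the text.
         Type="Int32" makes the control convert ?cat= to an int; a non-numeric
         value fails conversion and never reaches SQL Server. --%>
    <asp:SqlDataSource ID="Products" runat="server"
        ConnectionString="<%$ ConnectionStrings:Northwind %>"
        SelectCommand="SELECT ProductID, ProductName, UnitPrice FROM Products WHERE CategoryID = @CategoryID"
        OnSelecting="Products_Selecting">
        <SelectParameters>
            <asp:QueryStringParameter Name="CategoryID" QueryStringField="cat"
                Type="Int32" DefaultValue="0" />
        </SelectParameters>
    </asp:SqlDataSource>

    <%-- Second point: the same query behind a stored procedure. Grant the Web
         app's login EXECUTE on the procedure only; it then needs no rights on
         the table itself. The procedure must not build its own dynamic SQL. --%>
    <asp:SqlDataSource ID="ProductsBySproc" runat="server"
        ConnectionString="<%$ ConnectionStrings:Northwind %>"
        SelectCommand="GetProductsByCategory" SelectCommandType="StoredProcedure">
        <SelectParameters>
            <asp:QueryStringParameter Name="CategoryID" QueryStringField="cat"
                Type="Int32" DefaultValue="0" />
        </SelectParameters>
    </asp:SqlDataSource>

    <asp:GridView ID="Grid" runat="server" DataSourceID="Products" />

</form>
</body>
</html>
```

Drop the page into an ASP.NET 2.0 site with a Northwind connection string and request it as Default.aspx?cat=1. Requesting ?cat=1%20OR%201%3D1 gets a 400 from Page_Init; comment that handler out and the QueryStringParameter's Int32 conversion fails instead, which is the point of the first reason above. Switch the GridView's DataSourceID to ProductsBySproc to exercise the stored-procedure form.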
Used properly, SqlDataSource controls are no less secure than hand-written data access code. In fact, sometimes they're more secure, because of some developers' propensity to build dynamic SQL commands by string concatenation instead of using parameterized commands or stored procedures; with SqlDataSource, the parameterized form is the path of least resistance.

Remember to practice other secure coding procedures, too. For example, never use the sa account (or an equivalent) to access a database from a Web app; give the application its own login with only the permissions it needs. Consider encrypting your database connection strings: in ASP.NET 2.0, aspnet_regiis -pe connectionStrings -app /YourApp encrypts the connectionStrings section of web.config in place, and the runtime decrypts it transparently when it reads the configuration. A few common-sense measures like these can make life miserable for hackers.
Jeff Prosise is the author of several books, including Programming Microsoft .NET (Microsoft Press, 2002). He's also a cofounder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET. Have a question for this column? Submit queries to [email protected].