Is SqlDataSource Safe?

AskthePRO

LANGUAGES: All

ASP.NET VERSIONS: 1.x | 2.0

Is SqlDataSourceSafe?

DoesUsing SqlDataSource Make Your Web Site Vulnerable to SQL Injection Attacks?

By JeffProsise

Q:I've been playing with the ASP.NET 2.0 beta and I like the new data source controls.However, I'm concerned about security. If I use with SqlDataSource, am I now vulnerableto SQL injection attacks, since I don't get a chance to validate query stringparameters?

A:You'll be glad to know that letting SqlDataSource handle query stringparameters for you does not increase your vulnerability to SQL injectionattacks. Here's why:

Usedproperly, SqlDataSource controls are no less secure than hand-writtendata access code. In fact, sometimes they're more secure, because of somedevelopers' propensity to use dynamic SQL commands instead of parameterizedcommands or stored procedures.

Rememberto practice other secure coding procedures, too. For example, never use the saaccount (or an equivalent) to access a database from a Web app, and considerencrypting your database connection strings. A few common-sense measures likethese can make life miserable for hackers.

JeffProsise is theauthor of several books, including Programming Microsoft.NET (Microsoft Press,2002). He's also a cofounder of Wintellect (http://www.wintellect.com),a software consulting and education firm that specializes in .NET. Have aquestion for this column? Submit queries to [email protected].