SQL Injection Defense


A SQL Injection vulnerability in your application can ruin your whole day. In this video, Microsoft’s Joe Stagner explains how SQL Injection attacks can happen, what a bad guy can do with them, and how to protect your ASP.NET application from SQL Injection vulnerabilities.

Presented by Joe Stagner

Duration: 25 minutes, 35 seconds

Date: 29 October 2009


Hornwood509 : On October 30, 2009 11:22 AM said:

Thanks Joe!

Knew Injection attacks were supposed to be easy, but THIS easy?!?!

mhpc911 : On November 01, 2009 1:18 PM said:

Thank you Joe. I appreciate the information very much. Keep up the good work.

arlen_bs : On November 02, 2009 3:51 AM said:

thxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

it's gr8888888888888888888888888888888888888888888888888888

haithemara : On November 04, 2009 9:16 PM said:

good video Joe.

grettir : On November 04, 2009 10:35 PM said:

Thanks Joe, good video.

Parameterization of the SQL queries is a popular way to reduce the threat of SQL injection. Sometimes RegEx functions are used along with it to fortify the defence.

cruncher06 : On November 05, 2009 8:00 PM said:

Excellent information Joe; I have wanted more information in how to protect my site against security threats. Looking forward to the sample code as well as more security videos.

Thanks.

geoffHome : On November 09, 2009 5:15 AM said:

Excellent video. So glad I'm moving to LINQ!

ramaraju_r : On November 09, 2009 6:59 PM said:

Thanks!! It's very helpful. Where can I get the source code?

villamouri : On November 12, 2009 10:27 AM said:

Good tips, thanks.

However, it is my understanding that putting all input box text through string.replace("'","''") will stop every type of SQL attack on MS SQL Server. This stops all attempts to terminate the quotes and input any extra commands.

If this is not the case, can anyone give me an example where it would not work? I would like to know if there are any examples, as this method is what I have used for years.
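The two defenses discussed in this thread, quote-doubling (the string.replace("'","''") approach asked about above) and parameterized queries (mentioned earlier in the thread), side by side as an added example; this is not code from the video or from Microsoft. It uses Python's sqlite3 module with an in-memory database so it runs offline, and the table, rows and input strings are constructed here for illustration. The principle carries over unchanged to ASP.NET and SQL Server, where the parameterized form is a SqlCommand with SqlParameter values instead of a concatenated string.

```python
import sqlite3


def setup_db():
    """Constructed sample data: an in-memory table standing in for a real user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users (id, name, is_admin) VALUES (?, ?, ?)",
        [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)],
    )
    return conn


def double_quotes(value):
    """The defense from the comment: string.replace("'", "''")."""
    return value.replace("'", "''")


def lookup_by_name_escaped(conn, name):
    """String column, value wrapped in quotes, quote-doubling applied.

    Here the doubling does its job: a single quote in the input can no longer
    close the literal, so the whole input stays inside the string.
    """
    sql = f"SELECT id FROM users WHERE name = '{double_quotes(name)}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_escaped(conn, user_id):
    """Numeric column, value NOT wrapped in quotes, quote-doubling applied.

    This is the case the comment's argument misses: the input is spliced into
    the statement without any quotes, so there is no quote to terminate and
    nothing for the replace() to act on. Whatever the input contains is
    parsed as SQL.
    """
    sql = f"SELECT id FROM users WHERE id = {double_quotes(user_id)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_by_id_param(conn, user_id):
    """Parameterized query: the value is bound as data, never parsed as SQL.

    A value that is not a valid integer simply matches no row; the statement
    text is fixed before the input is ever seen by the database.
    """
    return [row[0] for row in conn.execute("SELECT id FROM users WHERE id = ?", (user_id,))]


def compare_defenses():
    """Run both approaches against a normal value and a hostile one.

    Returns a dict of result lists so the outcome can be checked programmatically.
    """
    conn = setup_db()
    hostile_name = "alice' OR '1'='1"   # constructed input aimed at a quoted string field
    hostile_id = "1 OR 1=1"             # constructed input aimed at an unquoted numeric field
    return {
        "escaped_name_normal": lookup_by_name_escaped(conn, "alice"),
        "escaped_name_hostile": lookup_by_name_escaped(conn, hostile_name),
        "escaped_id_normal": lookup_by_id_escaped(conn, "2"),
        "escaped_id_hostile": lookup_by_id_escaped(conn, hostile_id),
        "param_id_normal": lookup_by_id_param(conn, "2"),
        "param_id_hostile": lookup_by_id_param(conn, hostile_id),
    }


if __name__ == "__main__":
    for label, rows in compare_defenses().items():
        print(f"{label:22s} -> {rows}")
```

The escaped numeric lookup returns every row for the hostile input, because the statement it builds has no quotes for the replace() to protect, while the parameterized version returns nothing for the same input and the correct row for a legitimate id. Quote-doubling only defends the code paths where a developer remembered to quote the value and where the input actually lands inside that literal; binding parameters makes the statement text independent of the input everywhere, which is why it is the defense the video and the thread recommend.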
