{"id":170,"date":"2008-10-06T17:06:50","date_gmt":"2008-10-06T15:06:50","guid":{"rendered":"http:\/\/unckel.com\/blog\/?p=170"},"modified":"2019-12-07T22:29:22","modified_gmt":"2019-12-07T21:29:22","slug":"asp-net-sql-injection-vermeiden","status":"publish","type":"post","link":"https:\/\/unckel.de\/blog\/asp-net-sql-injection-vermeiden\/","title":{"rendered":"ASP.NET: SQL-Injection vermeiden"},"content":{"rendered":"

SQL-Injection<\/a>\u00a0lassen sich in ASP.NET sehr einfach vermeiden. Sowohl bei der Verwendung von WebControls als auch „von Hand“.<\/p>\n

Hier am Beispiel einer AccessDataSoucre mit einer \u00dcbergabe der ID in der URL (= GET):<\/p>\n

<asp:AccessDataSource ID=\"AccessDataSource1\" runat=\"server\"\n    SelectCommand=\"SELECT * FROM Tab1 WHERE ID = ?\">\n    <SelectParameters>\n        <asp:QueryStringParameter Name=\"ID\"\n          QueryStringField=\"ID\" Type=\"INT32\" \/>\n    <\/SelectParameters>\n<\/asp:AccessDataSource><\/pre>\n
Per Code (ohne DataSoucre-Controls) kann das so aussehen:<\/p>\n
string sqlStr = \"SELECT * FROM Tab WHERE CategoryID = ? AND Date = ?\";\nusing (OleDbConnection conn = new OleDbConnection(...))\n{\n  using (OleDbCommand cmd = new OleDbCommand(sqlStr, conn))\n  {\n    cmd.CommandType = CommandType.Text;\n    cmd.Parameters.AddWithValue(\"CategoryID \", Request.QueryString[\"CatID\"]);\n    cmd.Parameters.AddWithValue(\"Date \", DateTime.Now.Year);\n \n    conn.Open();\n    using (OleDbDataReader reader = cmd.ExecuteReader())\n    {\n      while (reader.Read())\n      {\n        output = reader[\"Article\"].ToString();\n      }\n    }\n  }\n}<\/pre>\n
via: mikesdotnetting.com. Da gibt’s das auch noch f\u00fcr SQL-INSERT, -UPDATE, -DELETE und VB-Code:
\nhttp:\/\/www.mikesdotnetting.com\/Article\/26\/Parameter-Queries-in-ASP.NET-with-MS-Access<\/a><\/p>\n
Mehr zum Thema:
\nhttp:\/\/de.wikipedia.org\/wiki\/SQL_Injection<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
SQL-Injection\u00a0lassen sich in ASP.NET sehr einfach vermeiden. Sowohl bei der Verwendung von WebControls als auch „von Hand“. Hier am Beispiel einer AccessDataSoucre mit einer \u00dcbergabe der ID in der URL (= GET): <asp:AccessDataSource ID=“AccessDataSource1″ runat=“server“ SelectCommand=“SELECT * FROM Tab1 WHERE ID = ?“> <SelectParameters> <asp:QueryStringParameter Name=“ID“ QueryStringField=“ID“ Type=“INT32″ \/> <\/SelectParameters> <\/asp:AccessDataSource> Per Code (ohne DataSoucre-Controls) […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[71],"tags":[],"class_list":["post-170","post","type-post","status-publish","format-standard","hentry","category-webdesign"],"_links":{"self":[{"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/posts\/170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/comments?post=170"}],"version-history":[{"count":1,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/posts\/170\/revisions"}],"predecessor-version":[{"id":836,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/posts\/170\/revisions\/836"}],"wp:attachment":[{"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/media?parent=170"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/categories?post=170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unckel.de\/blog\/wp-json\/wp\/v2\/tags?post=170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}