From the course: ASP.NET: Security

SQL injection with ADO.NET

- [Instructor] Do you remember the OWASP Top Ten List we've had a look at earlier? The number one issue there was injection, and there are several kinds of injections. Basically what this point means in 99% of all cases Turns out, this is still a big problem, but when I'm conducting security audits that's something I see very rarely, so I'm rather quick in covering this, and I also have to tweak the application quite a bit in order to make SQL injection possible for an attacker. This is code like it was written, I would say, one or two decades ago using ADO.NET, and basically we are using string concatenation to assemble a string in SQL syntax. You could also use string.Format or other ways of coupling together that string, but basically that string is here. It is using a value id which can be supplied by the user, and, well, then basically we create a command and then we execute that command. And that raw SQL that we create here can be manipulated by the user because the user provides the…
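The concatenation pattern described in the transcript, next to its parameterized form, as an added example that is not the course's own code. The table `Products`, the column `Id`, the class and method names, and the sample inputs are assumptions; the commands are only built and inspected, never executed, so no database is needed.

```csharp
// Added example, not the course's code. Table "Products", column "Id" and the
// sample inputs are assumptions made for illustration.
using System;
using System.Data;
using Microsoft.Data.SqlClient; // NuGet package; System.Data.SqlClient exposes the same types

static class ProductQueries
{
    // The pattern described in the transcript: user input is concatenated into the SQL text.
    public static SqlCommand BuildConcatenated(string id) =>
        new SqlCommand("SELECT Id, Name FROM Products WHERE Id = " + id);

    // Hardened form: constant SQL text, the value travels as a typed parameter.
    public static SqlCommand BuildParameterized(string id)
    {
        // Reject anything that is not an integer before it reaches the database.
        if (!int.TryParse(id, out int parsed))
            throw new ArgumentException("id must be an integer", nameof(id));

        var cmd = new SqlCommand("SELECT Id, Name FROM Products WHERE Id = @id");
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = parsed;
        return cmd;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed inputs: one expected value, one that changes the WHERE clause.
        string[] inputs = { "42", "42 OR 1=1" };
        foreach (var input in inputs)
        {
            Console.WriteLine($"input: {input}");
            // Concatenation: the input becomes part of the statement itself.
            Console.WriteLine("  concatenated:  " + ProductQueries.BuildConcatenated(input).CommandText);
            try
            {
                var cmd = ProductQueries.BuildParameterized(input);
                // The statement text is identical for every accepted input.
                Console.WriteLine($"  parameterized: {cmd.CommandText} [@id={cmd.Parameters["@id"].Value}]");
            }
            catch (ArgumentException ex)
            {
                Console.WriteLine("  parameterized: rejected (" + ex.Message + ")");
            }
        }
    }
}
```

In the concatenated command the second input changes the statement's `WHERE` clause, while the parameterized builder keeps the SQL text constant and refuses the non-integer value before a command is created.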
