How to prevent SQL injection in dynamic sql for .Net Web API?

I just can't find the answers that I like.

I would like to do something like:

public class TestSqlInjectionController : ApiController
{
    public IEnumerable<TestSqlInjectionUser> Get([ValidateSqlInjection]string usernameFilter = null)
    {
        // method body omitted in the original question
    }
}

where [ValidateSqlInjection] throws an error if the input filter contains ;, --, DROP or DELETE.

So, I will have a convenient list.

Then create a custom attribute:

[FilterField1ValidateSqlInjection]

Here it is possible to split the comma separated list into an array.

Then loop through the array and make sure that each element matches one of the values in the enumeration.

Does it sound like I am going in the right direction?

The problem is that we have to use dynamic SQL for a lot of search, sorting and filtering. There is no such thing.


, , , .NET Injection?

+4
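The approach the question leans towards, a whitelist (enumeration) of allowed field names rather than a blacklist of substrings like ; or DROP, is the right one: a substring blacklist blocks legitimate values such as "O'Brien" or "Dropbox" and still does not address the actual problem, which is user text becoming part of the SQL statement. The following is an added example, not code from the question or from any project it refers to, showing how that whitelist combines with parameterised queries for dynamic filtering and sorting in ASP.NET Web API 2. Every column name that reaches the SQL text comes from the whitelist mapping, every user-supplied value goes into a SqlParameter, and the table, column and type names (Users, TestSqlInjectionUser, UserSearchRequest, AllowedUserFields) are assumptions for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Data.SqlClient;
using System.Linq;
using System.Text;
using System.Web.Http;

// Whitelist: public field names the API accepts, mapped to real column names.
// Only the mapped column text is ever concatenated into the SQL string.
// (Hypothetical table and column names.)
public static class UserColumns
{
    public static readonly IReadOnlyDictionary<string, string> Allowed =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["username"]  = "Username",
            ["email"]     = "Email",
            ["createdAt"] = "CreatedAt",
        };
}

// Validation attribute for a comma-separated list of field names such as
// "username,email": the request is rejected if any name is not whitelisted.
public sealed class AllowedUserFieldsAttribute : ValidationAttribute
{
    protected override ValidationResult IsValid(object value, ValidationContext context)
    {
        if (value == null) return ValidationResult.Success;   // optional field
        var unknown = value.ToString().Split(',')
            .Select(f => f.Trim())
            .Where(f => f.Length > 0 && !UserColumns.Allowed.ContainsKey(f))
            .ToList();
        return unknown.Count == 0
            ? ValidationResult.Success
            : new ValidationResult("Unknown field(s): " + string.Join(", ", unknown));
    }
}

// Query-string model bound with [FromUri]; Web API validates attributes on its properties.
public class UserSearchRequest
{
    public string UsernameFilter { get; set; }
    [AllowedUserFields] public string SortBy { get; set; }
    public bool Descending { get; set; }
}

public sealed class BuiltQuery
{
    public string Sql { get; set; }
    public List<SqlParameter> Parameters { get; set; }
}

public static class UserQueryBuilder
{
    // Builds e.g. "SELECT ... FROM Users WHERE Username LIKE @p0 ORDER BY CreatedAt DESC".
    // Filter values are always parameters. ORDER BY cannot be parameterised in
    // SQL Server, so the column name is taken from the whitelist, never from the request.
    public static BuiltQuery Build(UserSearchRequest req)
    {
        var sql = new StringBuilder("SELECT Id, Username, Email, CreatedAt FROM Users");
        var parameters = new List<SqlParameter>();

        if (!string.IsNullOrEmpty(req.UsernameFilter))
        {
            sql.Append(" WHERE Username LIKE @p0");
            // Escape LIKE wildcards so a filter such as "50%" matches literally.
            var pattern = req.UsernameFilter
                .Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]") + "%";
            parameters.Add(new SqlParameter("@p0", pattern));
        }

        if (!string.IsNullOrEmpty(req.SortBy))
        {
            var dir = req.Descending ? " DESC" : " ASC";
            var columns = req.SortBy.Split(',').Select(f => f.Trim()).Where(f => f.Length > 0)
                .Select(f => UserColumns.Allowed[f] + dir);   // throws if a name is not whitelisted
            sql.Append(" ORDER BY ").Append(string.Join(", ", columns));
        }
        return new BuiltQuery { Sql = sql.ToString(), Parameters = parameters };
    }
}

public class TestSqlInjectionController : ApiController
{
    private const string ConnectionString = "<connection string here>";   // placeholder

    public IHttpActionResult Get([FromUri] UserSearchRequest request)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);   // attribute rejected a field name
        var query = UserQueryBuilder.Build(request ?? new UserSearchRequest());
        var users = new List<TestSqlInjectionUser>();
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(query.Sql, conn))
        {
            cmd.Parameters.AddRange(query.Parameters.ToArray());
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    users.Add(new TestSqlInjectionUser { Username = reader.GetString(1), Email = reader.GetString(2) });
        }
        return Ok(users);
    }
}

public class TestSqlInjectionUser { public string Username { get; set; } public string Email { get; set; } }
```

A request such as GET /api/TestSqlInjection?usernameFilter=ali&sortBy=createdAt&descending=true produces the SQL "SELECT Id, Username, Email, CreatedAt FROM Users WHERE Username LIKE @p0 ORDER BY CreatedAt DESC" with @p0 = "ali%", while sortBy=Password fails model validation with a 400 before any SQL is built. The same pattern extends to any number of filter fields: add the field to the whitelist, allocate a new @pN parameter per value, and never let the user's text choose the operator or column.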

Source: https://habr.com/ru/post/1617145/
