ASP.NET: validating the querystring
Server variables are also part of the request, and request validation applies to them too.
If you are a C# user, you can easily convert the VB code. A complete downloadable project and implementation steps will be provided at the end of the tutorial. For example, in the tutorial above it is obvious that you are passing id numbers in the query string, so the value can be checked as an integer before it goes anywhere near a query.
Using stored procedures or an ORM does not by itself make you safe: you still need to be careful about how you pass values to a SPROC, and make sure that whenever you escape or customize a query with an ORM you do it in a safe way.
2) Always conduct a security review of your application before you ever put it in production, and establish a formal security process to review all code any time you make updates. Too often I hear of teams that conduct a really detailed security review before going live, then have some "really minor" update they make to the site weeks or months later where they skip doing a security review ("it is just a tiny update - we'll code review it later").

My personal opinion is that passwords should always be one-way hashed (I don't even like to store them encrypted). The ASP.NET 2.0 Membership API does this for you automatically by default (and also implements secure salt randomization behavior).
Michael Sutton recently published a very sobering post about just how widespread this issue is on the public web.
He built a C# client application that uses the Google Search API to look for sites vulnerable to SQL Injection Attacks.
But because the parameter value hasn't been SQL-encoded, a hacker could just as easily modify the querystring value to embed additional SQL statements after the value, which the database will then execute.
The steps to achieve this were simple. Of a random sample of 1,000 sites he found via his Google search, he detected a possible SQL injection vulnerability in 11.3% of them. That means attackers can remotely exploit the data in those applications, retrieve any unhashed or unencrypted passwords or credit-card data, and potentially even log themselves in as administrators of the application.
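The unencoded querystring parameter described above, beside its parameterized form, as an added example that is not code from the original post. It also covers the two earlier points on this page: checking a numeric id before it reaches a query, and why a stored procedure is only as safe as the way you call it. The table, column and procedure names (Authors, au_id, dbo.GetProductById) and the class name are assumptions for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Schema names are assumptions.
public static class QueryStringLookup
{
    // VULNERABLE: the raw querystring value becomes part of the SQL text.
    //   ?id=172-32-1176        -> ... WHERE au_id = '172-32-1176'
    //   ?id=' OR 1=1--         -> ... WHERE au_id = '' OR 1=1--'   (every row)
    //   ?id='; DROP TABLE Authors--   appends a second statement to execute.
    public static SqlCommand BuildVulnerableCommand(SqlConnection conn, string rawId)
    {
        string sql = "SELECT * FROM Authors WHERE au_id = '" + rawId + "'";
        return new SqlCommand(sql, conn);
    }

    // HARDENED: the statement text is fixed and the value travels as a typed
    // parameter, so a quote inside rawId is data, never SQL syntax.
    public static SqlCommand BuildParameterizedCommand(SqlConnection conn, string rawId)
    {
        var cmd = new SqlCommand("SELECT * FROM Authors WHERE au_id = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.VarChar, 11).Value = rawId;
        return cmd;
    }

    // When the id is known to be numeric, parse it first: anything that is not
    // a positive integer is rejected before any query is built.
    public static bool TryParseId(string rawId, out int id)
    {
        return int.TryParse(rawId, out id) && id > 0;
    }

    // Stored procedures do not make you safe on their own. Pass values as
    // parameters rather than building an EXEC string:
    //   BAD:  new SqlCommand("EXEC dbo.GetProductById " + rawId, conn)
    //   GOOD: CommandType.StoredProcedure plus a SqlParameter (below)
    // A procedure that internally runs EXEC('... ' + @Id) reintroduces the bug
    // on the database side, so review the procedure body as well.
    public static SqlCommand BuildStoredProcCommand(SqlConnection conn, int productId)
    {
        var cmd = new SqlCommand("dbo.GetProductById", conn)
        {
            CommandType = CommandType.StoredProcedure
        };
        cmd.Parameters.Add("@ProductId", SqlDbType.Int).Value = productId;
        return cmd;
    }

    // Typical code-behind use in an ASP.NET Web Forms page (connectionString
    // is assumed to come from web.config):
    //
    //   int id;
    //   if (!QueryStringLookup.TryParseId(Request.QueryString["id"], out id))
    //   {
    //       Response.StatusCode = 400;
    //       return;
    //   }
    //   using (var conn = new SqlConnection(connectionString))
    //   using (var cmd = QueryStringLookup.BuildStoredProcCommand(conn, id))
    //   {
    //       conn.Open();
    //       using (SqlDataReader reader = cmd.ExecuteReader()) { /* bind */ }
    //   }
}
```

The difference between the two query builders is not quoting discipline but where the value goes: with `SqlParameter` the provider sends the statement and the value separately, so there is no string for an attacker's quote to break out of. Validation (`TryParseId`) is a second, independent layer, not a substitute for parameters.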
This is bad not only for the developer who built the application, but even worse for any consumer/user of the application who has provided data to the site thinking it will be secure.
How to Learn More
The Microsoft Prescriptive Architecture Guidance (PAG) team has posted a number of really good security guideline documents that you should set aside some time to read. You can also find useful ASP.NET security information in this security blog post of mine, and from my ASP.

Updated: Bertrand pointed me at a great post he did two years ago on SQL Injection Attacks that is well worth reading.
This is really important to help catch the "it is just a tiny update so I'll be safe" scenario, and it provides an additional safety layer against accidentally introducing a bad security bug into your application.