Search code examples
c#asp.netsql-injectionparameterized-query

Fixing SQL injection forms in a big asp.net C# web application

I have to fix a project that is vulnerable to SQL injection.

All the forms in every page on the project do not use parametrized query but simply string query.

For example I have the search page, and looking at the code behind I see that there is a method CreateQuery() that creates the query basing on the text fields as example:

string sQuery = "";
sQuery += "b.name like '%" + txtName.Text + "%'";

Then in the btnSearch_Click() I have the method that does the query:

query = CreateQuery();
var totalList = GetAllBlaBla(query);

My question is:

Since I have hundreds of forms and thousands of formText and values to FIX, is there a "quick" solution to implement like

  1. A global function that parametrizes the query or handle the situation in some way?
  2. Since in every class the query is executed in the SubmitButton_Click() code behind method, can I handle the situation here, of course in every class?
  3. Should I modify every form and every entry in the form codebehind to parametrize the SQL string, that is gonna take one million of years?

  4. (Edit) What about Encode/Decode input values? SO that the example above will be:

    string sQuery = "";
var txt = var txt = HttpUtility.HtmlEncode(txtName.Text);
sQuery += "b.name like '%" + txt + "%'";

    Is this a possible temporary patch?

5- (Edit) Is this a possible solution, or it simply does not change anything?

        cmd.Parameters.Add("@txtNameParameter", SqlDbType.VarChar);
        cmd.Parameters["@txtNameParameter"].Value = txtName.Text;
        sQuery += "b.name like '%" + (string)cmd.Parameters["@txtNameParameter"].Value + "%'";

The problem is that I have to return a string because the logic that handles the query is defined in another business class that takes a string as a query, I cannot give it a CommandType or SqlDataAdapter...

Suggestion?

Thanks in advance.

Solution

  • You already know there is a problem; IMO, any "quick" fix here is likely to reduce the attack surface, but is not likely to prevent determined abuse; simply, blacklisting is truly hard and there are some really bizarre inputs readily available on black-hat (and, as samples, on white-hat) sites. These are not always easily recognizable as abusive. It isn't all ' drop table Customers -- ;p

    WHATEVER you do, I would advise doing it properly; parameters. Tools like dapper might reduce the code you need, though:

    sQuery += "b.name like '%'+@text+'%'"
...
conn.Execute(sQuery, new {text=txtName.Text});

    (which is easier than handling all the parameters etc manually)