Developer forum


Razor SQL Injections

Nuno Aguiar

Hi,


I've read Mikkel's answer on http://developer.dynamicweb-cms.com/forum/templates/razor-templates-connect-to-database.aspx and was wondering if the Dynamicweb.Database.SqlEscapeInjection() method was as effective as the SQL command.


Sometimes we want to update a table, and it becomes faster/easier to code with a simple user input sanitation rather than creating a SqlCommand.


Nuno


Replies

Nicolai Høeg Pedersen

Hi Nuno

You really should stick to Mikkel's recommendations. The SqlEscapeInjection() is an alternative though.

Also, Dynamicweb will scan ALL querystring and post parameters for possible SQL attacks.

BR Nicolai

Nuno Aguiar

Hi Nicolai,


Ok, we will use Mikkel's process as standard.


Just in case we need to use the other one, can you provide us with the regex applied in the SqlEscapeInjection() method? Would come in handy to provide client side validations.


Best Regards,

Nuno

Nicolai Høeg Pedersen

Hi Nuno

It is a range of different checks where this is just one of them. And there is a difference if it is a querystring or post.

Actually you do not have to use the SqlEscapeInjection() method because Dynamicweb will handle it before it comes to your code. Simply use Input.Request(), which will escape for you when appropriate.

Nicolai
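Added example (not code from the thread or from Dynamicweb): Nicolai's two replies above contrast escaping input and splicing it into the SQL text with Mikkel's SqlCommand approach. The Python script below, using only the standard sqlite3 module, runs both shapes against a constructed three-row table. The `escape_quotes()` helper is a hypothetical quote-doubling escaper standing in for escape-then-concatenate in general; it is not Dynamicweb's SqlEscapeInjection(), whose checks the thread says are not disclosed. The Users table, its columns and the two payloads are all made up for the demonstration. What it shows is that quote escaping does stop a payload inside a quoted string literal, but has nothing to escape when the input lands in an unquoted numeric position such as `WHERE Id = ...`, whereas a parameterised statement treats the value as data in both positions.

```python
import sqlite3

# Constructed sample data standing in for a CMS table that a template updates.
SAMPLE_ROWS = [(1, "alice", 0), (2, "bob", 0), (3, "carol", 1)]


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database seeded with the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Users (Id INTEGER PRIMARY KEY, Name TEXT, IsAdmin INTEGER)")
    con.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def escape_quotes(value: str) -> str:
    """Hypothetical escaper: doubles single quotes, the classic 'sanitise then concatenate' step.

    It stands in for an escape-and-splice approach in general; it is NOT Dynamicweb's
    SqlEscapeInjection(), whose exact checks the thread does not disclose."""
    return value.replace("'", "''")


def update_name_concat(con, user_id: str, new_name: str) -> int:
    """Raw string concatenation: no defence at all. Returns rows changed."""
    sql = "UPDATE Users SET Name = '" + new_name + "' WHERE Id = " + user_id
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_name_escaped(con, user_id: str, new_name: str) -> int:
    """Escape both inputs, then splice them into the statement text. Returns rows changed."""
    sql = ("UPDATE Users SET Name = '" + escape_quotes(new_name)
           + "' WHERE Id = " + escape_quotes(user_id))
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def update_name_param(con, user_id: str, new_name: str) -> int:
    """Parameterised statement: values travel separately from the SQL text, so they can
    only ever be data. This is the SqlCommand-with-parameters shape. Returns rows changed."""
    cur = con.execute("UPDATE Users SET Name = ? WHERE Id = ?", (new_name, user_id))
    con.commit()
    return cur.rowcount


def snapshot(con):
    """All rows as (Id, Name, IsAdmin) tuples, ordered by Id."""
    return con.execute("SELECT Id, Name, IsAdmin FROM Users ORDER BY Id").fetchall()


def demo() -> dict:
    results = {}

    # Attack 1: payload inside a quoted string column. Quote escaping does stop this one.
    quoted_payload = "x', IsAdmin = 1 --"
    con = make_db()
    update_name_concat(con, "1", quoted_payload)
    results["concat_admins"] = sum(r[2] for r in snapshot(con))   # every row promoted to admin
    con = make_db()
    update_name_escaped(con, "1", quoted_payload)
    results["escaped_name"] = snapshot(con)[0][1]                  # payload stored as a literal
    results["escaped_admins"] = sum(r[2] for r in snapshot(con))   # only carol, as seeded

    # Attack 2: payload in an unquoted numeric context. Quote escaping has nothing to escape.
    numeric_payload = "2 OR 1=1"
    con = make_db()
    results["escaped_numeric_rows"] = update_name_escaped(con, numeric_payload, "eve")  # all rows
    con = make_db()
    results["param_numeric_rows"] = update_name_param(con, numeric_payload, "eve")      # no rows
    results["param_names"] = [r[1] for r in snapshot(con)]

    # The parameterised form also stores the quoted payload verbatim, promoting nobody.
    con = make_db()
    update_name_param(con, "1", quoted_payload)
    results["param_name"] = snapshot(con)[0][1]
    results["param_admins"] = sum(r[2] for r in snapshot(con))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The numeric case is the one to remember: an escaper can only neutralise the characters it knows about, and `2 OR 1=1` contains none of them, so the "sanitised" value still rewrites the WHERE clause. Client-side validation of the same input, as asked about later in the thread, has the same limitation and can be bypassed by anyone who skips the browser, so it is a usability aid, not a control.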

Nuno Aguiar

Hi Nicolai,


Great, thanks for the feedback. We will take that into consideration.


Best Regards,

Nuno
