ASP.NET VERSIONS: 1.x | 2.0
Is SqlDataSource Safe?
Does Using SqlDataSource Make Your Web Site Vulnerable to SQL Injection Attacks?
By Jeff Prosise
Q: I've been playing with the ASP.NET 2.0 beta and I like the new data source controls. However, I'm concerned about security. If I use <asp:QueryStringParameter> with SqlDataSource, am I now vulnerable to SQL injection attacks, since I don't get a chance to validate query string parameters?
A: You'll be glad to know that letting SqlDataSource handle query string parameters for you does not increase your vulnerability to SQL injection attacks. Here's why:
- First, SqlDataSource uses parameterized commands internally, and parameterized commands provide one level of protection against malicious input parameters.
- Second, you can use stored procedures with SqlDataSource. Stored procedures afford similar protection against malicious input, and they can be assigned permissions that prevent the account used to access the database from doing anything but calling stored procedures.
- Third, you can still validate query string parameters if you want by validating them in Page_Init, which is called before SqlDataSource queries the database.
Used properly, SqlDataSource controls are no less secure than hand-written data access code. In fact, sometimes they're more secure, because of some developers' propensity to use dynamic SQL commands instead of parameterized commands or stored procedures.
Remember to practice other secure coding procedures, too. For example, never use the sa account (or an equivalent) to access a database from a Web app, and consider encrypting your database connection strings. A few common-sense measures like these can make life miserable for hackers.
Jeff Prosise is the author of several books, including Programming Microsoft .NET (Microsoft Press, 2002). He's also a cofounder of Wintellect (http://www.wintellect.com), a software consulting and education firm that specializes in .NET. Have a question for this column? Submit queries to [email protected].