Regular expressions on server side


Igor

I need to check some text box, but if I put a validation control then it is on
the client side and some user can change the regular expression and make SQL
injection. I need to check this string at the server side by VB or C# code. Is
it possible and how?

Thanks
 

rowe_newsgroups

I need to check some text box, but if I put a validation control then it is on
the client side and some user can change the regular expression and make SQL
injection. I need to check this string at the server side by VB or C# code. Is
it possible and how?

Thanks

Generally speaking, client-side validation is used to prevent
unnecessary posts to your server; you don't want to depend on it to
save your site from SQL injection attacks, as you've pointed out. I'm
assuming you are using the textbox you are wanting to validate
somewhere in your backend code, and where you are using it you need to
validate the input there. The classes you need for Regex validation
are in the System.Text.RegularExpressions namespace.

Thanks,

Seth Rowe [MVP]
http://sethrowe.blogspot.com/
 

Pavel Minaev

I need to check some text box, but if I put a validation control then it is on
the client side and some user can change the regular expression and make SQL
injection. I need to check this string at the server side by VB or C# code. Is
it possible and how?

ASP.NET validation controls do validation on the server; they also try
to do additional validation on the client where possible (to save a
roundtrip), but even if the user circumvents this, server-side
validation will still kick in.
 

Ignacio Machin ( .NET/ C# MVP )

I need to check some text box, but if I put a validation control then it is on
the client side and some user can change the regular expression and make SQL
injection. I need to check this string at the server side by VB or C# code. Is
it possible and how?

Thanks


Yes, it's possible.

How?
Using the very same Regex :)
As a side note, besides checking your values for incorrect entries you
should use parameterized queries:
http://aspnet101.com/aspnet101/tutorials.aspx?id=1
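Putting Seth's and Ignacio's advice together, here is an added example (not code from anyone in this thread) of a server-side check with System.Text.RegularExpressions followed by a parameterized SqlCommand; the connection string, the Users table and the UserName column are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

// Added example: validate a text box value on the server, then pass it to
// SQL Server as a parameter so it is always treated as data, never as SQL.
// "connectionString", "Users" and "UserName" are assumed names for illustration.
public static class UserLookup
{
    // Whitelist pattern: 3-20 ASCII letters, digits or underscores.
    // \z (not $) is used as the end anchor: in .NET, $ also matches just
    // before a trailing newline, so "bob\n" would otherwise pass.
    private static readonly Regex UserNamePattern =
        new Regex(@"^[A-Za-z0-9_]{3,20}\z", RegexOptions.CultureInvariant);

    public static bool IsValidUserName(string input)
    {
        return input != null && UserNamePattern.IsMatch(input);
    }

    // Call this from the page's server-side handler (e.g. a button Click
    // event) with txtUserName.Text. It runs whether or not the browser
    // executed any client-side validator.
    public static int CountUsers(string connectionString, string userName)
    {
        if (!IsValidUserName(userName))
            throw new ArgumentException("User name failed server-side validation.");

        // The SQL text is a constant; the user value never gets concatenated into it.
        const string sql = "SELECT COUNT(*) FROM Users WHERE UserName = @UserName";

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Typed, length-limited parameter: the value travels out of band
            // from the statement, so quotes or comment markers in it stay data.
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 20).Value = userName;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }
}
```

The regex rejects anything outside the whitelist before the database is touched; the parameter keeps even an accepted value from being interpreted as SQL, which is why the thread recommends doing both.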
 

Carl Daniel [VC++ MVP]

Peter said:
Use parameters in your SqlCommand and then you won't get SQL injection.

Not so. Using parameters makes it less likely that you'll suffer from SQL
injection, but it's still possible, depending on the actual SQL that's being
run. The same is true of stored procedures - using sprocs goes a long way
to preventing SQL injection, but it's not a magic bullet - even a sproc can
be subject to SQL injection depending on what it actually does (e.g. if it
makes use of sp_executesql internally).

-cd
 

Arne Vajhøj

Carl said:
Not so. Using parameters makes it less likely that you'll suffer from SQL
injection, but it's still possible, depending on the actual SQL that's being
run.

If text being assigned to a parameter is not interpreted
as a value but is interpreted as SQL, then I will consider it
a bug in the library or the database, not in the app code.

Do you have any example of the problem (that you feel you can post)?

The same is true of stored procedures - using sprocs goes a long way
to preventing SQL injection, but it's not a magic bullet - even a sproc can
be subject to SQL injection depending on what it actually does (e.g. if it
makes use of sp_executesql internally).

I would say that SP does nothing at all against SQL injection. It
is just that approx. 99.999% of SP calls are done with parameters.

Arne
 