Question

Are there global settings that prevent SQL injection and XSS? I'm using ASP.NET (Web Forms).

I know that there are some methods that can filter the special characters and put them in the parameter string.

But now I'm maintaining source that was not developed by myself, and the project is big; I don't want to change each SQL command.

<pages validateRequest="true" />

It's the web.config setting I found. Can it prevent SQL injection and XSS? Is it effective?

Thanks.


Solution

The best way to prevent SQL injection is: use parameters. Anything else is just a "maybe it'll prevent some attacks" arms race against people who can simply reflect (disassemble) the implementation to see what might make it past.

XSS is likewise best prevented by correctly encoding your outputs. Both ASPX and Razor make this easy.
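The two fixes the answer names, written out as an added example for a Web Forms code-behind (this is not code from the question's project or the answer's author). It assumes a SQL Server table dbo.Users(Id, UserName, Email), a connection string named "Main", and controls named txtUser and litResult; all of those names are hypothetical.

```csharp
// Added example, not from the original question or answer.
// Assumes a SQL Server table dbo.Users(Id int, UserName nvarchar(50), Email nvarchar(256)),
// a connection string "Main" in web.config, and a page with TextBox txtUser and Literal litResult.
// All of these names are hypothetical.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.UI;

public partial class UserLookup : Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Main"].ConnectionString;

    // BEFORE: the concatenation pattern the question hopes to keep. validateRequest="true" does
    // nothing here: a value such as   x' OR 1=1 --   contains none of the markup patterns the
    // request validator looks for, yet it turns the statement into
    //   ... WHERE UserName = 'x' OR 1=1 --'
    private DataTable FindUserVulnerable(string userName)
    {
        string sql = "SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = '" + userName + "'";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // AFTER: the same query with a parameter. The value is sent to SQL Server separately from
    // the statement text, so quotes, comment markers and keywords inside it are only data.
    private DataTable FindUser(string userName)
    {
        const string sql = "SELECT Id, UserName, Email FROM dbo.Users WHERE UserName = @userName";
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(sql, conn))
        using (var da = new SqlDataAdapter(cmd))
        {
            // Explicit type and length matching the column; avoids AddWithValue's type guessing,
            // which can defeat index use and silently truncate or convert values.
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    protected void btnSearch_Click(object sender, EventArgs e)
    {
        DataTable rows = FindUser(txtUser.Text);

        // Output encoding for XSS: HtmlEncode turns <, >, & and " (and ' from .NET 4 on) into
        // entities, so a stored value like  <script>...</script>  is rendered as text, not run.
        // In .aspx markup the equivalent is <%: user.Email %> (encoded) rather than <%= user.Email %> (raw).
        litResult.Text = rows.Rows.Count == 0
            ? "No user found."
            : HttpUtility.HtmlEncode(rows.Rows[0]["Email"].ToString());
    }
}
```

In a large code base the practical route is to grep for string concatenation feeding SqlCommand (`+ "'"`, `String.Format` into `CommandText`, `ExecuteScalar("...` and similar) and convert each site to a parameter; there is no switch that does this for you, because the server cannot tell which part of a finished SQL string was meant to be data.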

OTHER TIPS

No. This will not work to completely protect you from XSS, and definitely not SQL injection. Last I heard, Microsoft wants people to stop using this. They are using a blacklist to find any potential issues with the input. The only way to get close to preventing XSS and SQL injection is to use a whitelist.

See here: http://www.asp.net/aspnet/overview/web-development-best-practices/what-not-to-do-in-aspnet,-and-what-to-do-instead#validation

Request Validation
Recommendation: Validate user input, and encode output from users.
Request validation is a feature of ASP.NET that inspects each request and stops the request if a perceived threat is found. Do not depend on request validation for securing your application against cross-site scripting attacks. Instead, validate all input from users and encode the output. In some limited cases, you can use regular expressions to validate the input, but in more complicated cases you should validate user input by using .NET classes that determine if the value matches allowed values.
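What the quoted recommendation means by validating against allowed values, as an added example in C# (not code from the answer or from Microsoft's page). The field rules, the SortColumns list and the code-behind usage at the end are hypothetical.

```csharp
// Added example, not from the original answer or Microsoft's documentation.
// Allow-list validation: decide what each field may contain and reject everything else.
// Request validation (the validateRequest setting in the question) works the other way round:
// it looks for a fixed set of suspicious patterns, such as "<" followed by a letter, and lets
// everything else through, including  ' OR 1=1 --  which contains none of those patterns.
using System;
using System.Globalization;
using System.Text.RegularExpressions;

public static class InputRules
{
    // Usernames: 3-32 characters from an explicit set. Anchored with ^ and $ so that a valid
    // prefix followed by anything else fails. Character classes are spelled out rather than \w,
    // because \w in .NET is Unicode-aware and admits far more than ASCII letters and digits.
    private static readonly Regex UserNameRule =
        new Regex(@"^[A-Za-z0-9._-]{3,32}$", RegexOptions.CultureInvariant);

    public static bool TryGetUserName(string raw, out string userName)
    {
        userName = null;
        if (raw == null) return false;
        string candidate = raw.Trim();
        if (!UserNameRule.IsMatch(candidate)) return false;
        userName = candidate;
        return true;
    }

    // Numeric ids: parse into the type the column actually has, with a fixed culture and no
    // sign or whitespace allowed. "42 OR 1=1" is rejected before any SQL is built.
    public static bool TryGetId(string raw, out int id)
    {
        return int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out id) && id > 0;
    }

    // Fixed vocabulary: map the user's choice onto a value you own. Needed for things like
    // ORDER BY or a table name, which cannot be passed as SQL parameters.
    private static readonly string[] SortColumns = { "UserName", "Email", "Created" };

    public static bool TryGetSortColumn(string raw, out string column)
    {
        column = Array.Find(SortColumns, c => string.Equals(c, raw, StringComparison.Ordinal));
        return column != null;
    }
}

// Usage from a code-behind (control and parameter names hypothetical):
//
//   int id;
//   if (!InputRules.TryGetId(Request.QueryString["id"], out id))
//   {
//       Response.StatusCode = 400;   // reject; do not "clean up" and continue
//       Response.End();
//   }
//   cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;   // validated AND parameterised
```

Validation and parameterisation are complementary, not alternatives: validation stops nonsense from reaching the database and lets you give a useful error, while parameters guarantee that whatever does reach it is treated as data. Output encoding then covers the values coming back out, including ones written by other applications that never went through this code.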

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow