Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/sql injection?
Are there any thoroughly tested .NET libraries out there to sanitize input from things
Share
Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Are there any thoroughly tested .NET libraries out there to sanitize input from things like script/sql injection?
SQL injection and Cross-Site Scripting (a.k.a. XSS or Script Injection) are different problems.
1) SQL Injection is very easy, always use parametrized queries (SQLParameter) and try really hard to NEVER do sp_exec @query within T-SQL stored procedures. .Net parametrized queries will not protect against this second order injection.
2) XSS is more difficult to universally mitigate since there are so many places that JavaScript can be inserted into HTML documents. The recommendations to use AntiXSS for encoding user data is right on. Use this library before inserting user data into output documents. Unfortunately, if you are using ASP.Net server controls encoding all data may lead to double-encoding and display artifacts. This happens because some control properties encode data while others don’t. Refer to this table to find out the properties encoded by default. Use Anti-XSS before assigning to any properties that don’t encode.