For email entry in a text box by the user I am doing a client side check, to find whether the email is valid or not:
string emailexist = "SELECT COUNT(DISTINCT UserID) as count FROM tbl_user WHERE Email=@Email ";
<asp:RegularExpressionValidator ID="RegularExpressionValidator2" ValidationGroup="Login" ControlToValidate="txtUserName"
ValidationExpression="\w+([-+.]\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*" CssClass="Error"
runat="server" />
Is this regular expression good enough to prevent SQL injection for email?
Other Text:
string groupExistQuery = "SELECT COUNT(DISTINCT GroupID) as count FROM tbl_group WHERE GroupName=@GroupName";
I am doing a query on the server side to check whether the group name entered by the user is already available in the database; there is a strong possibility of SQL injection here. How should I prevent it?
A regex is unrelated to SQL injection (blacklisting etc. is never the strongest approach); however, the use of the parameter
@Email means (assuming it remains parameterised) that it is not susceptible to SQL injection. SQL injection relates to inappropriate concatenation of input; the main tool to fight it is parameters, which has already happened here.
For example, if you did:
then that is heavily susceptible to SQL injection. By using a parameter, the value is not treated as part of the query, so the attacker does not have an attack vector.
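To make the contrast in the answer concrete for both queries in the question, here is an added C# example (not code from the original question or answer). It assumes a SQL Server database containing the `tbl_user` and `tbl_group` tables named in the question and a connection string supplied by the caller; the class and method names are hypothetical. The first method shows the concatenation pattern the answer warns against; the other two show the parameterised form the question already uses, with the parameter type and length declared explicitly.

```csharp
// Added example, not from the original page. Assumes SQL Server, the
// question's tbl_user / tbl_group tables, and a caller-supplied connection
// string. Class and method names are hypothetical.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ExistenceChecks
{
    // VULNERABLE pattern, shown for contrast only: the user-supplied value is
    // spliced into the SQL text, so whatever the user typed becomes part of
    // the query grammar. A single quote in the input changes the statement's
    // structure, and no client-side regex can be relied on to stop that,
    // because client-side checks can be skipped entirely.
    public static int CountUsersByEmailUnsafe(string connectionString, string email)
    {
        string sql = "SELECT COUNT(DISTINCT UserID) AS count FROM tbl_user WHERE Email='"
                     + email + "'";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // SAFE: the SQL text is a constant. The value travels to the server as a
    // typed parameter and is never parsed as SQL, whatever characters it holds.
    public static int CountUsersByEmail(string connectionString, string email)
    {
        const string sql =
            "SELECT COUNT(DISTINCT UserID) AS count FROM tbl_user WHERE Email=@Email";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Declaring type and length (rather than AddWithValue) keeps the
            // parameter's SQL type stable and bounds the accepted input size.
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 256).Value = email;
            conn.Open();
            return (int)cmd.ExecuteScalar();
        }
    }

    // Same pattern for the group-name check from the question.
    public static bool GroupNameExists(string connectionString, string groupName)
    {
        const string sql =
            "SELECT COUNT(DISTINCT GroupID) AS count FROM tbl_group WHERE GroupName=@GroupName";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@GroupName", SqlDbType.NVarChar, 100).Value = groupName;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The parameterised methods are the ones to keep; the unsafe one exists only to show the shape of the concatenation the answer describes. The `RegularExpressionValidator` in the question is still useful for rejecting malformed addresses, but treat it as a format check, not an injection defence, and confirm `Page.IsValid` on the server before running either query, since the client-side validation can be bypassed.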