I have a boolean variable value stored in an SQL Server database. This is presented to end users as a checkbox on an ASP.NET webpage. Toggling the checkbox naturally updates the value in the database.
I was about to remove the SQL query that is written in plain text in the C# code behind and replace it with a stored procedure in order to improve security by protecting against SQL injection attacks. My understanding of injection attacks is limited, but surely one could not trigger an attack from an unsecured checkbox input? Or could one?
Well, as a rule you should always use stored procedures or parameterized SQL. Can you do it through the clicking of a checkbox? Really, it all depends on how the code is written. On the surface, I would say no, but there are a large number of possibilities that could affect this.
Remember, the page, when it posts, is sending essentially a text value to the server. Someone could send a SQL injection attack instead of the checkbox value. Now ASP.NET is pretty good at handling this, but that doesn't mean that if the code is written to bypass the ASP.NET checking etc. etc. that it couldn't happen.
The one thing I've learned about programming is that every time I think "This can't be done", I am generally proven wrong. I always take the safest route concerning security.
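As an added illustration (not code from the question or the answer above), here is the pattern the answer warns about beside the parameterized form. It assumes a hypothetical `Items` table with an `IsEnabled` bit column and an integer `ItemId`; the point is that the posted checkbox value arrives as an arbitrary string, and only the parameterized version keeps that string out of the SQL text.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class CheckboxUpdater
{
    // Vulnerable pattern: the raw posted form value (a string, whatever the
    // browser or client chose to send) is spliced straight into the statement.
    public static string BuildUnsafeSql(int itemId, string postedValue)
    {
        return "UPDATE Items SET IsEnabled = " + postedValue
             + " WHERE ItemId = " + itemId;
    }

    // Hardened pattern: parse the posted text into a bool first, then bind it
    // as a typed parameter. SQL Server compiles the statement text separately
    // from the values, so the client string can never change the query shape.
    // (Table and column names are assumptions for this example.)
    public static void UpdateEnabled(string connectionString, int itemId, string postedValue)
    {
        if (!bool.TryParse(postedValue, out bool isEnabled))
            throw new ArgumentException("Checkbox value must be 'true' or 'false'.");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = conn.CreateCommand())
        {
            cmd.CommandText = "UPDATE Items SET IsEnabled = @enabled WHERE ItemId = @id";
            cmd.Parameters.Add("@enabled", SqlDbType.Bit).Value = isEnabled;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = itemId;
            // A stored procedure call uses the same typed parameters:
            // cmd.CommandType = CommandType.StoredProcedure; cmd.CommandText = "usp_SetItemEnabled";
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

The `bool.TryParse` step is the server-side check the answer alludes to: the checkbox control only ever produces true/false, but code that reads the form value directly must not assume that.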