This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 6%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESR%3C/text%3E%3C/svg%3E)
How can I avoid SQL injection attacks in my ASP.NET application?
I have a master page and child pages for my project.
Thanks
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 36%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELH%3C/text%3E%3C/svg%3E)
Hi @Sana, Ramesh,
Are there any updates on this issue? I am glad to help if you have any other questions.
You should avoid construction queries with values; instead, use SQL Parameterization or Stored Procedure with parameterization. It also helps to create optimized query plans for better performance.
Here is some samples: https://www.c-sharpcorner.com/article/best-practices-to-prevent-sql-injection/
Hi @Sana, Ramesh,
You can pay attention to the following points:
Best regards,
Lan Huang
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 46%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAK%3C/text%3E%3C/svg%3E)
You have some great answers.
At the most base level?
Well, you can in code risk so called "in line" SQL statements. However, in "any" case in which ANY of that SQL used involves ANY kind of user input?
Then no chances are to be taken in such cases, and you can't use "string" concatenations in code for your SQL. Follow the above simple rule, and you covered 99% of SQL injection cases.
So, for example, say we have a simple gridview, and the user is to click on a button. (to select the row, maybe view that one record).
Can you risk SQL concatenation in that case? Well, yes, you actually can, providing you use 100% server side code for that row click, and don't pull or use any user input for the database ID value you use in this example.
So, don't ever take user input, and use with SQL statements as concatenated "strings" code.
Else you risk this: