How to secure a query string against injection attacks

shahab

I have used many query strings in my web site, and now I want to secure them all.
Is it enough to secure all of them in this way:
Show Me Some Code Already!
Implementing a secure query string is simple, and works almost identically to any other NameValueCollection. The following code simply instantiates the SecureQueryString object and adds a couple of parameters to it.

// Create the queryString object
SecureQueryString qs = new SecureQueryString();
// Add name/value pairs.
qs["Name"] = "TSHAK";
qs["SSN"] = "000-00-0000";

Now let’s generate a URL with your name/value pairs encrypted. To do this, we simply call the ToString() method:

string url = "DestPage.aspx?x=" + qs.ToString();

You’ll see that I used the query string parameter “x”. You can name any parameter that you like, or not use a named parameter at all. I used the “x” for illustration purposes.

Now that we’ve generated the URL, we need a way to retrieve the values from the receiving page. Because the values are encrypted, we can no longer use the Request object to pull our values. Fortunately, as shown in the code snippet below, the process is very similar:

// Simply pass the encrypted string into the constructor
SecureQueryString qs = new SecureQueryString(Request["x"]);
// Now access the NameValueCollection
string Name = qs["Name"];
string SSN = qs["SSN"];

By Tim Shakarian
Originally Published: 1/12/2004
is there any other aspect? :)
 
I have a question...

What are you trying to secure against?

- People seeing what the values are?
- People changing the QueryString to try to cause damage?

On another note, where is this page talking about "SecureQueryString"? I do have a need for something like that (but just for disguising what's on the QueryString).

For attacks though: always, always, always check the data you are pulling from there; never, ever "trust" anything a user can change....
 
a.aspx?id=3 or something like that!
The best way to secure them is to move all your SQL into stored procedures... can you do that?
Securing a query string, does it need an SP? For a login page it is useful, but how can I use SPs for a QS?
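As an added example, not code from this thread or from Tim Shakarian's article: the a.aspx?id=3 case handled the way the replies above suggest, validating the value first and then passing it to SQL as a parameter. It assumes an ASP.NET Web Forms page with a Label control named TitleLabel, a connection string named "Main" in web.config, and a hypothetical stored procedure dbo.GetArticleById.

```csharp
// Added example (not from the thread or the quoted article).
// Assumed stored procedure (hypothetical):
//   CREATE PROCEDURE dbo.GetArticleById @Id INT AS
//     SELECT Title FROM dbo.Articles WHERE Id = @Id;
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public partial class A : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Validate. The query string is user-controlled, so check its shape
        //    before it goes anywhere near SQL: "3" parses, "3 OR 1=1" does not.
        int id;
        if (!int.TryParse(Request.QueryString["id"], out id) || id <= 0)
        {
            throw new HttpException(400, "id must be a positive integer");
        }

        // 2. What NOT to do: building the statement from the raw value, so that
        //    any text appended to id becomes part of the statement itself.
        //    string sql = "SELECT Title FROM Articles WHERE Id = " + Request["id"];

        // 3. Parameterised call. The value travels as typed data (@Id, INT) and
        //    can never be interpreted as SQL text. A stored procedure or inline
        //    SQL ("SELECT Title FROM dbo.Articles WHERE Id = @Id") both work.
        string cs = ConfigurationManager.ConnectionStrings["Main"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand("dbo.GetArticleById", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            conn.Open();
            object title = cmd.ExecuteScalar();

            // Encode on output too: an untrusted value echoed back into HTML
            // is the same "never trust" rule applied in the other direction.
            TitleLabel.Text = title == null
                ? "Not found"
                : HttpUtility.HtmlEncode(title.ToString());
        }
    }
}
```

A stored procedure only helps when it takes the value as a parameter; one that assembles its statement with EXEC on a concatenated string is as exposed as inline SQL.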
 