
Eliminating SQL Injection...

Friday, 08 September 2006


posted on Saturday, July 10, 2004 8:06 PM

Read on Stefan Demetz's blog about a movement afoot to lobby Microsoft to change how textboxes allow passed-in data (see here for the comment). Sorry, but I think this is a plain awful idea and is very reminiscent of the horrible RequestValidation nonsense introduced in .NET 1.1. I am in favour of a simple method of encrypting and validating QueryString input such as the one presented here (apart from the fact that it used 3DES - DO NOT DO THIS! 3DES is MUCH slower and not as secure as AES). So what's my problem with changing the default behaviour of input controls? Simple, three things:

  1. If it happens, this will likely be implemented in such a way that it breaks existing applications (this also happened with 1.1, and as a result there are still a few apps running 1.0 out there).
  2. If it is done, it would have to be totally bulletproof; otherwise every app would rely on a single security mechanism, which is so NOT a good idea!
  3. Abdication of responsibility by developers. If this were done so that it had to be explicitly enabled, either in web.config or at page level, I would be much happier. Put simply, I prefer that developers know what's happening in their code and are therefore more likely to be aware of any issues surrounding it.
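To make the objection concrete, here is an added example (not code from the post) contrasting the two ways an application can handle the text a textbox hands it. A control-level quote filter, in the spirit of the proposal above, mangles legitimate data and is not a fix for injection; the only mechanism that actually keeps user text from being parsed as SQL is a bound parameter. The table, the sample rows and the `strip_quotes` filter are all constructed for the example and use SQLite purely so it runs offline.

```python
import sqlite3

# Constructed sample data for this example (not from the post). The second
# name contains an apostrophe, which is legitimate data a quote filter breaks.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("O'Brien", "obrien@example.com"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_email_concat(conn, name):
    """Vulnerable form: the user-supplied text is spliced into the SQL string,
    so the database parses it as SQL rather than treating it as a value."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_param(conn, name):
    """Hardened form: a bound parameter is sent to the driver separately from
    the statement text, so it can never change the statement's structure."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def strip_quotes(name):
    """A control-level filter in the spirit of the proposal the post objects to:
    it mangles legitimate input (O'Brien becomes OBrien) and is not a fix."""
    return name.replace("'", "")


def concat_breaks_on_quote(conn, name):
    """True when the concatenated query fails to parse for this input, i.e. the
    input has altered the SQL text; the same flaw an injection relies on."""
    try:
        find_email_concat(conn, name)
    except sqlite3.Error:
        return True
    return False
```

Run against the sample rows, the concatenated query cannot even look up `O'Brien` (the apostrophe terminates the SQL string), while the parameterised query returns the right row; filtering the quote out first makes the lookup silently miss, which is the "breaks existing applications" failure from point 1. The lesson matches the post: defence belongs in the data-access code the developer can see, not in a default the control applies behind their back.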

Oh, and Microsoft, if you do do this, don't do it like ViewState, where you hardcode 3DES encryption with no way of replacing your implementation; at least make it a Provider!
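The post favours explicitly validating QueryString input and swapping the cipher out rather than hard-wiring it. As an added example (not code from the post or from the linked article), this is the validation half of that idea: each URL carries an HMAC-SHA256 tag over its canonical parameters, and the server rejects any request whose parameters no longer match the tag. The key, the parameter names and the `sig` field name are constructed for the example; a real application would load the key from configuration so the implementation can be replaced, which is the Provider point above. Encrypting the parameters as well (with AES, as the post recommends over 3DES) would add confidentiality on top and needs a library this standard-library-only example does not use.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed key for the example; load it from configuration in a real app.
SECRET_KEY = b"example-key-not-for-production"
SIG_FIELD = "sig"  # constructed name for the tag parameter


def _tag(canonical: str) -> str:
    """URL-safe, unpadded base64 of HMAC-SHA256 over the canonical query text."""
    digest = hmac.new(SECRET_KEY, canonical.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def sign_query(params: dict) -> str:
    """Serialise params in a canonical (sorted) order and append the tag."""
    canonical = urlencode(sorted(params.items()))
    return canonical + "&" + SIG_FIELD + "=" + _tag(canonical)


def verify_query(query: str):
    """Return the validated parameters, or None if the tag is missing, the
    parameters were altered, or a parameter was duplicated after signing."""
    parsed = parse_qs(query, keep_blank_values=True)
    sig = parsed.pop(SIG_FIELD, [])
    # Exactly one tag and exactly one value per key, otherwise reject outright.
    if len(sig) != 1 or any(len(values) != 1 for values in parsed.values()):
        return None
    params = {key: values[0] for key, values in parsed.items()}
    expected = _tag(urlencode(sorted(params.items())))
    # Constant-time comparison so timing does not leak how much of the tag matched.
    if not hmac.compare_digest(expected, sig[0]):
        return None
    return params
```

Because the server recomputes the tag from the parameters it actually received, editing a value, dropping the tag, or appending a second copy of a parameter all fail verification; the developer sees exactly where that check happens in their own code, which is the explicit model the post argues for.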


© 2025 Scott Galloway — Unlicense — All content and source code on this site is free to use, copy, modify, and sell.