I have been working with some private web services for the last few months, and the project built around them is finally coming together.
The last thing I am looking into is SQL injection. The web services wrap a database and I have nothing to do with how the SQL is built, so what can I do?
I can check with the developers of the web services that they do in fact guard against SQL injection (in practice, that the service binds each user value as a query parameter rather than splicing it into the SQL text), but I can also do my own checks on the client so the services do not waste time on bogus queries.
To do this I run a Regex over the text of my textbox controls, and rather than blocking certain characters I specify what I will allow; anything else gets removed.
Here are a couple of basic quick checks for the name, email and phone textboxes.
```csharp
using System.Text.RegularExpressions;

// Name: keep letters and digits only (spaces, hyphens and apostrophes are stripped too).
string cleanName = Regex.Replace(nameTB.Text, "[^A-Za-z0-9]+", "");
// Email: letters, digits, @ and . only (note that +, - and _ are legal in addresses but are stripped here).
string cleanEmail = Regex.Replace(emailTB.Text, "[^A-Za-z0-9@.]+", "");
// Phone: digits only (a leading + and any spaces are stripped).
string cleanPhone = Regex.Replace(phoneTB.Text, "[^0-9]+", "");
```
That is pretty much it. Put anything other than upper- and lower-case letters and digits into the name textbox and it is removed; email is the same but also allows periods and @ symbols; and for phone we simply allow only digits. Two caveats are worth keeping in mind. Stripping silently alters input a real user may have typed (an apostrophe in a surname, a + in an email address, a leading + on an international number), so consider rejecting non-matching input with an anchored pattern and Regex.IsMatch instead of quietly changing it. And because these checks run in the client, anyone calling the web services directly bypasses them, so they complement, rather than replace, parameterised queries on the service side.
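The same three allowlists applied as anchored validation (accept or reject the whole string) next to the strip-and-continue approach above, as an added example that is not code from the original post. The length limits (64, 254 and 15 characters), the local@domain shape of the email pattern and the sample inputs are assumptions made for the example.

```csharp
// Added example, not code from the original post. Applies the post's three
// allowlists as anchored validation alongside the post's stripping approach so
// the difference on legitimate and on suspicious input is visible.
// Assumptions: length limits (64, 254, 15) and the local@domain email shape.
using System;
using System.Text.RegularExpressions;

public static class InputAllowlist
{
    // Anchors (^ ... $) make the whole input match, not just a substring of it.
    private static readonly Regex NamePattern  = new Regex(@"^[A-Za-z0-9]{1,64}$");
    private static readonly Regex EmailPattern = new Regex(@"^[A-Za-z0-9.]{1,64}@[A-Za-z0-9.]{1,189}$");
    private static readonly Regex PhonePattern = new Regex(@"^[0-9]{6,15}$");

    // Validation: return true only when the entire string is within the allowlist.
    public static bool IsValidName(string s)  => s != null && NamePattern.IsMatch(s);
    public static bool IsValidEmail(string s) => s != null && EmailPattern.IsMatch(s);
    public static bool IsValidPhone(string s) => s != null && PhonePattern.IsMatch(s);

    // The post's approach, for comparison: remove anything outside the allowlist.
    public static string StripName(string s)  => Regex.Replace(s ?? "", "[^A-Za-z0-9]+", "");
    public static string StripEmail(string s) => Regex.Replace(s ?? "", "[^A-Za-z0-9@.]+", "");
    public static string StripPhone(string s) => Regex.Replace(s ?? "", "[^0-9]+", "");

    public static void Main()
    {
        // Constructed sample inputs: one clean value, one legitimate value the
        // allowlist does not cover, and one carrying a quote and comment marker.
        string[] names  = { "Alice", "O'Brien", "Bob'--" };
        string[] emails = { "bob@example.com", "first.last+tag@example.com", "x@y.z'--" };
        string[] phones = { "02079460958", "+44 20 7946 0958", "123'--" };

        foreach (var n in names)
            Console.WriteLine($"name  {n,-28} valid={IsValidName(n),-5} stripped={StripName(n)}");
        foreach (var e in emails)
            Console.WriteLine($"email {e,-28} valid={IsValidEmail(e),-5} stripped={StripEmail(e)}");
        foreach (var p in phones)
            Console.WriteLine($"phone {p,-28} valid={IsValidPhone(p),-5} stripped={StripPhone(p)}");
    }
}
```

Running it shows the trade-off: "O'Brien" is stripped to "OBrien" and "first.last+tag@example.com" to "first.lasttag@example.com", both of which would be stored without the user ever knowing, whereas the validating versions reject them and let the form say why. The inputs carrying a quote are rejected outright rather than quietly trimmed. Whichever approach the client uses, the value still has to be bound as a query parameter by the web service, since the service can be called without this form in front of it.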