Regex SQL Injection Protection in CSharp

I have been working with some private web services for the last few months and the project based around them is finally coming together.

However, the last thing I am looking into is SQL injection. The web services wrap around a database and I have nothing to do with the formatting of the SQL, so what do I do?

Well, I check with the developers of the web services to make sure that they do in fact check for SQL injection, but I can go further and do my own checks to stop the services wasting time on bogus queries.

To do this I use Regex to check the text in my textbox controls, and rather than blocking certain characters I specify what I will allow; anything else gets removed.

So here are a couple of basic quick checks for the name, email and phone textboxes.

using System.Text.RegularExpressions;

// Allow only letters and digits in the name; every other character is stripped.
string cleanName = Regex.Replace(nameTB.Text, "[^A-Za-z0-9]+", "");

// Allow letters, digits, '@' and '.' in the email address. (A '^' that is not in the
// first position of a character class is a literal caret, so "[^A-Za-z0-9^@^.]" would
// also let '^' through; the class below contains only the intended characters.)
string cleanEmail = Regex.Replace(emailTB.Text, "[^A-Za-z0-9@.]+", "");

// Allow only digits in the phone number.
string cleanPhone = Regex.Replace(phoneTB.Text, "[^0-9]+", "");

That is pretty much it. Put anything other than upper and lower case letters and numbers into the name text box and it will be removed; for email it is the same but periods and @ symbols are also allowed, and for phone we simply allow only numbers.
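As an added example (not the post's own code), the following console program packages the three allowlist checks into a reusable class and runs them over some constructed inputs. The class name, the sample values, the 100 ms match timeout and the extra "shape" check for the email address are all my assumptions; the allowlists themselves are the ones given above. It also keeps the email class exactly as the post originally wrote it, so you can see why the stray carets matter. Filtering the characters this way is a defence-in-depth measure on the client side; the service that actually builds the SQL still has to use parameterised queries.

```csharp
using System;
using System.Text.RegularExpressions;

// Hypothetical class name and sample data (added example, not the post's own code).
static class InputAllowlist
{
    // Each pattern matches a run of characters that is NOT in the allowlist;
    // Replace removes those runs. The patterns are compiled once and given a
    // match timeout so an unusually long input cannot hold a request thread.
    static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(100);
    static readonly Regex NotNameChar  = new Regex("[^A-Za-z0-9]+",   RegexOptions.Compiled, MatchTimeout);
    static readonly Regex NotEmailChar = new Regex("[^A-Za-z0-9@.]+", RegexOptions.Compiled, MatchTimeout);
    static readonly Regex NotPhoneChar = new Regex("[^0-9]+",         RegexOptions.Compiled, MatchTimeout);

    // The post's original email class, kept as written. Inside a character class a '^'
    // that is not in the first position is a literal caret, so this one lets '^' through.
    static readonly Regex NotEmailCharOriginal = new Regex("[^A-Za-z0-9^@^.]+", RegexOptions.Compiled, MatchTimeout);

    // Structural check applied after filtering (assumed pattern): the allowlist only says
    // which characters may appear, not that they form a plausible address.
    static readonly Regex EmailShape = new Regex(@"^[A-Za-z0-9.]+@[A-Za-z0-9.]+\.[A-Za-z]{2,}$", RegexOptions.Compiled, MatchTimeout);

    public static string CleanName(string input)  => NotNameChar.Replace(input ?? "", "");
    public static string CleanEmail(string input) => NotEmailChar.Replace(input ?? "", "");
    public static string CleanPhone(string input) => NotPhoneChar.Replace(input ?? "", "");
    public static bool LooksLikeEmail(string cleaned) => EmailShape.IsMatch(cleaned);

    static void Main()
    {
        // Constructed inputs: a normal value, a value containing characters that have
        // meaning in SQL, and a value showing what the allowlist discards as a side effect.
        string[] names  = { "Alan", "O'Brien; -- note", "Jean Luc" };
        string[] emails = { "alan@example.com", "alan'@example.com", "a^b@example.com", "@@.." };
        string[] phones = { "0123456789", "+44 (0)123 456-789", "123; 456" };

        foreach (var n in names)
            Console.WriteLine($"name  {n,-20} -> {CleanName(n)}");

        foreach (var e in emails)
        {
            string cleaned = CleanEmail(e);
            Console.WriteLine($"email {e,-20} -> {cleaned,-18} shape ok: {LooksLikeEmail(cleaned),-5} " +
                              $"original class gives: {NotEmailCharOriginal.Replace(e, "")}");
        }

        foreach (var p in phones)
            Console.WriteLine($"phone {p,-20} -> {CleanPhone(p)}");
    }
}
```

Three things the output makes visible: the original email class returns "a^b@example.com" unchanged while the corrected class drops the caret; "@@.." survives the character allowlist but fails the shape check, which is why stripping characters is not the same as validating the field; and "Jean Luc" comes back as "JeanLuc", a reminder that a strict name allowlist silently alters legitimate input, so it is worth telling the user what was changed rather than submitting the altered value quietly.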



Published by

Alan Feekery

Developer, Gamer, Musician, Cyclist and big Motorsport fan... enjoys the odd cup of coffee :)
