U
U
User992021-01-16 15:14:31
ASP.NET
User99, 2021-01-16 15:14:31

How to protect against SQL injection in asp.net core? do I write correctly?

Today I thought, am I writing correctly, am I accessing the database correctly?
ASP.NET Core
Language: C#
DB: Postgresql
using npgsql, Dapper

1) I create a table model

public class Users
    {
        public int userid { get; set; }
        public int orgid { get; set; }
        public string login { get; set; }
        public string pass { get; set; }
        public string role { get; set; }
        public string m_product_coming { get; set; }
        public string m_product_realization { get; set; }
        public string m_analytics { get; set; }
    }


2) I create repositories
public interface IUsersRepository<T> where T:BaseEntity
    {
        Task New(T add);
        Task Delete(int id);
        Task Update(T edit);
        Task<IList<T>> ShowAll(int orgid);
    }


public class ReposUsers:IUsersRepository<Users>
    {
        private string connectionString;

        public ReposUsers(IConfiguration configuration)
        {
            connectionString = configuration.GetValue<string>("DBInfo:ConnectionString");

        }

        internal IDbConnection Connection
        {
            get
            {
                return new NpgsqlConnection(connectionString);
            }
        }

        public async Task Delete(int id)
        {
            using(IDbConnection dbConnection = Connection)
            {
                await dbConnection.ExecuteAsync("DELETE FROM users WHERE [email protected]", new { id = id });
                dbConnection.Dispose();
            }
        }

        public async Task New(Users add)
        {
            using(IDbConnection dbConnection = Connection)
            {
                await dbConnection.ExecuteAsync("INSERT INTO users " +
                    "(login,pass,role,m_product_coming,m_product_realization,m_analytics,orgid) VALUES " +
                    "(@login,@pass,@role,@m_product_coming,@m_product_realization,@m_analytics,@orgid)", add);
                dbConnection.Dispose();
            }
        }

        public async Task<IList<Users>> ShowAll(int orgid)
        {
           using(IDbConnection dbConnection = Connection)
            {
                var model = (await dbConnection.QueryAsync<Users>("SELECT * FROM users WHERE [email protected]",new { orgid = orgid })).ToList();
                dbConnection.Dispose();
                return model;
            }
        }

        public async Task Update(Users edit)
        {
            using (IDbConnection dbConnection = Connection)
            {
                await dbConnection.ExecuteAsync("UPDATE users SET" +
                    "[email protected],[email protected],[email protected],[email protected]_product_coming," +
                    "[email protected]_product_realization,[email protected]_analytics WHERE [email protected]", edit);
                dbConnection.Dispose();
            }
        }
    }



Question:
Am I doing the right thing?
Are there any mistakes?
How can you protect yourself from an injection?
For example, in php they escaped the form entered by the user, for example, htmlspecialchars, is it necessary to do the same on net core?

Answer the question

In order to leave comments, you need to log in

1 answer(s)
V
Vasily Bannikov, 2021-01-16
@vabka

At first on points as you do:
1. Crooked naming. Dapper allows you to map column names to property names.
2. Looks OK, but it's worth breaking the interface. Tk, most likely, not all entities will need all these methods.
Naming is not ok.
dbConnection is worth reusing.
You don't need to write dbConnection.Dispose by hand, because dbConnection is already wrapped in using
SELECT * it's better not to use

Am I doing the right thing?

Not really
Are there any mistakes?

There is
How can you protect yourself from an injection?

Validate input.
Not sure if dapper checks parameters itself, but you are using parameterized queries - so should be ok.
If anything, you can try to inject yourself (make a request yourself or through the burp suite)
For example, in php they escaped the form entered by the user, for example, htmlspecialchars, is it necessary to do the same on net core?

Dapper should do it himself.

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question