🛡️ Security in .NET: Defeating SQL Injection

-

If XSS is an attack on your users, SQL Injection (SQLi) is an attack on your core data.

SQL Injection occurs when an attacker tricks your database into executing unintended commands by injecting SQL syntax into input fields.

In this final chapter of our security series, we ensure the data layer remains fully protected.

1️⃣ The Golden Rule of Database Security

The only truly reliable defense against SQL Injection is Parameterization.

Parameterized queries clearly separate:

  • SQL Command Structure
  • User Input Data

The database engine treats parameters strictly as values — never as executable SQL.

Even if an attacker enters malicious input such as: 

DROP TABLE Users

it will be stored as text instead of executed.

2️⃣ EF Core: The Common "Interpolation Trap"

Many developers assume EF Core automatically prevents SQL Injection in all scenarios.

While LINQ queries are safe by default, misuse of Raw SQL methods can reintroduce vulnerabilities.

❌ Dangerous Approach: FromSqlRaw

Using string interpolation inside FromSqlRaw builds a dynamic SQL string that can be manipulated. 

// DANGEROUS: vulnerable to SQL Injection
var user = context.Users
    .FromSqlRaw($"SELECT * FROM Users WHERE Email = '{userInput}'")
    .FirstOrDefault();

Here, the input becomes part of the SQL command itself.

✅ Secure Approach: FromSqlInterpolated

Use FromSqlInterpolated whenever dynamic values are required. 

// SAFE: EF Core automatically parameterizes input
var user = context.Users
    .FromSqlInterpolated($"SELECT * FROM Users WHERE Email = {userInput}")
    .FirstOrDefault();

Although the syntax looks similar, EF Core internally converts the value into a database parameter.

This prevents malicious SQL from being executed.

3️⃣ Dapper & Manual SQL

Dapper is popular for performance-critical scenarios.

Because SQL strings are written manually, developers must explicitly use parameters.

✅ Correct Dapper Pattern

var sql =
    "SELECT * FROM Products WHERE CategoryId = @CatId";

var products =
    connection.Query<Product>(
        sql,
        new { CatId = userInput }
    );

Dapper ensures that @CatId is passed as a parameter value rather than concatenated into SQL.

4️⃣ Defense in Depth: Database Least Privilege

Even secure code should not rely on excessive database permissions.

Apply the Principle of Least Privilege:

  • ❌ Avoid using sa or db_owner
  • ✅ Grant only required permissions
  • 🛡️ Limit potential damage from unexpected vulnerabilities

Recommended permissions for application database users:

Permission Status
SELECT Allowed
INSERT Allowed
UPDATE Allowed
DELETE Allowed
DROP Not allowed
ALTER Not allowed
TRUNCATE Not allowed

Even if an injection vulnerability exists, restricted permissions prevent attackers from destroying your schema.

📊 The Complete "Fort Knox" Security Stack

A secure .NET application protects every layer of the architecture:

Layer Threat Solution
Input XSS (Malicious Scripts) HtmlSanitizer + JsonConverter
Browser Data Leakage / Script Execution CSP Headers Middleware
Pipeline Error Handling / Response Consistency ResponseWrapperMiddleware
Availability DoS / Brute Force .NET 8 Rate Limiting
Data SQL Injection Parameterization + Least Privilege

🏁 Final Series Thoughts: Security is an Architecture

Security is not something added at the end of development.

It is an architectural decision made at the beginning of a project.

By implementing layered protections, your system becomes:

  • Resilient
  • Predictable
  • Maintainable
  • Production-ready
🛡️ Final Pro Tip Use ResponseWrapperMiddleware to catch SqlException. Never expose raw database errors such as: 
Table 'Users' not found
Instead:
  • Log detailed error information internally
  • Return a generic message to the client
Example message: 
An internal error occurred

Comments

Post a Comment

Popular posts from this blog

Promises in Angular

-
🚀 Promises in Angular – The Complete Beginner’s Guide (with Examples) 📘 Introduction In modern Angular development, handling asynchronous operations is essential. Whether you're fetching data from an API, loading files, or wrapping browser-native APIs, Promises offer a clean and readable way to deal with one-time asynchronous operations. This guide explains: What Promises are How they compare with Observables Real-world examples using .then() and async/await When to use Promises vs Observables in Angular 📚 Table of Contents 🔍 What is a Promise? 🔁 Promise Lifecycle ✨ Key Features 📌 Syntax 💻 Example 1: Fetch 💻 Example 2: setTimeout 📊 Promises vs Observables 🎯 When to Use Promises 📦 Angular Service Example 🔄 Observable vs Promise ❓ FAQ ✅ Summary 🔍 What is a Promise? A Promise is a JavaScript object that represents the eventual success (fulfilled) or failure (rejected) of an asynchronous operation. 📌 Com...
Read more

Debouncing & Throttling in RxJS: Optimizing API Calls and User Interactions

-
RxJS Debounce vs Throttle in Angular – Best Practices & Examples What is RxJS — quick primer RxJS (Reactive Extensions for JavaScript) provides Observables and operators to model and manipulate streams of asynchronous events — from keystrokes and HTTP requests to timers and WebSocket messages. 💡 Why this matters: Operators like debounceTime and throttleTime help you control event frequency, reducing wasted CPU and network work while improving UX. 1. Debouncing — emit after silence Debouncing delays emitting a value until a specified period of inactivity. It's best for typeahead inputs where only the final value after the user stops typing is relevant. Live search example (production-ready) // search.component.ts import { Component, OnDestroy } from '@angular/core'; import { FormControl } from '@angular/forms'; import { Subject } from 'rxjs'; import { debounc...
Read more

Comprehensive Guide to C# and .NET Core OOP Concepts and Language Features

-
Comprehensive Guide to C# and .NET Core OOP Concepts Class A class is a blueprint for creating objects that encapsulate both data and behavior. Access Modifiers : public, internal, abstract, sealed control visibility and inheritance. Static Classes : Cannot be instantiated, contain only static members. Partial Classes : Split across files using partial keyword for better organization. public class Car { public string Model; public void Drive() => Console.WriteLine($"{Model} is driving."); } Analogy: A car blueprint used to build many actual cars. Benefits: Reusability, Encapsulation, Abstraction, Inheritance Object An object is an instance of a class. Managed by Garbage Collector for automatic memory cleanup. Boxing/Unboxing allows value types to be treated a...
Read more