🛡️ Security in .NET: Preventing SQL Injection

-

SQL Injection occurs when user input is treated as executable SQL code.

Instead of being interpreted as simple data, malicious input alters the structure of the SQL command itself.

⚠️ Example of a SQL Injection Attack

Consider the following vulnerable code: 

var query = "SELECT * FROM Users WHERE Id = " + userInput;

An attacker could provide input such as: 

1; DROP TABLE Products;

The resulting SQL command becomes: 

SELECT * FROM Users WHERE Id = 1; DROP TABLE Products;

Instead of retrieving a user record, the database executes two commands:

  • Fetch user data
  • Delete the entire Products table

This is SQL Injection.

1️⃣ The Golden Rule: Parameterization

The only reliable defense against SQL Injection is parameterization.

Parameterized queries separate:

  • SQL logic (command structure)
  • user input (data values)

When parameters are used, the database treats input strictly as literal values — never as executable SQL code.

2️⃣ Best Practices with Entity Framework Core

Entity Framework Core (EF Core) is secure by default when using LINQ queries.

However, vulnerabilities can occur when using raw SQL execution methods.

❌ Dangerous Approach: FromSqlRaw

Using string interpolation or concatenation inside FromSqlRaw can expose your application to SQL Injection. 

// DANGEROUS: vulnerable to SQL Injection

var user = context.Users
    .FromSqlRaw($"SELECT * FROM Users WHERE Email = '{userInput}'")
    .FirstOrDefault();

The input becomes part of the SQL command string.

✅ Secure Approach: FromSqlInterpolated

Use FromSqlInterpolated whenever dynamic input is required. 

// SAFE: EF Core automatically parameterizes input

var user = context.Users
    .FromSqlInterpolated(
        $"SELECT * FROM Users WHERE Email = {userInput}"
    )
    .FirstOrDefault();

Although the syntax looks like string interpolation, EF Core internally converts values into SQL parameters.

3️⃣ Best Practices with Dapper

Dapper is widely used for performance-critical applications.

Because Dapper executes raw SQL strings, developers must explicitly use parameters.

✅ Secure Dapper Example

var sql =
    "SELECT * FROM Products WHERE CategoryId = @CatId";

var products =
    connection.Query<Product>(
        sql,
        new { CatId = userInput }
    );

Dapper ensures that @CatId is treated as a parameterized value.

The SQL structure remains unchanged regardless of user input.

4️⃣ Least Privilege: The Database Safety Net

Even well-written code should not rely on full database permissions.

Follow the Principle of Least Privilege:

Permission Recommendation
SELECT Allowed
INSERT Allowed
UPDATE Allowed
DELETE Allowed
DROP Not allowed
ALTER Not allowed
TRUNCATE Not allowed

If an attacker discovers an injection vulnerability, restricted permissions prevent catastrophic schema damage.

📊 Complete .NET Security Stack

Threat Solution Layer
XSS HtmlSanitizer Input Layer
XSS / Data Leakage CSP Headers Browser Layer
DoS / Brute Force Rate Limiting Availability Layer
CSRF Antiforgery Tokens Request Layer
SQL Injection Parameterized Queries Data Layer

🏁 Final Series Thoughts: Security is an Architecture

Security is not a single feature — it is a layered system.

By combining:

  • Input sanitization
  • Secure headers
  • CSRF protection
  • Rate limiting
  • Parameterized queries

you significantly reduce the risk of common web application vulnerabilities.

🛡️ Final Pro Tip Never expose raw database errors to users. Use your ResponseWrapperMiddleware to catch exceptions such as: 
SqlException
Return a generic message: 
"An internal error occurred"
while logging full details securely in:
  • Serilog
  • Application Insights
  • ELK Stack

Comments

Post a Comment

Popular posts from this blog

Promises in Angular

-
🚀 Promises in Angular – The Complete Beginner’s Guide (with Examples) 📘 Introduction In modern Angular development, handling asynchronous operations is essential. Whether you're fetching data from an API, loading files, or wrapping browser-native APIs, Promises offer a clean and readable way to deal with one-time asynchronous operations. This guide explains: What Promises are How they compare with Observables Real-world examples using .then() and async/await When to use Promises vs Observables in Angular 📚 Table of Contents 🔍 What is a Promise? 🔁 Promise Lifecycle ✨ Key Features 📌 Syntax 💻 Example 1: Fetch 💻 Example 2: setTimeout 📊 Promises vs Observables 🎯 When to Use Promises 📦 Angular Service Example 🔄 Observable vs Promise ❓ FAQ ✅ Summary 🔍 What is a Promise? A Promise is a JavaScript object that represents the eventual success (fulfilled) or failure (rejected) of an asynchronous operation. 📌 Com...
Read more

Debouncing & Throttling in RxJS: Optimizing API Calls and User Interactions

-
RxJS Debounce vs Throttle in Angular – Best Practices & Examples What is RxJS — quick primer RxJS (Reactive Extensions for JavaScript) provides Observables and operators to model and manipulate streams of asynchronous events — from keystrokes and HTTP requests to timers and WebSocket messages. 💡 Why this matters: Operators like debounceTime and throttleTime help you control event frequency, reducing wasted CPU and network work while improving UX. 1. Debouncing — emit after silence Debouncing delays emitting a value until a specified period of inactivity. It's best for typeahead inputs where only the final value after the user stops typing is relevant. Live search example (production-ready) // search.component.ts import { Component, OnDestroy } from '@angular/core'; import { FormControl } from '@angular/forms'; import { Subject } from 'rxjs'; import { debounc...
Read more

Comprehensive Guide to C# and .NET Core OOP Concepts and Language Features

-
Comprehensive Guide to C# and .NET Core OOP Concepts Class A class is a blueprint for creating objects that encapsulate both data and behavior. Access Modifiers : public, internal, abstract, sealed control visibility and inheritance. Static Classes : Cannot be instantiated, contain only static members. Partial Classes : Split across files using partial keyword for better organization. public class Car { public string Model; public void Drive() => Console.WriteLine($"{Model} is driving."); } Analogy: A car blueprint used to build many actual cars. Benefits: Reusability, Encapsulation, Abstraction, Inheritance Object An object is an instance of a class. Managed by Garbage Collector for automatic memory cleanup. Boxing/Unboxing allows value types to be treated a...
Read more