How to Fix SQL Injection in ASP.NET
Learn how to prevent and fix SQL Injection vulnerabilities in ASP.NET applications. Step-by-step guide with code examples, security checklists, and best practices.
What Is SQL Injection?
SQL Injection is a code injection technique that exploits security vulnerabilities in an application's database layer. It occurs when user-supplied data is included in SQL queries without proper sanitization, allowing an attacker to manipulate the query's logic. An attacker can craft input that changes the intended SQL command, gaining unauthorized access to data.
The attack works by inserting (or "injecting") SQL fragments into input fields, URL parameters, cookies, or HTTP headers that are then incorporated into database queries. For example, a login form vulnerable to SQL injection might allow an attacker to bypass authentication by entering `' OR '1'='1` as a password. More sophisticated attacks can use UNION-based injection to extract data from other tables, blind injection to infer data one bit at a time, or stacked queries to execute arbitrary SQL commands.
While ORMs and query builders have reduced the prevalence of SQL injection, it remains common in applications that use raw queries, dynamic query construction, or improperly configured ORMs. Stored procedures are not immune either if they construct dynamic SQL internally.
Why It Matters
SQL Injection consistently ranks among the most dangerous web vulnerabilities because of its severe impact. A successful attack can lead to complete database compromise, allowing attackers to read all data including credentials, personal information, and financial records. Attackers can modify or delete data, causing data integrity issues and potential business disruption. In some database configurations, SQL injection can be escalated to operating system command execution, leading to full server compromise. The 2017 Equifax breach, which exposed 147 million records, was caused by a related injection vulnerability. For applications subject to regulations like GDPR or HIPAA, a SQL injection breach can result in millions of dollars in fines.
How to Fix It in ASP.NET
The most effective defense against SQL injection is using parameterized queries (also called prepared statements) for all database interactions. Never concatenate user input directly into SQL strings. Use your ORM's built-in query methods rather than raw SQL wherever possible. If raw queries are necessary, always use parameterized placeholders. Implement input validation using strict allowlists for expected data types and formats. Apply the principle of least privilege to database accounts -- the application should connect with minimal necessary permissions. Use a Web Application Firewall (WAF) as an additional layer. Regularly audit your codebase for raw query construction patterns.
ASP.NET-Specific Advice
- Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.
- Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.
- ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.
- Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.
Code Examples
// DANGEROUS -- SQL injection
[HttpGet("users/{id}")]
public async Task<User> GetUser(string id) {
return await _context.Users
.FromSqlRaw($"SELECT * FROM Users WHERE Id = '{id}'")
.FirstOrDefaultAsync();
}// Option 1: LINQ (always safe)
[HttpGet("users/{id}")]
public async Task<User> GetUser(int id) {
return await _context.Users
.FirstOrDefaultAsync(u => u.Id == id);
}
// Option 2: Parameterized raw SQL
[HttpGet("users/{id}")]
public async Task<User> GetUser(int id) {
return await _context.Users
.FromSqlInterpolated($"SELECT * FROM Users WHERE Id = {id}")
.FirstOrDefaultAsync();
}ASP.NET Security Checklist for SQL Injection
ASP.NET Security Best Practices
Razor syntax auto-encodes output by default. Never use `@Html.Raw()` with unsanitized user content.
Use Entity Framework with LINQ queries or parameterized SQL. Never use string interpolation in `FromSqlRaw()` calls.
ASP.NET includes anti-forgery token validation. Use `[ValidateAntiForgeryToken]` on all POST actions and include `@Html.AntiForgeryToken()` in forms.
Use Data Annotations (`[Required]`, `[StringLength]`, `[RegularExpression]`) and `ModelState.IsValid` for input validation.
Use ASP.NET Identity for authentication with proper password hashing (PBKDF2 by default). Never implement custom password storage.
Configure HTTPS redirection and HSTS in `Program.cs`. Use `app.UseHttpsRedirection()` and `app.UseHsts()` in production.
Use `[Authorize]` attributes and policy-based authorization for route-level and action-level access control.
Implement rate limiting using ASP.NET Core's built-in `RateLimiter` middleware (available from .NET 7+).
Scan Your ASP.NET App with SafeVibe
Stop guessing if your ASP.NET app is vulnerable to SQL Injection. Run an automated penetration test in minutes and get actionable results.
Start Free Scan