1. login page
Dangerous code (vulnerable to SQL injection):
Code
' Anti-pattern: the SQL text is built by splicing userName and passwd
' straight into the statement. A quote character in either value changes
' the structure of the query rather than being treated as data (SQL injection).
Dim query As String = String.Format("SELECT username, password FROM userinfo WHERE username='{0}' AND password='{1}'", userName, passwd)
Dim cmd As New SqlCommand(query, conn)
conn.Open()
' The reader is opened before the Try block, so it is not covered by
' whatever cleanup the (unseen) Finally performs. The snippet ends before
' End If / End Try; the rest of the handler is not shown.
Dim rdr As SqlDataReader = cmd.ExecuteReader()
Try
If rdr.HasRows() Then
Code improvement:
Code
' Same lookup as the dangerous version, but user-supplied values are bound
' as typed parameters, so they are sent as data and cannot alter the SQL.
' This fixes injection only: the submitted password is still compared
' directly against the stored column, with no hashing visible in this
' excerpt — confirm that passwords are stored and compared as hashes.
Dim cmd As New SqlCommand("select username, password from userinfo where username=@username and password=@passwd", conn)
' NOTE(review): the declared size of 30 bounds the parameter; an input
' longer than that may be truncated by the provider rather than rejected —
' confirm, and validate the length before binding if that matters.
Dim param As SqlParameter = cmd.Parameters.Add("@username", SqlDbType.NVarChar, 30)
param.Value = userName
param = cmd.Parameters.Add("@passwd", SqlDbType.NVarChar, 30)
param.Value = passwd
conn.Open()
' The reader is created outside the Try; closing rdr and conn (and the
' matching End If / End Try) lies past the end of this excerpt.
Dim rdr As SqlDataReader = cmd.ExecuteReader()
Dim ok As Boolean = False
Try
If rdr.HasRows() Then
Prevent JavaScript injection (cross-site scripting) attacks:
' Encode the user-controlled name before echoing it into the page so that
' markup or script characters are rendered as literal text, not interpreted.
Dim safeName As String = Server.HtmlEncode(userName)
Msg.Text = String.Format("Invalid Logon for {0}, please try again", safeName)