Larry Steinle

March 14, 2011

Strategies to Reduce the Risk of Code Injection Attacks

Filed under: Security,VS.Net,Web — Larry Steinle @ 12:22 am

In 2007 Symantec reported that 80% of web hacks utilized a variant of the cross-site attack. Hackers use a cross-site attack to run their own code in another website that is trusted by the unsuspecting user. The cross-site attack is a type of code injection attack. In today’s post we will review the various types of code injection attacks and discuss multiple strategies to mitigate the risk of unintentionally becoming the host for the attack or the target of the attack.


February 28, 2011

Active Directory Data Access Layer

Filed under: Active Directory,VS.Net,Web — Larry Steinle @ 1:27 pm

In the previous post, Reading Data in Active Directory, we learned how to query Active Directory using OLEDB and .Net Directory Services. We learned that the OLEDB option is simple but has two big restrictions: we are limited to 1,000 objects in a search and we are restricted to single-valued attributes. We also learned how to get past those limitations using Directory Services.

In today’s post we begin our journey to create a data access layer for Active Directory that allows us to query Active Directory using a SQL-like syntax without the paging limit and without the single-valued restriction. Best of all, this new data access layer will make it easier to integrate Active Directory management into all of our VS.Net products. When we are done we will use our new Active Directory Data Access Provider to easily construct our own custom Active Directory Query Analyzer web page.


February 20, 2011

Use Regular Expressions to Detect SQL Code Injection

Filed under: RegEx,Security,SQL Server,VS.Net,Web — Larry Steinle @ 12:26 am

To gain unauthorized access to, and possibly control of, another company’s information, hackers employ a technique called SQL Code Injection. This simple technique involves entering a SQL statement inside a text box and submitting the request. When the server processes the page it can be tricked into executing the injected code. The best strategy to block SQL Code Injection is to use a stored procedure. For the times when you simply must use inline SQL statements we will learn how to detect and block SQL Code Injection with the help of a few simple regular expressions.

