User Input Remedies

As with all user input issues, the first rule is to determine which input is valid and to reject all other input. Other options exist; they offer more functionality, potentially at the cost of security.

The following techniques reduce the threat of user input:

  • Determine what is valid input and reject everything else.
  • Use regular expressions.
  • Display user input only after sanitizing it.
  • Passwords are problematic: escape them using Server.URLEncode or HttpServerUtility.URLEncode.
  • Never use the "sa" account to log on to SQL Server from any application. It defeats the least privilege principle.
  • Do not construct SQL strings.
  • Use placeholders or stored procedures.
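The list above, combined into one worked example that is added here and is not code from the original page: an allowlist check that rejects everything not explicitly valid, a query built by string concatenation (the pattern the page warns against), and the same lookup done with a placeholder. It uses Python and an in-memory SQLite database as a stand-in for SQL Server; in ADO.NET the equivalent is a SqlCommand with SqlParameter values. Table, column and sample names are constructed for the demonstration.

```python
import re
import sqlite3

# Allowlist: state exactly what a valid username looks like; anything else is rejected.
# Letters, digits, dot, underscore, hyphen and apostrophe (for names like o'brien), 1-32 chars.
USERNAME_RE = re.compile(r"[A-Za-z][A-Za-z0-9'._-]{0,31}")


def is_valid_username(value: str) -> bool:
    """Return True only when the whole value matches the allowlist pattern."""
    return USERNAME_RE.fullmatch(value) is not None


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data; stands in for a real SQL Server table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, role TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "user"), ("o'brien", "user"), ("admin", "admin")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """The pattern the page says not to use: the SQL text is assembled from input.
    Even legitimate input containing a quote changes the statement's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + username + "'"
    return conn.execute(sql).fetchall()


def unsafe_lookup_breaks(conn: sqlite3.Connection, username: str) -> bool:
    """True when the concatenated query fails to parse for this (valid) input."""
    try:
        lookup_unsafe(conn, username)
    except sqlite3.Error:
        return True
    return False


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Validate first, then bind the value with a placeholder so it is always data."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (username,)).fetchall()


if __name__ == "__main__":
    db = build_demo_db()
    print(lookup_safe(db, "o'brien"))          # the apostrophe is matched literally
    print(unsafe_lookup_breaks(db, "o'brien"))  # the concatenated version cannot even run
```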

Copyright © 2005 Microsoft Corporation.
All rights reserved.