My team currently uses ASP.NET with MS SQL Server for our software. Security has only become important since I started, and there are injection vulnerabilities everywhere.
Due to current integration with Oracle and MS SQL, the business decision was never to use parameterized queries. This of course has been an issue.
Implementing find-and-replace along with whitelisting of parameters has reduced this issue strongly.
My only issue is, I have read a lot about Unicode and other encodings being the cause of SQL injection. I don't quite understand this. Currently we sanitise everything like this:
' Whitelist: letters, digits, and a few punctuation characters (. = , : whitespace \ / ')
Const pattern As String = "^[a-zA-Z0-9.=,:\s\\\/\']*$"

' Double single quotes first, then reject anything outside the whitelist
term = term.Replace("'", "''")
If Not Tools.ValidString(term, pattern) Then
    term = String.Empty
End If

Public Shared Function ValidString(ByVal source As String, ByVal pattern As String) As Boolean
    ' An empty (or Nothing) string is treated as valid; VB's "=" treats Nothing like ""
    If source = String.Empty Then Return True
    Dim params As Text.RegularExpressions.RegexOptions = Text.RegularExpressions.RegexOptions.None
    Dim regex As New Text.RegularExpressions.Regex(pattern, params)
    ' Match the input against the compiled pattern using the instance Match(input) overload
    Dim match As Text.RegularExpressions.Match = regex.Match(source)
    Return match.Success
End Function
Does anyone have an example where Unicode/encoded injection could be used, or just a plain example where this regular expression would fail to prevent SQL injection?
Thanks
EDIT:
There is no compliance required for the data we store. But still we would like to prevent injection. Parameterised queries are not an option and would require years of work with the little resources we have and the size of the CMS we have developed. We have a couple of clients with Oracle DBs using our CMS for internal work (not exposed to the public), and that is why there were no parameterised queries from the start.
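Added example, not from the original post: the Oracle/MS SQL split given above as the reason for avoiding parameters can be handled with ADO.NET's provider-agnostic System.Data.Common types, so a single code path binds the value as a parameter for both back ends. The provider name, connection string, table and column names are assumptions for illustration.

```vbnet
' Added example (not from the original post). Assumes the provider's ADO.NET driver is
' installed and registered: "System.Data.SqlClient" for SQL Server, and whatever invariant
' name your Oracle driver registers (passed in by the caller).
Imports System.Data
Imports System.Data.Common

Public Module SafeQuery
    ' Looks up pages by exact title. The title is sent to the server as a bound
    ' parameter value, never spliced into the SQL text, so no regex whitelist
    ' or quote doubling is needed for it.
    Public Function FindPagesByTitle(ByVal providerName As String, ByVal connectionString As String, ByVal title As String) As DataTable
        Dim factory As DbProviderFactory = DbProviderFactories.GetFactory(providerName)
        Using conn As DbConnection = factory.CreateConnection()
            conn.ConnectionString = connectionString
            Using cmd As DbCommand = conn.CreateCommand()
                ' Only the placeholder syntax differs between the two back ends:
                ' "@name" for SQL Server, ":name" for Oracle (detected here from the
                ' provider name as a simplifying assumption; adjust for your driver).
                Dim marker As String = If(providerName.IndexOf("Oracle", StringComparison.OrdinalIgnoreCase) >= 0, ":", "@")
                cmd.CommandText = "SELECT id, title FROM pages WHERE title = " & marker & "title"
                Dim p As DbParameter = cmd.CreateParameter()
                p.ParameterName = marker & "title"
                p.DbType = DbType.String
                p.Value = title
                cmd.Parameters.Add(p)
                conn.Open()
                Dim result As New DataTable()
                Using reader As DbDataReader = cmd.ExecuteReader()
                    result.Load(reader)
                End Using
                Return result
            End Using
        End Using
    End Function
End Module
```

Because the database receives the title as data rather than as part of the statement, the same call is safe regardless of which characters or encodings the input contains, which is exactly what the character whitelist is trying to approximate.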