c# - How to handle the SQL injection response for best practice -


we using web security scanner found out 1 of web page has bind sqli. scanner modified parameter "news.aspx?id=123" "news.aspx?i=123' or 1=1--", , web server responses news information id=1 information currently.

after investigation development team, said there's no injection cannot access database has blocked .net built-in api sql parameter, , back-end program auto return data of id=1 information client side.

may know can identified false positive, or better redirect generic error pages? or enough , acceptable current stage?

the back-end program auto return data of id=1 information client side.

imo, lame behavior backend. i'd page should detect error , redirect user error page. nevertheless, based on description not valid injection, if business can accept behavior, false positive.

p.s. while isn't sql injection, potentially information disclosure bug if it's possible page display data id=1 , user of page shouldn't have access particular record.


Comments

Popular posts from this blog

c++ - Difference between pre and post decrement in recursive function argument -

php - Nothing but 'run(); ' when browsing to my local project, how do I fix this? -

php - How can I echo out this array? -