VB.NET Security

VB.NET security practices for SQL injection prevention, data protection, and input validation

Details

Language / Topic
Visual Basic .NET (vbnet)
Category
Security

Rules

- Always use parameterized queries: `cmd.CommandText = "SELECT * FROM Users WHERE Id = @id" : cmd.Parameters.AddWithValue("@id", userId)` — never concatenate user input into SQL strings.
- Use `System.Security.Cryptography.RandomNumberGenerator` for cryptographic randomness — never use `System.Random` for security tokens, salts, or session IDs.
- Use `SecureString` to hold passwords and secrets in memory — clear it with `Dispose()` immediately after use to minimize the exposure window.
- Use `Microsoft.AspNetCore.DataProtection` (`IDataProtector`) for encrypting sensitive data at rest — never implement custom encryption with raw AES without proper key management.
- Validate and sanitize all input at the boundary: check lengths, allowed character sets, and format before processing — use `System.ComponentModel.DataAnnotations` for model-level validation.
- Use `HttpOnly` and `Secure` cookie flags for session cookies: `New CookieOptions() With { .HttpOnly = True, .Secure = True, .SameSite = SameSiteMode.Strict }`.
- Store connection strings and API keys in environment variables or `Secret Manager` — never commit credentials to `appsettings.json` or source control.
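The parameterized-query, input-validation, cryptographic-randomness and secrets-from-environment rules above, worked through in VB.NET as an added example (not part of the original rule set). It assumes the classic `System.Data.SqlClient` provider, a `Users` table with `Id` and `UserName` columns, and a hypothetical `APP_DB_CONNECTION` environment variable.

```vbnet
Imports System
Imports System.Data
Imports System.Data.SqlClient      ' assumption: classic provider; Microsoft.Data.SqlClient has the same API
Imports System.Security.Cryptography
Imports System.Text.RegularExpressions

Module SecureDataAccess
    ' The id is bound as a typed parameter, so the caller's value never becomes SQL text.
    ' Unsafe pattern this replaces: cmd.CommandText = "... WHERE Id = " & userId
    Public Function BuildUserLookup(conn As SqlConnection, userId As Integer) As SqlCommand
        Dim cmd As SqlCommand = conn.CreateCommand()
        cmd.CommandText = "SELECT Id, UserName FROM Users WHERE Id = @id"
        ' An explicit SqlDbType avoids AddWithValue's type inference (implicit conversions, plan churn).
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = userId
        Return cmd
    End Function

    ' Boundary validation: length and allowed character set, checked before the value reaches any sink.
    Private ReadOnly UserNamePattern As New Regex("^[A-Za-z0-9_.-]{3,32}$", RegexOptions.Compiled)

    Public Function IsValidUserName(candidate As String) As Boolean
        If candidate Is Nothing Then Return False
        Return UserNamePattern.IsMatch(candidate)
    End Function

    ' Session token from the OS CSPRNG (32 bytes = 256 bits); System.Random would be predictable here.
    Public Function NewSessionToken() As String
        Dim bytes(31) As Byte                 ' 32 elements: VB array bounds are inclusive
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(bytes)
        End Using
        Return Convert.ToBase64String(bytes)
    End Function

    Sub Main()
        Console.WriteLine(IsValidUserName("alice_01"))   ' letters, digits and underscore are allowed
        Console.WriteLine(IsValidUserName("alice'"))     ' the quote character is outside the allowed set
        Console.WriteLine(NewSessionToken())             ' a fresh Base64-encoded token on every call
        ' Connection string from the environment (hypothetical variable name), never from source control.
        Dim cs As String = Environment.GetEnvironmentVariable("APP_DB_CONNECTION")
        If String.IsNullOrEmpty(cs) Then Return
        Using conn As New SqlConnection(cs)
            conn.Open()
            Using cmd As SqlCommand = BuildUserLookup(conn, 42)
                Console.WriteLine(cmd.ExecuteScalar())   ' first column of the first matching row, if any
            End Using
        End Using
    End Sub
End Module
```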