Code Like a Pro in C#: Secure Coding Practices

Not so long ago, secure coding was something we knew existed but left for the last story points of the project. Today, writing secure code is like locking the front door of your house. You wouldn't leave it open, right? Unless, of course, you're inviting the world to help themselves to your fridge, which, in programming terms, means inviting attackers in. So let's dive into some secure coding practices, sprinkled with C# examples and a few laughs!

1. Sanitize Input – The Old "Don't Trust Anyone" Rule

When it comes to input, assume everything is out to get you: form fields, query strings, headers, file names, messages from other services. The most innocent-looking data could be a Trojan horse. One caveat on the word "sanitize": stripping or escaping the characters you think are dangerous is the fragile way to do this. The reliable fix is to keep untrusted data out of the SQL text altogether, which is exactly what a parameter does.

// Before sanitizing: inviting trouble
string userInput = Console.ReadLine();
string query = "SELECT * FROM Users WHERE username = '" + userInput + "'";
// Congratulations, you just wrote an SQL Injection invitation!
// Input such as   ' OR '1'='1   turns this into a query that matches every user.

// After: showing you're the boss. The input is bound as a value, never spliced into the SQL.
// using System.Data; using System.Data.SqlClient; (or Microsoft.Data.SqlClient)
string safeQuery = "SELECT * FROM Users WHERE username = @username";
using var command = new SqlCommand(safeQuery, connection); // connection: an open SqlConnection
command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userInput;

Joke: Why don't programmers trust their users? Because they always input bad data.

2. Use Parameterized Queries – Because Letting Strings in SQL is Risky Business

SQL injections are like that unexpected party guest who breaks your favorite lamp. Parameterized queries ensure the only people in your "database party" are the ones you invited. Two practical notes: AddWithValue infers the parameter type from the value, which can cause implicit conversions and index misses on the server, so prefer a typed parameter (Parameters.Add("@userID", SqlDbType.Int).Value = id) when you know the column type. And an ORM does not make you immune: EF Core's FromSqlRaw with a string you built by interpolation is still injectable, whereas FromSqlInterpolated turns the interpolated values into parameters.

// Bad code: You've got a party crasher!
string query = "SELECT * FROM Users WHERE UserID = '" + userInput + "'";

// Good code: SQL Injection? Not today!
// using System.Data.SqlClient; (or Microsoft.Data.SqlClient)
using var command = new SqlCommand("SELECT * FROM Users WHERE UserID = @userID", connection); // connection: an open SqlConnection
command.Parameters.AddWithValue("@userID", userInput);
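To make the difference observable rather than theoretical, here is an added example (not code from the original article) that runs the same query both ways against an in-memory SQLite database, so it works offline with no SQL Server. It assumes the Microsoft.Data.Sqlite NuGet package (dotnet add package Microsoft.Data.Sqlite); the Users table, its three rows and the two inputs are constructed for the demo.

```csharp
// Added example: concatenated vs. parameterized query, run against SQLite in memory.
// Assumes the Microsoft.Data.Sqlite package. Schema, rows and inputs are constructed here.
using System;
using Microsoft.Data.Sqlite;

static class InjectionDemo
{
    // Deliberately vulnerable: user input becomes part of the SQL text.
    public static int CountByConcatenation(SqliteConnection db, string userId)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE UserID = '" + userId + "'";
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    // Hardened: the input is bound as a value; the parser never sees it as SQL syntax.
    public static int CountByParameter(SqliteConnection db, string userId)
    {
        using var cmd = db.CreateCommand();
        cmd.CommandText = "SELECT COUNT(*) FROM Users WHERE UserID = @userId";
        cmd.Parameters.AddWithValue("@userId", userId);
        return Convert.ToInt32(cmd.ExecuteScalar());
    }

    public static SqliteConnection OpenSampleDatabase()
    {
        var db = new SqliteConnection("Data Source=:memory:");
        db.Open();
        using var setup = db.CreateCommand();
        setup.CommandText =
            "CREATE TABLE Users(UserID TEXT NOT NULL, Name TEXT NOT NULL);" +
            "INSERT INTO Users VALUES ('42','alice'),('43','bob'),('44','carol');";
        setup.ExecuteNonQuery();
        return db;
    }

    static void Main()
    {
        using var db = OpenSampleDatabase();

        string honest  = "42";
        string hostile = "x' OR '1'='1";   // classic tautology payload (constructed)

        Console.WriteLine($"concat, honest : {CountByConcatenation(db, honest)}");
        Console.WriteLine($"concat, hostile: {CountByConcatenation(db, hostile)}");
        Console.WriteLine($"param,  honest : {CountByParameter(db, honest)}");
        Console.WriteLine($"param,  hostile: {CountByParameter(db, hostile)}");
    }
}
```

With the honest input both versions find the single matching user. With the hostile input the concatenated version matches every row, because the text becomes WHERE UserID = 'x' OR '1'='1', while the parameterized version matches nothing, because no user has the literal ID x' OR '1'='1. SQLite stands in for SQL Server only so the sample is self-contained; SqlCommand parameters behave the same way.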

3. Validate All Data – No Free Passes Here

Even with parameterized queries, don't skip validation! Parameters stop injection; validation enforces what the data is supposed to be (a length, a format, a range), preferably as an allow-list of what is accepted rather than a deny-list of what looks scary, and it lets you fail fast at the boundary. It's like making sure all passengers have a ticket before boarding the train. And trust me, you don't want that guy with no ticket sneaking in and messing up the system!

// Always validate! Length is the bare minimum; most fields also need a shape (allow-list) check.
if (userInput.Length < 1 || userInput.Length > 20)
{
    throw new ArgumentException("Invalid input length");
}
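The following is an added example (not from the original article) that takes the length check above a step further: allow-list validation for a username and a numeric ID, run over a few constructed inputs. The field names, limits, regular expression and timeout are assumptions chosen for illustration.

```csharp
// Added example: allow-list validation for two common inputs.
// Names, limits and the regex are illustrative assumptions; the sample inputs are constructed.
using System;
using System.Globalization;
using System.Text.RegularExpressions;

static class InputValidation
{
    // Allow-list: describe what a valid username looks like, not which characters are "bad".
    // The match timeout caps evaluation time on adversarial input (regex denial of service).
    static readonly Regex UsernameShape = new Regex(
        "^[a-z0-9_]{3,20}$",
        RegexOptions.CultureInvariant,
        TimeSpan.FromMilliseconds(100));

    public static bool TryValidateUsername(string? raw, out string username)
    {
        username = string.Empty;
        if (raw is null) return false;

        // Normalise first, so the value you validate is the value you go on to use.
        string candidate = raw.Trim().ToLowerInvariant();
        if (!UsernameShape.IsMatch(candidate)) return false;

        username = candidate;
        return true;
    }

    // Parse to the real type instead of inspecting the string; NumberStyles.None
    // allows digits only (no sign, no whitespace, no separators) and overflow fails the parse.
    public static bool TryValidateUserId(string? raw, out int userId)
    {
        userId = 0;
        if (!int.TryParse(raw, NumberStyles.None, CultureInfo.InvariantCulture, out int parsed))
            return false;
        if (parsed <= 0) return false;   // business rule: IDs are positive
        userId = parsed;
        return true;
    }

    static void Main()
    {
        string[] names = { "alice", "  Bob_99 ", "x' OR '1'='1", "", new string('a', 21) };
        foreach (var s in names)
            Console.WriteLine($"{s,-24} username valid: {TryValidateUsername(s, out _)}");

        string[] ids = { "42", "-1", "4.2", "99999999999", "42; DROP TABLE Users" };
        foreach (var s in ids)
            Console.WriteLine($"{s,-24} id valid: {TryValidateUserId(s, out _)}");
    }
}
```

Validation like this rejects the injection payloads, but that is a side effect, not the reason to do it: the query still has to be parameterized. What validation buys you is a hard boundary where bad data is refused before it reaches business logic, plus a typed value (int, not string) that the rest of the code can trust.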

Joke: How do hackers get away with so much? Because developers forgot to validate their alibi.

4. Use HTTPS – No One Likes Eavesdroppers

Sending data over HTTP is like sharing your darkest secrets over a megaphone in a crowded room. HTTPS is your whisper in a private corner.

// Avoid this: This is not a secure chat room!
HttpClient client = new HttpClient();
client.BaseAddress = new Uri("http://www.notsecure.com");

// Use this: Keep it on the down-low with HTTPS.
client.BaseAddress = new Uri("https://www.securewebsite.com");
// And leave certificate validation switched on. HttpClient checks the server
// certificate by default; disabling that check hands the connection to anyone
// sitting in the middle, HTTPS or not.
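A base address alone is a weak guarantee, because any absolute http:// URI passed to GetAsync overrides it. The following added example (not from the original article) builds an HttpClient with a handler that refuses to send anything over a non-HTTPS scheme, beside the one-line misconfiguration that would silently disable certificate validation. The hostnames are placeholders; nothing actually reaches the network, because the request is rejected before it is sent.

```csharp
// Added example: an HttpClient that enforces HTTPS for every request, not just the base address.
// Hostnames are placeholders; the demo request is blocked locally, so this runs offline.
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Inspects every outgoing request before it reaches the wire.
sealed class HttpsOnlyHandler : DelegatingHandler
{
    public HttpsOnlyHandler(HttpMessageHandler inner) : base(inner) { }

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        if (request.RequestUri is null || request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            return Task.FromException<HttpResponseMessage>(new InvalidOperationException(
                $"Refusing to send {request.RequestUri} over a non-HTTPS scheme."));
        }
        return base.SendAsync(request, cancellationToken);
    }
}

static class SecureHttp
{
    public static HttpClient CreateClient(Uri baseAddress)
    {
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Base address must use https.", nameof(baseAddress));

        var inner = new HttpClientHandler();

        // DON'T: this accepts any certificate, including an attacker's, and turns
        // the whisper in the corner back into a megaphone.
        // inner.ServerCertificateCustomValidationCallback =
        //     HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;

        return new HttpClient(new HttpsOnlyHandler(inner)) { BaseAddress = baseAddress };
    }

    static async Task Main()
    {
        using var client = CreateClient(new Uri("https://www.securewebsite.com/"));

        // An absolute http:// URI ignores BaseAddress, so the handler is what enforces the policy.
        try
        {
            await client.GetAsync("http://www.notsecure.com/api/data");
            Console.WriteLine("request was sent (should not happen)");
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("blocked: " + ex.Message);
        }
    }
}
```

On the server side of an ASP.NET Core app the matching controls are app.UseHttpsRedirection() and app.UseHsts(), so browsers are pushed to HTTPS and remember to stay there.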

5. Keep Secrets… Secret

Putting sensitive information in your code is like taping your house keys to the front door. Sure, it's easy to find – for everyone.

// Not secure! Might as well post your password on a billboard
string connectionString = "Server=myServer;Database=myDB;User=myUser;Password=mySecretPassword";

// Better! Keep those secrets hidden: read them at runtime from a secure vault
// or environment variables, keep them out of source control, and rotate the
// password if it was ever committed (git history remembers).
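Here is an added example (not from the original article) of the "better" half: load the connection string from the environment, fail closed when it is missing, and redact the credential before the string can end up in a log line. The variable name MYAPP_DB_CONNECTION is an assumption, and the sample value is set inside Main only so the snippet runs without real infrastructure.

```csharp
// Added example: secrets from the environment, fail closed, and redact before logging.
// MYAPP_DB_CONNECTION and the sample value are assumptions constructed for the demo.
using System;
using System.Data.Common;

static class Secrets
{
    const string ConnectionVariable = "MYAPP_DB_CONNECTION";

    // Fail closed: a missing secret is a configuration error, not something to
    // paper over with a hard-coded default.
    public static string GetConnectionString()
    {
        string? value = Environment.GetEnvironmentVariable(ConnectionVariable);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException(
                $"Environment variable {ConnectionVariable} is not set.");
        return value;
    }

    // Connection strings end up in logs surprisingly often. Strip the credential
    // keys (key lookup is case-insensitive) before anything is written out.
    public static string Redact(string connectionString)
    {
        var builder = new DbConnectionStringBuilder { ConnectionString = connectionString };
        foreach (string key in new[] { "Password", "Pwd" })
        {
            if (builder.ContainsKey(key))
                builder[key] = "***";
        }
        return builder.ConnectionString;
    }

    static void Main()
    {
        // Constructed value so the sample runs without a real database.
        Environment.SetEnvironmentVariable(ConnectionVariable,
            "Server=myServer;Database=myDB;User=myUser;Password=mySecretPassword");

        string cs = GetConnectionString();
        Console.WriteLine("Using: " + Redact(cs));   // the real value never hits the console
    }
}
```

For local development the .NET Secret Manager (dotnet user-secrets) keeps the value outside the repository; in production a vault such as Azure Key Vault reached through a managed identity means the application holds no long-lived password at all.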

Joke: How do programmers tell their secrets? They don't – unless it's in plaintext inside their code.

6. Handle Exceptions Like a Pro

Leaving exception messages visible to the user is like handing them a treasure map to your vulnerabilities: messages and stack traces carry file paths, table and column names, framework versions and SQL fragments. Always be mindful of what information you're giving away!

// Oops! This reveals way too much information.
try
{
    // some code here
}
catch (Exception ex)
{
    Console.WriteLine(ex.Message); // Don't do this!
}

// Better: Catch and log without giving the game away.
try
{
    // some code here
}
catch (Exception ex)
{
    // Log the full exception internally (ex.ToString() includes the stack trace),
    // but don't give hackers any clues!
    Console.WriteLine("An error occurred. Please try again.");
}
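The missing piece in "log it internally" is how support later finds the right log entry. The following added example (not from the original article) catches at the request boundary, writes the full exception to an internal sink tagged with a correlation ID, and returns only a generic message plus that ID. The failing operation, its path and the use of Console.Error as the log sink are constructed stand-ins.

```csharp
// Added example: error boundary with an internal full log and a generic, traceable user message.
// LoadProfile, its path and the Console.Error sink are constructed stand-ins for the demo.
using System;
using System.IO;

static class ErrorBoundary
{
    // Stand-in for the application's real log sink (assumption for this example).
    static readonly TextWriter InternalLog = Console.Error;

    // Simulates an operation that fails for one input; the path is made up.
    static string LoadProfile(string userId)
    {
        if (userId == "13")
            throw new FileNotFoundException("Profile file missing", @"C:\app\data\profiles\13.json");
        return $"profile for {userId}";
    }

    public static string HandleRequest(string userId)
    {
        try
        {
            return LoadProfile(userId);
        }
        catch (Exception ex) when (ex is not OperationCanceledException)
        {
            // Everything useful for debugging (type, message, path, stack trace) stays inside.
            string correlationId = Guid.NewGuid().ToString("N");
            InternalLog.WriteLine($"[{correlationId}] {ex}");

            // The caller gets a fixed message and an ID that support can look up.
            return $"An error occurred. Please try again. (reference {correlationId})";
        }
    }

    static void Main()
    {
        Console.WriteLine(HandleRequest("42"));
        Console.WriteLine(HandleRequest("13"));
    }
}
```

The exception filter leaves cancellation alone so a cancelled request is not reported as a server error. In ASP.NET Core the same split is expressed with UseDeveloperExceptionPage in the Development environment only and UseExceptionHandler in production, returning a ProblemDetails body that carries the correlation ID rather than the exception.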

Conclusion

Coding securely doesn’t have to be boring, but it’s crucial. With the right practices and a bit of humor, you can ensure your code is strong enough to withstand attacks—because no one wants their app hacked faster than you can say “buffer overflow.”

Great insights on secure coding practices! I especially loved the humorous take on parameterized queries and input validation. It's a perfect reminder that security doesn't have to be dull!

More articles by Jorge Andrés Flores Zepeda