
SQL Injection Attacks

  Author : Shailendra Chauhan
Updated On : 25 Sep 2012
Support : SQL Server 2005,2008,2012
 

A SQL Injection attack is a technique attackers use to read, modify or destroy data in an organization's database. It is an application-layer attack: it arrives through the application's own front end and takes advantage of poorly written code that builds SQL statements by concatenating user input, so the attacker can insert SQL commands of their own into the statement the application sends to the database.

SQL Injection arises when the fields that accept user input allow SQL syntax to pass through unchanged and become part of a statement that queries the database directly.

SQL Injection: A Simple Example

To explain the issue, let's create a table "tbluser" that we will use to demonstrate the SQL Injection attack.

CREATE TABLE tbluser
(
    userName varchar(50) PRIMARY KEY,
    userpwd  varchar(50),   -- demo only: a real application must store a password hash, never the password itself
    address  varchar(100)
);
INSERT INTO tbluser (userName, userpwd, address) VALUES ('mohan@gmail.com', '123456', 'Delhi');
INSERT INTO tbluser (userName, userpwd, address) VALUES ('shailendra@gmail.com', '123456', 'Noida');
INSERT INTO tbluser (userName, userpwd, address) VALUES ('jitendra@gmail.com', '123456', 'Gurgaon');
INSERT INTO tbluser (userName, userpwd, address) VALUES ('bipul@gmail.com', '123456', 'Delhi');
SELECT * FROM tbluser;

Now let's look at the following query string built in ASP.NET. Here the user name from TextBox "txtUserID" and the password from TextBox "txtPwd" are concatenated straight into the SQL text to check the user's credentials.

string sql = "SELECT * FROM tbluser WHERE userName = '" + txtUserID.Text + "' AND userpwd = '" + txtPwd.Text + "'";

Now suppose an attacker types ';Drop table tbluser -- into the user name TextBox and 123 into the password TextBox. What happens when this input is concatenated into the query? The application sends the following text to SQL Server:

SELECT * FROM tbluser WHERE userName = '';Drop table tbluser --' AND userpwd = '123'

The semicolon terminates the current statement, so "SELECT * FROM tbluser WHERE userName = ''" becomes one statement and "Drop table tbluser" becomes a second one. The "--" that follows turns the rest of the original query (the closing quote and the password check) into a comment, so the whole batch still parses. SQL Server executes the batch, and your user details table is dropped. Note that this particular payload succeeds only because SQL Server runs the concatenated text as a batch and because the application's database login is allowed to drop the table; a least-privilege login would refuse the DROP, but the injection itself would remain and could still be used to bypass the password check or read other users' rows.

Solution for SQL Injection Attack

  1. In C# or VB.NET, when building a SQL statement, use SqlParameter objects to supply the parameter name, type and value instead of concatenating user input into the command text as shown above.

  2. When executing the command, set CommandType to Text for an ordinary parameterized statement or to StoredProcedure when calling a stored procedure; in either case pass the user input through the Parameters collection rather than through the command string.

  3. When using the Parameters collection, specify each parameter's type and size as well as its value, so the input is always bound as data of the expected type and length.

  4. Inside a stored procedure that must build dynamic SQL, do not concatenate input into a string and run it with EXEC; use sp_executesql and pass the values as its parameters. sp_executesql only helps when the user values are passed as parameters; concatenating them into the @stmt string leaves the procedure just as injectable as EXEC.

  5. Another way to reduce SQL injection is to filter user input for SQL characters. Use the REPLACE function to replace any apostrophe (a single quotation mark to SQL) with two apostrophes. Within a SQL string, two consecutive single quotation marks are treated as one literal apostrophe inside the string. This only protects string literals enclosed in single quotes; it does nothing for values placed in numeric contexts or identifiers, and it is easy to forget on one input. Treat it as a last line of defense, not as a replacement for parameters.
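The following is an added example, not code from the original article: it reproduces the vulnerable concatenation from the example above and the parameterized fix from item 1 in Python with the standard library's sqlite3 module, so it runs without a SQL Server instance. The rows, the payload strings and the function names (fresh_db, login_vulnerable, login_safe, demo) are constructed for this demonstration. SQL Server executes concatenated text as a batch, which is what makes the ';Drop table' input work; sqlite3's execute() refuses more than one statement per call, so the vulnerable function falls back to executescript() to reproduce that batch behaviour. The example also shows the more common outcome of the same bug, logging in without a valid password, and that neither input has any effect once the values are bound as parameters.

```python
import sqlite3

# Constructed sample rows mirroring the article's tbluser table (demo data only;
# plaintext passwords are kept solely to match the article's schema).
SEED_USERS = [
    ("mohan@gmail.com", "123456", "Delhi"),
    ("shailendra@gmail.com", "123456", "Noida"),
    ("jitendra@gmail.com", "123456", "Gurgaon"),
    ("bipul@gmail.com", "123456", "Delhi"),
]


def fresh_db():
    """Return an in-memory SQLite database holding the article's tbluser table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE tbluser ("
        "userName VARCHAR(50) PRIMARY KEY, userpwd VARCHAR(50), address VARCHAR(100))"
    )
    conn.executemany("INSERT INTO tbluser VALUES (?, ?, ?)", SEED_USERS)
    conn.commit()
    return conn


def table_exists(conn):
    """True while tbluser is still present in the database."""
    row = conn.execute(
        "SELECT COUNT(*) FROM sqlite_master WHERE type = 'table' AND name = 'tbluser'"
    ).fetchone()
    return row[0] == 1


def login_vulnerable(conn, user, pwd):
    """The article's pattern: user input concatenated straight into the SQL text.

    Returns the (sorted) user names matched by the query. SQL Server executes
    whatever text it is sent as a batch, so a ';' in the input starts a second
    statement. sqlite3's execute() refuses more than one statement per call, so
    on that error the text is replayed with executescript() to reproduce the
    batch behaviour (executescript discards result rows, hence the empty list).
    """
    sql = ("SELECT userName FROM tbluser WHERE userName = '" + user
           + "' AND userpwd = '" + pwd + "'")
    try:
        return sorted(r[0] for r in conn.execute(sql).fetchall())
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        conn.executescript(sql)  # emulate SQL Server batch execution
        return []


def login_safe(conn, user, pwd):
    """Parameterized form: the input is bound as data and can never change the
    statement's structure. In ADO.NET the same binding is done with SqlParameter."""
    rows = conn.execute(
        "SELECT userName FROM tbluser WHERE userName = ? AND userpwd = ?",
        (user, pwd),
    ).fetchall()
    return sorted(r[0] for r in rows)


# Attacker-supplied inputs (constructed for the demo).
DROP_PAYLOAD = "';Drop table tbluser --"       # the article's stacked-query input
BYPASS_PAYLOAD = "' OR '1'='1' --"               # classic authentication bypass
TARGETED_PAYLOAD = "shailendra@gmail.com' --"    # log in as one user, no password


def demo():
    """Run all three inputs against both login functions and report the outcome."""
    results = {}
    conn = fresh_db()
    results["bypass_vulnerable"] = login_vulnerable(conn, BYPASS_PAYLOAD, "x")
    results["targeted_vulnerable"] = login_vulnerable(conn, TARGETED_PAYLOAD, "x")
    login_vulnerable(conn, DROP_PAYLOAD, "123")
    results["table_after_vulnerable"] = table_exists(conn)

    conn = fresh_db()
    results["bypass_safe"] = login_safe(conn, BYPASS_PAYLOAD, "x")
    results["targeted_safe"] = login_safe(conn, TARGETED_PAYLOAD, "x")
    login_safe(conn, DROP_PAYLOAD, "123")
    results["table_after_safe"] = table_exists(conn)
    results["valid_login_safe"] = login_safe(conn, "mohan@gmail.com", "123456")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

login_safe is the sqlite3 equivalent of the SqlParameter approach in item 1; in ADO.NET the binding would be cmd.Parameters.Add("@userName", SqlDbType.VarChar, 50).Value = txtUserID.Text; with @userName in the command text. Because the value is sent separately from the statement, the quotes, semicolon and comment marker in the payloads are compared as literal characters and are never parsed as SQL, which is why the safe variant returns no rows for all three payloads and still finds the genuine user.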

Summary

In this article I have tried to explain the SQL Injection attack. I hope that after reading it you will be aware of how SQL Injection works and how to prevent it. I would like to have feedback from my blog readers; please post your feedback, questions or comments about this article.

