Please enable Javascript to correctly display the contents on Dot Net Tricks!

SQL Injection Attacks

  Author : Shailendra Chauhan
Updated On : 25 Sep 2012
Total Views : 117,289   
Support : SQL Server 2005,2008,2012

A SQL Injection attack is an attack mechanisms used by hackers to steal sensitive information from database of an organization. It is the application layer means front-end attack which takes benefit of inappropriate coding of our applications that allows hacker to insert SQL commands into your code that is using sql statement.

SQL Injection arises since the fields available for user input allow SQL statements to pass through and query the database directly.

SQL Injection: A Simple Example

For explaining this issue, Let's create a table "tbluser" for describing the SQL Injection Attack.

 Create table tbluser
 userName varchar(50) primary key,
 userpwd varchar(50),
 address varchar(100)
insert into tbluser(userName,userpwd,address)values('','123456','Delhi');
insert into tbluser(userName,userpwd,address)values('','123456','Noida');
insert into tbluser(userName,userpwd,address)values('','123456','Gurgaon');
insert into tbluser(userName,userpwd,address)values('','123456','Delhi');
select * from tbluser 

Now let’s look at the following query string in In this we are passing username from TextBox "txtUserID" and userpwd from TextBox "txtpwd" to check user credential.

 "SELECT * FROM tbluser WHERE userName = '"+ txtUserID.text +"' and userpwd = '"+ txtPwd.text +"'"; 

Now hacker will pass the following input to TextBoxes to inject sql attack. What will happen when the below data goes as input?

 "SELECT * FROM tbluser WHERE userName = ';Drop table tblusers --' and userpwd = '123'"; 

Semicolon ; in above statement will terminate the current sql. So, "SELECT * FROM tbluser WHERE UserID = ''" will become a separate statement and after Semi Colon ; it will starts a new sql statement "Drop table tblusers" that will drop our table tbluser. Hence your user details table has been dropped and your database will be unmanaged.

Solution for SQL Injection Attack

  1. In C# or VB.Net during building a SQL Statement, use the SqlParameter to define the Parameter Name, type, and value instead of making a straight command like as above

  2. In Asp.Net query specify that CommandType as Text or Stored Procedure.

  3. When we use Parameters Collection, we should use parameters the type and size will also be mention.

  4. If we use stored procedure, instead of directly building by using Exec command, use sp_executesql command.

  5. Another way to stop SQL injection attacks is to filter the user input for SQL characters. Use the REPLACE function to replace any apostrophe (single quotation mark to SQL) with an additional apostrophe. Within a SQL string, two consecutive single quotation marks are treated as an instance of the apostrophe character within the string.


In this article I try to explain Sql Injection attack. I hope after reading this article will be aware of Sql Injection attack. I would like to have feedback from my blog readers. Please post your feedback, question, or comments about this article.

Free Interview Books
14 DEC
ASP.NET MVC with AngularJS Development (online)

MON-FRI 07:30 AM- 09:00 AM IST

Know More
AngularJS Development (online)

Mon - Fri     6:30 AM-7:30 AM IST

AngularJS Development (offline)

SAT,SUN     11:00 AM-12:30 PM IST

MEAN Stack Development (offline)

Sat, Sun     (09:30 AM-11:00 AM IST)

26 NOV
ASP.NET MVC with AngularJS Development (offline)

(SAT,SUN)     03:30 PM-05:00 PM IST

24 NOV
ASP.NET MVC with AngularJS Development (online)

MON-FRI     09:30 PM-11:00 PM IST

12 NOV
ASP.NET MVC with AngularJS Development (offline)

SAT,SUN     08:00 AM-09:30 AM

ASP.NET MVC with AngularJS Development (online)

MON-FRI     07:30 AM-09:00 AM IST

25 OCT
.NET Development (offline)

Mon-Fri     9:00 AM-11:00 AM IST


Professional Speaks