Please enable Javascript to correctly display the contents on Dot Net Tricks!

SQL Injection Attacks

  Authors : Shailendra Chauhan
Updated On : 25 Sep 2012
Total Views : 117,046   
Support : SQL Server 2005,2008,2012

A SQL Injection attack is an attack mechanisms used by hackers to steal sensitive information from database of an organization. It is the application layer means front-end attack which takes benefit of inappropriate coding of our applications that allows hacker to insert SQL commands into your code that is using sql statement.

SQL Injection arises since the fields available for user input allow SQL statements to pass through and query the database directly.

SQL Injection: A Simple Example

For explaining this issue, Let's create a table "tbluser" for describing the SQL Injection Attack.

 Create table tbluser
 userName varchar(50) primary key,
 userpwd varchar(50),
 address varchar(100)
insert into tbluser(userName,userpwd,address)values('','123456','Delhi');
insert into tbluser(userName,userpwd,address)values('','123456','Noida');
insert into tbluser(userName,userpwd,address)values('','123456','Gurgaon');
insert into tbluser(userName,userpwd,address)values('','123456','Delhi');
select * from tbluser 

Now let’s look at the following query string in In this we are passing username from TextBox "txtUserID" and userpwd from TextBox "txtpwd" to check user credential.

 "SELECT * FROM tbluser WHERE userName = '"+ txtUserID.text +"' and userpwd = '"+ txtPwd.text +"'"; 

Now hacker will pass the following input to TextBoxes to inject sql attack. What will happen when the below data goes as input?

 "SELECT * FROM tbluser WHERE userName = ';Drop table tblusers --' and userpwd = '123'"; 

Semicolon ; in above statement will terminate the current sql. So, "SELECT * FROM tbluser WHERE UserID = ''" will become a separate statement and after Semi Colon ; it will starts a new sql statement "Drop table tblusers" that will drop our table tbluser. Hence your user details table has been dropped and your database will be unmanaged.

Solution for SQL Injection Attack

  1. In C# or VB.Net during building a SQL Statement, use the SqlParameter to define the Parameter Name, type, and value instead of making a straight command like as above

  2. In Asp.Net query specify that CommandType as Text or Stored Procedure.

  3. When we use Parameters Collection, we should use parameters the type and size will also be mention.

  4. If we use stored procedure, instead of directly building by using Exec command, use sp_executesql command.

  5. Another way to stop SQL injection attacks is to filter the user input for SQL characters. Use the REPLACE function to replace any apostrophe (single quotation mark to SQL) with an additional apostrophe. Within a SQL string, two consecutive single quotation marks are treated as an instance of the apostrophe character within the string.


In this article I try to explain Sql Injection attack. I hope after reading this article will be aware of Sql Injection attack. I would like to have feedback from my blog readers. Please post your feedback, question, or comments about this article.

Free Interview Books
13 NOV
MEAN Stack Development (offline)

Sat, Sun (11:00 AM-12:30 PM IST)

Know More
PPC Marketing (offline)

Sat, Sun 09:00 AM-10:30 AM IST

Know More
ASP.NET MVC with AngularJS Development (offline)

SAT,SUN 08:00 AM-09:30 AM

Know More
Spoken English & Personality Development (offline)

Sat,Sun 05:00 PM-06:30 PM IST

Know More
NodeJS Development (online)

MON-FRI 06:00 AM - 07:30 AM IST

Know More
AngularJS Development (online)

MON-FRI 08:00 PM-09:30 PM IST.

Know More
27 OCT
ASP.NET MVC with AngularJS Development (online)

MON-FRI     07:30 AM-09:00 AM IST

26 OCT
ASP.NET MVC with AngularJS Development (online)

Mon-Fri     07:30 AM-09:00 AM IST

25 OCT
.NET Development (offline)

Mon-Fri     9:00 AM-11:00 AM IST

24 OCT
MEAN Stack Development (online)

MON-FRI     06:00 AM -07:30 AM IST

12 OCT
ASP.NET MVC with AngularJS Development (online)

Mon-Fri     09:30 PM-11:00 PM IST

17 SEP
ASP.NET MVC with AngularJS Development (online)

Sat, Sun     03:00 PM-05:00 PM IST

17 SEP
ASP.NET MVC with AngularJS Development (offline)

SAT,SUN     05:00 PM-06:30 PM IST

NodeJS Development (offline)

Sat, Sun     11:00 AM-12:30 PM IST

24 JUL
PPC Marketing (offline)

Sat,Sun     03:00 PM-05:00 PM


Professional Speaks