A SQL Injection attack is an attack mechanisms used by hackers to steal sensitive information from database of an organization. It is the application layer means front-end attack which takes benefit of inappropriate coding of our applications that allows hacker to insert SQL commands into your code that is using sql statement.
SQL Injection arises since the fields available for user input allow SQL statements to pass through and query the database directly.
SQL Injection: A Simple Example
For explaining this issue, Let's create a table "tbluser" for describing the SQL Injection Attack.
Create table tbluser ( userName varchar(50) primary key, userpwd varchar(50), address varchar(100) ) insert into tbluser(userName,userpwd,address)values('firstname.lastname@example.org','123456','Delhi'); insert into tbluser(userName,userpwd,address)values('email@example.com','123456','Noida'); insert into tbluser(userName,userpwd,address)values('firstname.lastname@example.org','123456','Gurgaon'); insert into tbluser(userName,userpwd,address)values('email@example.com','123456','Delhi'); select * from tbluser
Now let’s look at the following query string in Asp.net. In this we are passing username from TextBox "txtUserID" and userpwd from TextBox "txtpwd" to check user credential.
"SELECT * FROM tbluser WHERE userName = '"+ txtUserID.text +"' and userpwd = '"+ txtPwd.text +"'";
Now hacker will pass the following input to TextBoxes to inject sql attack. What will happen when the below data goes as input?
"SELECT * FROM tbluser WHERE userName = ';Drop table tblusers --' and userpwd = '123'";
Semicolon ; in above statement will terminate the current sql. So, "SELECT * FROM tbluser WHERE UserID = ''" will become a separate statement and after Semi Colon ; it will starts a new sql statement "Drop table tblusers" that will drop our table tbluser. Hence your user details table has been dropped and your database will be unmanaged.
Solution for SQL Injection Attack
In C# or VB.Net during building a SQL Statement, use the SqlParameter to define the Parameter Name, type, and value instead of making a straight command like as above
In Asp.Net query specify that CommandType as Text or Stored Procedure.
When we use Parameters Collection, we should use parameters the type and size will also be mention.
If we use stored procedure, instead of directly building by using Exec command, use sp_executesql command.
Another way to stop SQL injection attacks is to filter the user input for SQL characters. Use the REPLACE function to replace any apostrophe (single quotation mark to SQL) with an additional apostrophe. Within a SQL string, two consecutive single quotation marks are treated as an instance of the apostrophe character within the string.
In this article I try to explain Sql Injection attack. I hope after reading this article will be aware of Sql Injection attack. I would like to have feedback from my blog readers. Please post your feedback, question, or comments about this article.