A SQL Injection attack is a form of attack that comes from user input that has not been checked to see that it is valid. The objective is to fool the database system into running malicious code that will reveal sensitive information or otherwise compromise the server.
aspx page
<form id="form1" runat="server">
<div>
<asp:TextBox ID="txtsearch" runat="server"></asp:TextBox>
<asp:Button ID="btnSearch" runat="server"
OnClick="btnSearch_Click" Text="Search" />
</div>
<asp:GridView ID="grdRecords" runat="server"
CellPadding="4" ForeColor="#333333"
GridLines="None" Height="150px"
OnSelectedIndexChanged="grdRecords_SelectedIndexChanged"
Width="350px">
<RowStyle BackColor="#FFFBD6" ForeColor="#333333" />
<FooterStyle BackColor="#990000" Font-Bold="True" ForeColor="White" />
<PagerStyle BackColor="#FFCC66" ForeColor="#333333"
HorizontalAlign="Center" />
<SelectedRowStyle BackColor="#FFCC66" Font-Bold="True" ForeColor="Navy" />
<HeaderStyle BackColor="MediumPurple" Font-Bold="True" ForeColor="White" />
</asp:GridView>
</form>
aspx.cs page
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;
using System.Web.Configuration;
public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void showData(String strssearch)
{
String strcon = WebConfigurationManager.ConnectionStrings["dbMasterConnectionString"].ConnectionString;
SqlConnection con = new SqlConnection(strcon);
String tsql = "select * from ContactUs where name = '" + strssearch + "'";
SqlCommand cmd = new SqlCommand(tsql, con);
con.Open();
SqlDataReader reader = cmd.ExecuteReader();
grdRecords.DataSource = reader;
grdRecords.DataBind();
reader.Close();
con.Close();
}
protected void grdRecords_SelectedIndexChanged(object sender, EventArgs e)
{
}
protected void btnSearch_Click(object sender, EventArgs e)
{
showData(txtsearch.Text);
}
}
Create Sql Table and Insert some records in it
Create table ContactUs
(
name nvarchar(50) not null,
email nvarchar(128) not null,
msgSubject nvarchar(50) not null,
msgComment nvarchar(100) not null
)
And when we run the application, it would show you something like this :
But when we run this application with the following text :- "a 'OR' 0 '=' 0" this is a part of sql injection.It would show something like this :
Prevent from Sql Injection Attacks :-
Never trust user input - Validate all textbox entries using validation controls, regular expressions, code, and so on
Never use dynamic SQL - Use parameterized SQL or stored procedures
Never connect to a database using an admin-level account - Use a limited access account to connect to the database
Don't store secrets in plain text - Encrypt or hash passwords and other sensitive data; you should also encrypt connection strings
Exceptions should give minimal information - Don't reveal too much information in error messages; use customErrors to display minimal information in the event of unhandled error; set debug to false
That’s it!!…..Happy Programming...
Why 0=0, can we enter anything else in it?
ReplyDelete