SQL Injections-Unexpectedly Dangerous. What?How?

Posted on June 1st, 2008.

Not every user input is safe. Some inputs are hazardous to your website because they can lead to SQL injection.
SQL injection happens when the dynamic SQL you write is built by concatenating your own query text with whatever the user typed, so the user's input becomes part of the statement itself.
Let's take an example to make this clear. Suppose you have written the following code (ASP.NET, VB) for your application:
Dim empID As String
Dim SqlQuery As String

empID = Request.QueryString("emp_id")
' The user's value is pasted straight into the SQL text between two quotes
SqlQuery = "SELECT emp_Name FROM employee WHERE emp_id = '" & empID & "'"
Now, when a user asks for an employee's name, the application returns it: entering 5 as emp_id runs SELECT emp_Name FROM employee WHERE emp_id = '5'. But nothing guarantees that every user sends just a number, or whatever else the programmer expects. Think about what happens if a user by accident, or an attacker on purpose, sends this as emp_id:

5'; DROP TABLE employee --

The concatenated query becomes SELECT emp_Name FROM employee WHERE emp_id = '5'; DROP TABLE employee --'. The single quote in the input closes the string literal the programmer opened, the semicolon terminates the SELECT, and a second statement, DROP TABLE employee, follows it. The trailing -- comments out everything after it, including the closing quote the programmer's code appends, so the whole batch parses cleanly.
Whether that second statement really executes depends on the database and driver: SQL Server through SqlClient runs such batches, while some other drivers refuse more than one statement per call. That is no defence, though, because the attacker does not need a second statement. Injecting ' OR '1'='1 turns the WHERE clause into one that matches every row, and a UNION SELECT or a join against another table retrieves data the query was never meant to expose. This is an SQL injection, and it can leave you completely breathless: not only dropped tables, but all of your data read out through a single input field.
Now let's look at the defences against SQL injection.
1. Don't build SQL statements by string concatenation. If you must use dynamic SQL, pass user values only through type-safe parameters, as done below (connectionString is assumed to be defined elsewhere in the application):

Imports System.Data
Imports System.Data.SqlClient

Dim empID As String = Request.QueryString("emp_id")
Using conn As New SqlConnection(connectionString)
    Using cmd As New SqlCommand("SELECT emp_Name FROM employee WHERE emp_id = @empID", conn)
        ' The value travels to the server as a typed parameter, never as part of the SQL text
        cmd.Parameters.Add("@empID", SqlDbType.VarChar, 10).Value = empID
        conn.Open()
        Dim empName As Object = cmd.ExecuteScalar()
    End Using
End Using

2. Use stored procedures wherever possible, and call them with parameters too. A stored procedure that builds its own dynamic SQL by concatenating its arguments (for example with EXEC on an assembled string) is just as injectable as the code above.
3. Conduct a security review of every piece of code that touches the database.
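As an added example (not code from the original post), here is the same attack and defence in Python against an in-memory SQLite database, so it can be run without a SQL Server. The tables, rows, payloads and function names are all constructed for this illustration. It goes a little beyond the post: besides the stacked DROP TABLE, it shows the tautology and UNION payloads that work even where the driver refuses more than one statement per call, and that the parameterized query treats every payload as a plain string.

```python
import sqlite3


def make_db():
    """Constructed sample schema and rows; nothing here comes from the original post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE employee (emp_id TEXT PRIMARY KEY, emp_Name TEXT);
        CREATE TABLE users (username TEXT, password_hash TEXT);
        INSERT INTO employee VALUES ('5', 'Alice'), ('7', 'Bob');
        INSERT INTO users VALUES ('admin', 'deadbeef'), ('guest', 'cafebabe');
    """)
    return conn


def build_vulnerable_sql(emp_id):
    # The post's pattern: the user's value is pasted into the SQL text.
    return "SELECT emp_Name FROM employee WHERE emp_id = '" + emp_id + "'"


def lookup_vulnerable(conn, emp_id):
    """Concatenated query, one statement per call (sqlite3's execute() refuses batches)."""
    return [row[0] for row in conn.execute(build_vulnerable_sql(emp_id))]


def lookup_vulnerable_batch(conn, emp_id):
    """Same concatenation sent through executescript(), which, like SqlClient on
    SQL Server, runs every ';'-separated statement contained in the string."""
    conn.executescript(build_vulnerable_sql(emp_id))


def lookup_safe(conn, emp_id):
    """Parameterized query: emp_id is bound as a value and never parsed as SQL."""
    sql = "SELECT emp_Name FROM employee WHERE emp_id = ?"
    return [row[0] for row in conn.execute(sql, (emp_id,))]


def table_exists(conn, name):
    sql = "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


# Constructed payloads. DROP_PAYLOAD is the post's input with the quote placed
# where an attacker puts it: it closes the string literal before the ';'.
DROP_PAYLOAD = "5'; DROP TABLE employee --"
TAUTOLOGY_PAYLOAD = "' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT password_hash FROM users --"


def demo():
    conn = make_db()
    r = {}
    r["normal"] = lookup_vulnerable(conn, "5")                   # ['Alice']
    r["tautology"] = lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD)  # every employee
    r["union"] = lookup_vulnerable(conn, UNION_PAYLOAD)          # users.password_hash values
    # A one-statement-per-call driver rejects the stacked query outright.
    try:
        lookup_vulnerable(conn, DROP_PAYLOAD)
        r["execute_rejects_batch"] = False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        r["execute_rejects_batch"] = True
    # The parameterized version returns nothing for the payloads and harms nothing.
    r["safe_normal"] = lookup_safe(conn, "5")
    r["safe_union"] = lookup_safe(conn, UNION_PAYLOAD)
    r["safe_drop"] = lookup_safe(conn, DROP_PAYLOAD)
    r["table_before_batch"] = table_exists(conn, "employee")
    # A batch-capable driver executes the DROP TABLE from the post.
    lookup_vulnerable_batch(conn, DROP_PAYLOAD)
    r["table_after_batch"] = table_exists(conn, "employee")
    return r


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the three payloads is that refusing multi-statement batches (as sqlite3's execute() does) only blocks the DROP TABLE variant; the tautology and UNION payloads still read the whole table through the concatenated query, and only the bound parameter stops all of them.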


8 Responses to “SQL Injections-Unexpectedly Dangerous. What?How?”

Nice, I liked it,
but give it more effort.
It looks impressive.

sang
June 29th, 2008

Hi, interesting post. I'll write you later about a few questions!

JaneRadriges
June 13th, 2009

Hi, interesting post. I'll write you later about a few questions!

KattyBlackyard
June 15th, 2009

Hi. I like the way you write. Will you post some more articles?

GarykPatton
June 16th, 2009

Hi! I like your article and I would very much like to read some more information on this issue. Will you post some more?

KonstantinMiller
July 6th, 2009

Here you have a very merry

meeNryJorslom
September 3rd, 2009


vinyl
August 30th, 2010
