Home Asp.net SQL Injections: What is SQL Injection and How to Prevent it?

SQL Injections: What is SQL Injection and How to Prevent it?

15
0

Here, in this tutorial, I’ll explain what SQL injection is and how to prevent it from SQL hackers with simple login test examples in asp.net, c#, vb.net.

You can also check out my other tutorials where I’d explained about SQL defination and how to get connection string in asp.net, insert update and delete on asp.net gridview  Also, more amazing tutorials on GridView, Asp.net, SQL Server here.

What is SQL Injection Attack?

This is a technique of “insertion” or “injection” of a SQL queries via webpage or webform input controls. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input to affect the execution of predefined SQL commands. It means altering SQL commands into SQL statements, and modifies database tables or data with using SQL Statements like Insert, Update or Delete.

How SQL Injection Attack Works?

Let’s say you have one login form containing UserName input in that. Generally, we enter UserName as John, Mack etc as you can see in this example statement:

–Sample SELECT Query without SQL Injection that will not work
SELECT * FROM UserDetails WHERE UserName=’Mack’;

But some malicious users or hackers can inject SQL commands into an SQL statement, via webpage input. Now check the following statement:

–Sample SELECT Query without SQL Injection that will not work
SELECT * FROM UserDetails WHERE UserName=’Mack’ or ‘1’=’1′;

See the image below, you’ll understand what I meant to say.

SQL Injections: What is SQL Injection and How to Prevent it?

As you can see the WHERE clause, I’ve added UserName=’Mack’ or ‘1’=’1′, that means I added sql injection that can inject SQL command into an SQL statement.

Now the question is what is ‘1’=’1′ in that statement?

‘1’=’1′ is a Boolean condition added with sql statement, results your sql statement becomes always true. Check both statements; you’ll surely understand what it stands for. 😉

How to Prevent SQL Injection Attack?

For security reason we need to prevent the website from SQL Injections.

But the question is how?
.
I would say, by using Parameterized SQL Statements..
.
Yes, we can use parameters in sql query like SELECT * FROM UserDetails WHERE UserName=@UserName; and pass @UserName parameter value as cmd.Parameters.Add(“@UserName”, ‘aspneto’). I’ll show you an example for the same below.

Here is how your simple sql statement looks:

cmd.CommandText = “SELECT * FROM UserDetails WHERE UserName='” + txtUserName.Text + “‘”;

And following is the Parameterized sql query:

cmd.CommandText = “SELECT * FROM UserDetails WHERE UserName=@UserName”;
cmd.Parameters.AddWithValue(“@UserName”, txtUserName.Text);
Note: There are many other ways to do SQL injections, but I cover a simple and easy way to understand the concept of SQL Injections. I have only described the way to access login, but hackers may damage your database, drop tables by simply appending SQL statements via input.

Don’t underestimate the power of the hackers. They can guess your usernames, passwords or even database table names and perform injections. So best practice is to use prefix before your database tables like “xyz_UserDetails” and most importantly use parameterized queries instead of simple statements.

Now, it’s up to you, what you prefer most, that is your website security or SQL injections? 😉

Download Example

[wpdm_file id=26]

Git Repo

LEAVE A REPLY

Please enter your comment!
Please enter your name here
Captcha verification failed!
CAPTCHA user score failed. Please contact us!