Tuesday, 26 May 2015

What is SQL Injection and How do you Prevent it in Asp.net using C#

I explain what is sql injection attacks and how to prevent it in asp.net website with example and how to prevent SQL injection attacks in asp.net using c#
First design one table countrydetails in your database like as shown below

Column Name
Data Type
Allow Nulls
ID
Int(set identity property=true)
No
name
Varchar(50)
no
value
Int
no
Once we create table we need to enter some dummy data for our application purpose
Now in your Default.aspx page write the following code


<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>SQL Injection Attacks in Asp.net Website</title>
</head>
<body>
<form id="form1" runat="server">
<div>
Enter Count:<asp:TextBox ID="txtSearch" runat="server" />
<asp:Button ID="btnsearch" Text="Search" runat="server" onclick="btnsearch_Click" />
<br /><br />
<asp:GridView ID="gvDetails" CellPadding="5" runat="server">
<HeaderStyle BackColor="#df5015" Font-Bold="true" ForeColor="White" />
</asp:GridView>
</div>
</form>
</body>
</html>
After completion of aspx page write the following code in codebehind

C# Code



using System;
using System.Data;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
}
protected void btnsearch_Click(object sender, EventArgs e)
{
DataTable dt = new DataTable();
using (SqlConnection con = new SqlConnection("Data Source=SureshDasari;Integrated Security=true;Initial Catalog=MySampleDB"))
{
con.Open();
SqlCommand cmd = new SqlCommand("select Name,Total=value from countrydetails where value = "+txtSearch.Text+"", con);
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
con.Close();
gvDetails.DataSource = dt;
gvDetails.DataBind();
}
}
}



Demo


SQL Injection Example

Now I will explain how to inject SQL in our queries from our webpage input.
First in our textbox enter text like “10 or 1=1” as shown below and check the below output

It returns all the rows from table because our textbox input value converts query as like as shown below


select Name,Total=value from countrydetails where value =10 or 1=1

In above query it will check for value =10 as well as it will check for 1=1 means always true that’s the reason it will returns all the values from table this way they can inject values to change our queries and access all the values from table.

In another case if user enters value like “10; Drop TABLE countrydetails” in it will drop table from our database because our query will changed like this


select Name,Total=value from countrydetails where value =10; Drop TABLE countrydetails
This way they can inject SQL and get all the details or delete data or drop tables.

To avoid these SQL injection attacks always we need to use parameterized queries like as shown below


select Name,Total=value from countrydetails where value =@value
Example of C# Code


DataTable dt = new DataTable();
using (SqlConnection con = new SqlConnection("Data Source=SureshDasari;Integrated Security=true;Initial Catalog=MySampleDB"))
{
con.Open();
SqlCommand cmd = new SqlCommand("select Name,Total=value from countrydetails where value =@value", con);
cmd.Parameters.AddWithValue("@value", txtSearch.Text);
SqlDataAdapter da = new SqlDataAdapter(cmd);
da.Fill(dt);
con.Close();
gvDetails.DataSource = dt;
gvDetails.DataBind();
}
Posted by at
Labels:

No comments :

Post a Comment

Subscribe to: Post Comments ( Atom )