Last post Dec 19, 2012 05:53 PM by Mikesdotnetting
Dec 10, 2012 02:33 AM
Hello everyone. I have heard about SQL injection a lot. I am not an expert, but from the basics that I know this query seems to be SQL injection proof. I still doubt it though. What do you think? (BTW I know how to use parameters, I am just curious)
Thanks in advance!
using System.Data.SqlClient;
// username is concatenated straight into the SQL text (this is the pattern under discussion)
SqlCommand cmd = new SqlCommand("SELECT password FROM users WHERE username='" + username + "'", conn);
string pass = (string)cmd.ExecuteScalar(); // assumed: how `pass` is filled from the query result
if (pass == password.Text && password.Text != "")
    // do something here
Dec 10, 2012 02:42 AM
I've done more work with ColdFusion than .net, but I have successfully managed to inject SQL and have it execute with SQL Server. I encourage you to try it yourself.
Put a semicolon and an sql command at the end of various input scenarios. See what happens.
By the way, security is not the only reason why query parameters are good. In fact, it's not even the best reason. Run your command with a username of O'Brian and see how well it works.
Dec 10, 2012 02:53 AM
Hello Dan Bracuk
Thanks for the quick reply. I just tried O'Brian and surprisingly it just said "wrong password".
Dec 10, 2012 03:09 AM
// both text box values are concatenated into the SQL text (the approach discussed later in the thread)
SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE username='" + username.Text + "' AND password = '" + password.Text + "'", conn);
Dec 10, 2012 03:22 AM
Dec 10, 2012 05:20 AM
from the basics that I know this query seems to be SQL injection proof.
No it's not. If the user puts SQL into the username textbox, it will be executed. The ONLY way to guarantee protection against injection is to use parameters.
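An added example, not code from this thread: a Python/SQLite stand-in for the SqlCommand snippets above, showing the concatenated form next to the parameterised form with the O'Brian username and the `'Drop table users--` input mentioned later in the thread (the table and rows are constructed here).

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's SQL Server 'users' table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("O'Brian", "irish")])
    return conn


def lookup_concat(conn, username):
    """The thread's pattern: the username is pasted into the SQL text.
    Returns the stored password, None if no row matched, or the error text
    when the pasted value turns the statement into something else.
    Note: SQLite's execute() runs one statement only, so it will not run a
    second statement the way SQL Server runs a batch; here the page's input
    simply breaks the query."""
    sql = "SELECT password FROM users WHERE username='" + username + "'"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.OperationalError as e:
        return "ERROR: " + str(e)
    return row[0] if row else None


def lookup_param(conn, username):
    """Parameterised version: the value travels separately from the SQL text,
    so quotes, comments or keywords inside it stay plain data."""
    sql = "SELECT password FROM users WHERE username=?"
    row = conn.execute(sql, (username,)).fetchone()
    return row[0] if row else None


def table_exists(conn, name):
    q = "SELECT name FROM sqlite_master WHERE type='table' AND name=?"
    return conn.execute(q, (name,)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    for user in ("alice", "O'Brian", "'Drop table users--"):
        print(repr(user), "concat ->", lookup_concat(db, user),
              "| param ->", lookup_param(db, user))
    print("users table still present:", table_exists(db, "users"))
```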
Dec 10, 2012 03:06 PM
Your answer makes sense. I get what you mean. But can SQL execute 2 queries at the same time? I mean, what query can you add to do some harm?
Dec 10, 2012 03:18 PM
what query can you add to do some harm?
From this link you can download an interesting paper on SQL injection with many examples of SQL code attacks.
Dec 10, 2012 07:32 PM
Try putting this into the username textbox:
'Drop table users--
Dec 11, 2012 02:11 PM
Oned's approach above is not hackable if you just pass the username and password through a function that replaces all single quotes with double quotes (I hope). If someone enters a value like:
blabla'; malicious sql code here
the doubled quote makes it seem still like one giant string to the query engine, and the malicious code is not executed as a separate query. If that is not true, I would love to see examples of how it could be defeated.
You can also do simple things like use a RegExp to scrub out all non-alphanumeric characters (assuming your usernames and passwords are restricted to alphanumeric); and also truncate the strings to your app's maximum allowed password size, so if someone throws a biblical-length SQL attack at you, it just disappears.