Ahmad Azizov
Member
117 Points
98 Posts
SQL Injection prevention
Dec 10, 2012 02:33 AM
Hello everyone. I have heard about SQL injection a lot. I am not an expert, but from the basics that I know this query seems to be SQL injection proof. I still doubt it, though. What do you think? (BTW, I know how to use parameters; I am just curious.)
Thanks in advance!
using System.Data.SqlClient;   // at the top of the file

string user = username.Text;   // value typed into the username textbox
SqlDataReader reader;
SqlConnection conn = myconn;
// The input is concatenated straight into the SQL text; this is the query under discussion
SqlCommand cmd = new SqlCommand("SELECT password FROM users WHERE username='" + user + "'", conn);
conn.Open();
reader = cmd.ExecuteReader();
string pass = null;            // declared outside the loop so the comparison below can see it
while (reader.Read())
{
    pass = (string)reader["password"];
}
reader.Close();
if (pass == password.Text && password.Text != "")
{
    // do something here
}
Dan Bracuk
Contributor
3970 Points
1096 Posts
Re: SQL Injection prevention
Dec 10, 2012 02:42 AM
I've done more work with ColdFusion than .NET, but I have successfully managed to inject SQL and have it execute with SQL Server. I encourage you to try it yourself.
Put a semicolon and an SQL command at the end of various input scenarios. See what happens.
By the way, security is not the only reason why query parameters are good. In fact, it's not even the best reason. Run your command with a username of O'Brian and see how well it works.
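Dan's two tests, run against the query from the first post, as an added example that is not part of the thread. It is Python against an in-memory SQLite database standing in for SQL Server; the users rows are constructed for the example, and build_query, vulnerable_lookup, vulnerable_batch and safe_lookup are names chosen here. The SQL text is built exactly as the posted C# builds it. Because sqlite3's execute() refuses more than one statement per call, the semicolon case uses executescript(), which gives the stacked-statement behaviour SQL Server applies to a single SqlCommand.

```python
import sqlite3

# Constructed sample data standing in for the thread's users table.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "s3cret"), ("O'Brian", "irish")]


def make_db():
    """Fresh in-memory database with a users(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def build_query(username):
    """The SQL text the posted C# builds: the input is pasted into the statement."""
    return "SELECT password FROM users WHERE username='" + username + "'"


def vulnerable_lookup(conn, username):
    """Execute the concatenated text as one statement.

    Returns the passwords the database hands back, or the error message when
    the input broke the SQL syntax (which is what the O'Brian test provokes).
    """
    try:
        return [row[0] for row in conn.execute(build_query(username))]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def vulnerable_batch(conn, username):
    """Execute the concatenated text as a batch of ';'-separated statements,
    the way SQL Server runs the text of a SqlCommand. sqlite3 needs
    executescript() for that. Returns the table names still present afterwards."""
    conn.executescript(build_query(username))
    return [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]


def safe_lookup(conn, username):
    """The parameterised form: the value is bound, never spliced into the SQL."""
    return [row[0] for row in conn.execute(
        "SELECT password FROM users WHERE username=?", (username,))]


if __name__ == "__main__":
    conn = make_db()
    for name in ["alice", "O'Brian", "' OR '1'='1"]:
        print(repr(name), "->", build_query(name))
        print("   concatenated:", vulnerable_lookup(conn, name))
        print("   parameterised:", safe_lookup(conn, name))
    stacked = "x'; DROP TABLE users--"
    print(repr(stacked), "-> tables left:", vulnerable_batch(conn, stacked))
```

Run directly, it shows O'Brian turning into a syntax error, ' OR '1'='1 returning every stored password, and a ';'-separated DROP TABLE removing the table, while the parameterised query treats each of those inputs as nothing more than a username that does not exist. In ADO.NET the parameterised form is username=@username in the command text plus cmd.Parameters.AddWithValue("@username", user).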
Ahmad Azizov
Member
117 Points
98 Posts
Re: SQL Injection prevention
Dec 10, 2012 02:53 AM
Hello Dan Bracuk,
Thanks for the quick reply. I just tried O'Brian and surprisingly it just said "wrong password".
oned_gk
All-Star
31001 Points
6344 Posts
Re: SQL Injection prevention
Dec 10, 2012 03:09 AM
SqlCommand cmd = new SqlCommand("SELECT * FROM users WHERE username='" + username.Text + "' AND password='" + password.Text + "'", conn);
Ahmad Azizov
Member
117 Points
98 Posts
Re: SQL Injection prevention
Dec 10, 2012 03:22 AM
Hey Oned. Thanks for the answer. I am aware of the way you just posted. It's very easy to hack that. My question is how you can hack the way I use. I can't think of any inputs that can actually do some harm. Thanks in advance.
Mikesdotnett...
All-Star
154818 Points
19853 Posts
Moderator
MVP
Re: SQL Injection prevention
Dec 10, 2012 05:20 AM
> from the basics that I know this query seems to be SQL injection proof.
No it's not. If the user puts SQL into the username textbox, it will be executed. The ONLY way to guarantee protection against injection is to use parameters.
Beginning ASP.NET Web Pages with WebMatrix | My Site | Twitter
Ahmad Azizov
Member
117 Points
98 Posts
Re: SQL Injection prevention
Dec 10, 2012 03:06 PM
Hi Mike,
Your answer makes sense. I get what you mean. But can SQL execute 2 queries at the same time? I mean, what query can you add to do some harm?
GmGregori
Contributor
5438 Points
730 Posts
Re: SQL Injection prevention
Dec 10, 2012 03:18 PM
At this link you can download an interesting paper on SQL injection with many examples of SQL code attacks.
Mikesdotnett...
All-Star
154818 Points
19853 Posts
Moderator
MVP
Re: SQL Injection prevention
Dec 10, 2012 07:32 PM
Try putting this into the username textbox:
'Drop table users--
cbhcmc
Member
34 Points
20 Posts
Re: SQL Injection prevention
Dec 11, 2012 02:11 PM
Oned's approach above is not hackable if you just pass the username and password through a function that replaces all single quotes with double quotes (I hope). If someone enters a value like:
blabla'; malicious sql code here
the doubled quote makes it still seem like one giant string to the query engine, and the malicious code is not executed as a separate query. If that is not true, I would love to see examples of how it could be defeated.
You can also do simple things like use a RegExp to scrub out all non-alphanumeric characters (assuming your usernames and passwords are restricted to alphanumeric), and also truncate the strings to your app's maximum allowed password size, so if someone throws a biblical-length SQL attack at you, it just disappears.
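The quote-doubling defence from the post above, tried out as an added example that is not from the thread. Python with an in-memory SQLite database stands in for SQL Server; the users rows and the MAX_LEN limit are constructed for the example, and escape, build_login_query, escaped_login and parameterised_login are names chosen here. It confirms that doubling each single quote does keep an input like blabla'; ... inside one string literal of oned_gk's query. It then shows the catch in combining that with the suggested truncation: if the value is cut to the maximum length after the quotes are doubled, an input ending in a quote loses half of its doubled quote, the username literal swallows the text ' AND password=', and whatever was typed into the password box runs as SQL.

```python
import sqlite3

# Constructed sample data for the demonstration.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "s3cret")]
MAX_LEN = 16  # assumed per-field length limit the application truncates to


def make_db():
    """Fresh in-memory database with a users(username, password) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def escape(value):
    """Double every single quote so the value stays inside its string literal."""
    return value.replace("'", "''")


def build_login_query(username, password, truncate_first):
    """oned_gk's two-field query with escaping and truncation applied.

    truncate_first=False escapes and then cuts to MAX_LEN, which can split a
    doubled quote and leave a lone quote at the end of the username literal.
    truncate_first=True cuts first, so the escaped result is never shortened.
    """
    if truncate_first:
        u, p = escape(username[:MAX_LEN]), escape(password[:MAX_LEN])
    else:
        u, p = escape(username)[:MAX_LEN], escape(password)[:MAX_LEN]
    return ("SELECT username FROM users WHERE username='" + u +
            "' AND password='" + p + "'")


def escaped_login(conn, username, password, truncate_first=False):
    """Return the usernames the escaped-and-truncated query matches, or the
    database's error text if the SQL no longer parses."""
    try:
        query = build_login_query(username, password, truncate_first)
        return [row[0] for row in conn.execute(query)]
    except sqlite3.OperationalError as exc:
        return "SQL error: " + str(exc)


def parameterised_login(conn, username, password):
    """Bound parameters: the length limit is applied to the value itself and
    quoting is the driver's job, so no ordering mistake can reopen injection."""
    return [row[0] for row in conn.execute(
        "SELECT username FROM users WHERE username=? AND password=?",
        (username[:MAX_LEN], password[:MAX_LEN]))]


if __name__ == "__main__":
    conn = make_db()
    # Doubling the quote keeps this payload inside one literal: no match, no error.
    print(escaped_login(conn, "bla'; DROP--", "x"))
    # Fifteen characters plus a quote: escaping makes it 17, truncation cuts it to 16.
    crafted_user = "a" * (MAX_LEN - 1) + "'"
    crafted_pass = " OR 1=1--"
    print(build_login_query(crafted_user, crafted_pass, False))
    print(escaped_login(conn, crafted_user, crafted_pass))                        # every user
    print(escaped_login(conn, crafted_user, crafted_pass, truncate_first=True))   # no match
    print(parameterised_login(conn, crafted_user, crafted_pass))                  # no match
```

The order of the two steps is the whole point: truncate first and the escaped text is never damaged, escape first and a crafted username turns the password field into raw SQL. Binding the values, as Mike's answer says, removes the ordering question altogether because the driver never lets the value touch the statement text.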