I am currently developing a website with ASP.NET as the front end and SQL Server as the back end. I want to avoid SQL injection in my application. For this I wanted to know all possible kinds of SQL injection that can attack and harm my database. Please help me to get the right information to build a website that is more robust and rigid in terms of security.
Always use parameters for SQL commands. That will block SQL injection from occurring.
using System.Data.SqlClient;
SqlCommand sqlCmd = new SqlCommand("insert into table (column) VALUES (@val)", con);
sqlCmd.Parameters.AddWithValue("@val", "value to insert"); // the value is sent as a parameter, never spliced into the SQL text
Or just use an ORM, such as LINQ to SQL or NHibernate.
Try to change the single quote character (') into this (`), but I don't know how reliable that is.
You do not need to do that when using parameters. You can just use the '. If you are not going to use parameters, you must do this:
str = str.Replace("'", "''"); // double every single quote so the input stays inside the string literal
But I would definitely rather use parameters, as it's a lot safer.
Merry christmas
I developed a quick tool that basically crawls a website looking for links. The tool then injects an SQL INSERT statement into each URL parameter. This statement attempts to add a new record (containing the full URL and the URL parameter that the injection was attempted on) into a manually created table called SQL_INJECTION_RESULTS.
Once the tool has run, any records in SQL_INJECTION_RESULTS are successful injection attempts that need work.
It's crude, but it works.
Alternatively, you could look at some of the SQL injection testing software available.
I have attended virtual class training. The CBT training has not given much on the coding side but has explained to us how SQL injection can play foul play.
User enters search criteria = 'sam'
SELECT col1, col2
FROM table
WHERE field = 'sam'
Output is as expected.
Exploit rule - SQL injection: user enters sam' OR 'x'='x
SELECT col1, col2
FROM table
WHERE field = 'sam' OR 'x'='x'
Failure - Hacked
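To make the difference between the three approaches in this thread (string concatenation, doubling single quotes, and parameters) visible against the thread's own sam' OR 'x'='x input, here is an added example that is not from any poster. It uses Python with an in-memory SQLite table of constructed rows in place of the ASP.NET/SQL Server setup so it runs stand-alone; the table and column names are assumptions.

```python
import sqlite3

# Constructed sample rows standing in for the thread's "table" with a "field" column.
ROWS = [("sam", "alpha"), ("bob", "beta"), ("eve", "gamma")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE t (field TEXT, col1 TEXT)")
    con.executemany("INSERT INTO t VALUES (?, ?)", ROWS)
    return con


def search_concat(con, criteria):
    # Vulnerable: user input is spliced into the SQL text, exactly as in the
    # thread's example, so the quote in the input ends the literal early.
    sql = "SELECT field, col1 FROM t WHERE field = '" + criteria + "'"
    return con.execute(sql).fetchall()


def search_escaped(con, criteria):
    # The thread's str.Replace("'", "''") approach: doubling quotes keeps the
    # input inside the literal. It only helps for quoted string literals.
    escaped = criteria.replace("'", "''")
    sql = "SELECT field, col1 FROM t WHERE field = '" + escaped + "'"
    return con.execute(sql).fetchall()


def search_param(con, criteria):
    # Recommended: the value travels as a bound parameter, never as SQL text,
    # so the database treats the whole input as one string to compare.
    sql = "SELECT field, col1 FROM t WHERE field = ?"
    return con.execute(sql, (criteria,)).fetchall()


def demo():
    """Return how many rows each variant yields for a normal and a hostile input."""
    con = make_db()
    payload = "sam' OR 'x'='x"  # the input from the post above
    return {
        "concat_normal": len(search_concat(con, "sam")),
        "concat_payload": len(search_concat(con, payload)),   # whole table leaks
        "escaped_payload": len(search_escaped(con, payload)), # literal match, nothing
        "param_payload": len(search_param(con, payload)),     # literal match, nothing
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name}: {count} row(s)")
```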
Always use parameters for SQL commands (I always use stored procedures),
and do not use the linking of SQL strings, which is dangerous.