What is SQL Injection Attack


Article Author : Tauseef Ahmad, Article Posted on : 9/17/2017, Article Category : Asp.net


Download full source code here: What is SQL Injection Attack

Here I will explain what a SQL injection attack is, with an example.

What is SQL Injection?

SQL injection, also known as SQLi, is a common attack in which user-supplied input is treated as SQL code, so the backend database executes statements the application never intended to run. The attacker can read data that was not meant to be displayed, or modify and delete it.

This information may include any number of items, including sensitive company data, user lists or private customer details.

Here I created a page (studentsearch) as shown in the screenshot.
Functionality:

The functionality of this form is very simple: you enter the ID of a student in the textbox and click the Search Student button to get the student record in the GridView. When the ID matches a table row, the record is displayed in the GridView as shown in the screenshot.

HTML Section:

studentsearch.aspx markup:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="studentsearch.aspx.cs" Inherits="studentsearch" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
    <h1>Search Student by ID from SQL server using Asp.net</h1>
        Enter ID : <asp:TextBox ID="txtstudent" runat="server"></asp:TextBox>
        <asp:Button ID="btnsearch" Text="Search Student" runat="server" OnClick="btnsearch_Click" /> <br />

        <h3>Search Result</h3>
        <asp:GridView ID="gvStudent" runat="server"></asp:GridView>

</div>
    </form>
</body>
</html>

Below is the code-behind for the student search page.

protected void btnsearch_Click(object sender, EventArgs e)
{
    // Requires: using System.Data.SqlClient;
    SqlConnection conn = new SqlConnection("server=localhost;database=TestDemoDB;integrated security=SSPI");
    // VULNERABLE (kept as in the article): the textbox value is concatenated straight
    // into the SQL text, so whatever the user types becomes part of the statement
    // sent to SQL Server.
    SqlCommand cmd = new SqlCommand("select * from student where ID=" + txtstudent.Text, conn);
    conn.Open();
    gvStudent.DataSource = cmd.ExecuteReader();
    gvStudent.DataBind();
    conn.Close();
}


The btnsearch_Click event handler contains the ADO.NET code that reads from the database. It is highly susceptible to SQL injection; do not use code like this in a production environment. The second line of the handler builds the SQL query dynamically by concatenating the student ID typed into the TextBox onto the query string, so the input is treated as SQL code rather than as a value.

So, for example, if we type 32 into the Student ID textbox, the SQL query sent to the server is:
select * from student where ID=32

If a malicious user instead types 32; Delete from student into the TextBox, the query becomes:
select * from student where ID=32; Delete from student

SQL Server executes everything ExecuteReader sends as one batch, so the SELECT runs and then the DELETE runs, and we lose all the data in the student table, as shown in the screenshot.

The DELETE succeeded because the connection uses integrated security and the account the application runs as has DELETE permission on the table. Parameterizing the query fixes the injection; giving the application's database login only the permissions it needs (SELECT on the tables it reads) limits the damage if another bug slips through.

This is a SQL injection attack: a user of the application is able to inject SQL and have it executed against the database.

SQL injection is avoided by never mixing user input into the SQL text: send the value as a parameter, either with a parameterized query or by calling a stored procedure with parameters. Note that a stored procedure only helps because its input arrives as a typed parameter; a procedure that concatenates its input into a string and runs it with EXEC is just as injectable as the code above.

Create a stored procedure to fix the student search. Below is the stored procedure code in SQL:

create procedure sp_GetStudentRecord
@ID int
as
begin
select * from student where ID=@ID
end


Now modify the code-behind to call the stored procedure with a parameter rather than building the query text:

protected void btnsearch_Click(object sender, EventArgs e)
{
    // Requires: using System.Data; using System.Data.SqlClient;
    // Reject anything that is not an integer before it goes anywhere near the database.
    int studentId;
    if (!int.TryParse(txtstudent.Text, out studentId))
    {
        gvStudent.DataSource = null;
        gvStudent.DataBind();
        return;
    }

    using (SqlConnection conn = new SqlConnection("server=localhost;database=TestDemoDB;integrated security=SSPI"))
    using (SqlCommand cmd = new SqlCommand("sp_GetStudentRecord", conn))
    {
        // Tell the command object that this is a stored procedure, not an ad-hoc SQL query.
        cmd.CommandType = CommandType.StoredProcedure;
        // Bind the ID as a typed parameter. It is sent to SQL Server as a value and is
        // never spliced into SQL text, so "32; Delete from student" cannot be executed.
        cmd.Parameters.Add("@ID", SqlDbType.Int).Value = studentId;
        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            gvStudent.DataSource = reader;
            gvStudent.DataBind();
        }
    }
}
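The other option named above, a parameterized ad-hoc query, as an added example that is not part of the original article. It keeps the same TestDemoDB connection and student table, assumes the table has an integer ID column and an nvarchar Name column, and assumes a second textbox txtname and button btnsearchname exist on the page for a search by name (none of those three are in the original page). The name search goes beyond the article's integer case to show that a string parameter is also sent as data, so input such as O'Brien or ' OR 1=1 -- is matched literally rather than interpreted as SQL.

```csharp
// Added example, not from the original article. Assumes the TestDemoDB student
// table has an int ID column and an nvarchar Name column, and that the page has
// an extra textbox txtname and button btnsearchname (all assumptions).
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI.WebControls;

public partial class studentsearch : System.Web.UI.Page
{
    private const string ConnStr =
        "server=localhost;database=TestDemoDB;integrated security=SSPI";

    // Search by ID. The input is validated as an integer first, then bound as a
    // typed parameter; the SQL text never changes whatever the user types.
    protected void btnsearch_Click(object sender, EventArgs e)
    {
        int studentId;
        if (!int.TryParse(txtstudent.Text, out studentId))
        {
            // "32; Delete from student" is rejected here and never reaches SQL Server.
            gvStudent.DataSource = null;
            gvStudent.DataBind();
            return;
        }
        BindStudents("select ID, Name from student where ID = @ID",
                     new SqlParameter("@ID", SqlDbType.Int) { Value = studentId });
    }

    // Search by name (assumed txtname textbox). A string parameter is sent as data
    // too: O'Brien or ' OR 1=1 -- is compared literally, not interpreted as SQL.
    protected void btnsearchname_Click(object sender, EventArgs e)
    {
        BindStudents("select ID, Name from student where Name = @Name",
                     new SqlParameter("@Name", SqlDbType.NVarChar, 100) { Value = txtname.Text });
    }

    // Runs an ad-hoc query whose user-controlled values all arrive as parameters.
    private void BindStudents(string sql, params SqlParameter[] parameters)
    {
        using (SqlConnection conn = new SqlConnection(ConnStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;   // ad-hoc query, but parameterized
            cmd.Parameters.AddRange(parameters);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                gvStudent.DataSource = reader;
                gvStudent.DataBind();
            }
        }
    }
}
```

With parameters the statement text SQL Server receives is identical for every request and only the bound values differ, which is what makes the attacker's input harmless; it also lets the server reuse one cached plan instead of compiling a new statement for each distinct ID the concatenated version produced.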


That's it. You can download the source code, with a database backup, from the link above.
