Article Author : Tauseef Ahmad, Article Posted on : 9/17/2017, Article Category : Asp.net
Here I will explain what a SQL injection attack is, with an example.
What is SQL Injection?
SQL injection, also known as SQLI, is a common attack that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.
This information may include any number of items, including sensitive company data, user lists or private customer details.
Here I created a page (the student search page) as shown in the screenshot.
The functionality of this form is very simple: you enter the ID of a student in the textbox and click the "search student" button to get the student record in a GridView. When the ID matches a table row, the record is shown in the GridView as in the screenshot.
Screenshot: student search page HTML
Below is the code-behind section for the student search page.
The btnsearch_Click event handler has the ADO.NET code needed to get data from the database. This code is highly susceptible to SQL injection; do not use code like this in a production environment. The second line of the btnsearch_Click event handler dynamically builds the SQL query by concatenating the Student ID typed into the TextBox directly into the query string.
So, for example, if we had typed 32 into the Student ID textbox, we will have a SQL query as shown below.
Select * from student where Id=32
If a malicious user, types something like 32; Delete from student into the TextBox, then we will have a SQL query as shown below.
Select * from student where Id=32; Delete from student
When this query is executed, we lose all the data in the student table, as shown in the screenshot.
This is SQL Injection Attack, as the user of the application is able to inject SQL and get it executed against the database.
It is very easy to avoid SQL injection attacks by using either parameterized queries or stored procedures.
Create a stored procedure to prevent the SQL injection attack; below is the stored procedure code in SQL.
Now modify the code-behind to call the stored procedure with a parameter rather than building the query string.
That's it. You can download the source code with the database backup from the above link.
Screenshot: stored procedure used to prevent the SQL injection attack
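The vulnerable handler and its parameterized replacement side by side, as an added example that is not the article's own code. It assumes a student table with an integer Id column, a connection string named "StudentDb" in web.config, and a stored procedure named spGetStudentById that takes an @Id int parameter and runs a plain SELECT; the click handler would bind the result of SearchSafe to the GridView.

```csharp
// Added example, not the article's own code. Assumes: a student table with an
// integer Id column, a "StudentDb" connection string in web.config, and a
// stored procedure spGetStudentById(@Id int) that runs a plain SELECT (a
// procedure that builds dynamic SQL from @Id would still be injectable).
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class StudentSearch : System.Web.UI.Page
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["StudentDb"].ConnectionString;

    // VULNERABLE: the text box value is pasted into the statement, so
    // "32; Delete from student" becomes a second statement the server runs.
    private DataTable SearchUnsafe(string idText)
    {
        string sql = "Select * from student where Id=" + idText;
        using (var con = new SqlConnection(ConnStr))
        using (var da = new SqlDataAdapter(sql, con))
        {
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }

    // SAFE: the value travels as a typed parameter, never as SQL text, and
    // non-numeric input is rejected before it reaches the database.
    private DataTable SearchSafe(string idText)
    {
        int id;
        if (!int.TryParse(idText, out id))
            throw new ArgumentException("Student ID must be a whole number.");
        using (var con = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand("spGetStudentById", con))
        using (var da = new SqlDataAdapter(cmd))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Id", SqlDbType.Int).Value = id;
            var dt = new DataTable();
            da.Fill(dt);
            return dt;
        }
    }
}
```

A stored procedure only closes the hole when it is called this way, through a typed parameter; passing the textbox value into an EXEC string, or having the procedure itself concatenate @Id into dynamic SQL, reintroduces the same injection.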