SQL injection is a technique often used to attack websites. The attacker adds SQL fragments of their own to the value typed into a web form entry field, in an attempt to get the website to pass a newly formed SQL command to the database (for example, one that dumps the database contents to the attacker). SQL injection is a code injection technique that exploits a security vulnerability in a website's software. The vulnerability arises when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements, or is not strongly typed and is therefore unexpectedly executed as part of a statement. SQL commands are thus injected from the web form into the application's database (as queries) to change the database content or to dump sensitive information, such as credit card numbers or passwords, to the attacker.
Causes of SQL injection:
1) Unparameterised values passed to SQL queries
2) Inline queries, as commonly used in scripting languages such as classic ASP or PHP
3) No validation checks on input fields
4) Incorrectly filtered escape characters
This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end-user of the application.
The following line of code illustrates this vulnerability:
statement = "SELECT * FROM customers WHERE username = '" + userName + "';"
This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as:
' or '1'='1
or using comments to block out the rest of the query (there are three types of SQL comments):[9]
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '
How to prevent SQL injection:
1) Pass parameterised values to SQL queries.
2) Encode your input strings.
3) Use stored procedures wherever possible.
4) If you are using ASP.NET, LINQ is the best way to fix this problem.
5) If you have a big website and need a quick fix for this problem, you can apply a trigger; with this trigger in place, no SQL query that contains a vulnerability will execute.
6) Always check the values obtained from query strings and fix the maximum length of each query string value.
7) When you are using inline queries, apply txtName.Text.Replace("'", "''") so that every single quote in the input is doubled before it is spliced into the statement.
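The concatenated statement from the example above, run side by side with the parameterised and quote-escaped forms the prevention list recommends, as an added example that is not part of the original page. It assumes a constructed in-memory SQLite table named customers with two sample rows, and a hypothetical whitelist check is_valid_username for the query-string validation item.

```python
import re
import sqlite3

# Constructed sample data standing in for the page's "customers" table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("alice", "alice@example.test"),
                      ("bob", "bob@example.test")])
    return conn

def lookup_concatenated(conn, user_name):
    # Causes 1 and 2 from the page: an inline query built by string
    # concatenation, so quote characters in user_name change the
    # structure of the statement instead of staying inside the literal.
    statement = ("SELECT username FROM customers WHERE username = '"
                 + user_name + "';")
    return [row[0] for row in conn.execute(statement)]

def lookup_parameterised(conn, user_name):
    # Prevention 1: the value is bound as a parameter and is never parsed
    # as SQL, so the page's inputs simply match no row.
    statement = "SELECT username FROM customers WHERE username = ?;"
    return [row[0] for row in conn.execute(statement, (user_name,))]

def escape_quotes(value):
    # Prevention 7: double every single quote so it stays inside the literal.
    return value.replace("'", "''")

def lookup_escaped(conn, user_name):
    # Inline query with escaping applied first; weaker than binding, but no
    # longer broken by the quote-based inputs shown on the page.
    return lookup_concatenated(conn, escape_quotes(user_name))

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")

def is_valid_username(value):
    # Preventions 3 and 6 (hypothetical check): a whitelist shape and length
    # test applied before the value reaches any query; defence in depth
    # alongside binding, not a replacement for it.
    return USERNAME_RE.match(value) is not None

if __name__ == "__main__":
    db = make_db()
    for value in ("alice", "' or '1'='1", "' or '1'='1' -- '"):
        print(repr(value), lookup_concatenated(db, value),
              lookup_parameterised(db, value), lookup_escaped(db, value),
              is_valid_username(value))
```

Running the block shows the concatenated lookup returning every customer for the two quote-based inputs, while the bound and escaped lookups return nothing for them and the whitelist rejects them before any query is built.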