Wednesday, April 10, 2013

Quick fix to prevent SQL injection attacks: SQL Server, ASP.NET, ASP

Quick fix to protect a database from SQL injection:
I can help you solve your problem. Click here to contact me.

If you have a big website and need a quick fix for this problem, you can apply a trigger. With this trigger in place, no INSERT or UPDATE whose values contain one of the suspicious keywords described below will go through.


Using this trigger, we block a few keywords such as "script" and "title" that commonly appear in this type of SQL injection. You can add further keywords to the trigger below. The trigger checks every column of type 'char', 'nchar', 'nvarchar' or 'varchar'.
```sql
CREATE TRIGGER [dbo].[SQlInjection_tblLeadsExtra] ON [dbo].[tblLeadsExtra]
FOR INSERT, UPDATE
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @columnName SYSNAME;
    DECLARE @IntNo INT;
    DECLARE @sql NVARCHAR(MAX);

    -- Dynamic SQL cannot see the "inserted" pseudo-table, so copy it into a temp table first.
    SELECT * INTO #inserted FROM inserted;
    CREATE TABLE #TEMP1 (TOTAL INT);

    -- Walk every character column of the table; extend the DATA_TYPE list if needed.
    DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
        SELECT COLUMN_NAME
        FROM INFORMATION_SCHEMA.COLUMNS
        WHERE TABLE_NAME = 'tblLeadsExtra'
          AND DATA_TYPE IN ('char', 'nchar', 'nvarchar', 'varchar');

    OPEN col_cursor;
    FETCH NEXT FROM col_cursor INTO @columnName;
    WHILE @@FETCH_STATUS = 0
    BEGIN
        -- Count the inserted/updated rows whose value in this column contains a blocked keyword.
        -- Add more LIKE patterns here to block further keywords.
        SET @sql = N'INSERT INTO #TEMP1 SELECT COUNT(*) AS TOTAL FROM #inserted WHERE '
                 + QUOTENAME(@columnName) + N' LIKE ''%<script%'' OR '
                 + QUOTENAME(@columnName) + N' LIKE ''%.js%'' OR '
                 + QUOTENAME(@columnName) + N' LIKE ''%&lt;script%'' OR '
                 + QUOTENAME(@columnName) + N' LIKE ''%&lt;/title%'' OR '
                 + QUOTENAME(@columnName) + N' LIKE ''%</title%''';
        EXEC sp_executesql @sql;

        SELECT @IntNo = TOTAL FROM #TEMP1;
        DELETE FROM #TEMP1;

        IF @IntNo > 0
        BEGIN
            -- Reject the whole statement: release the cursor, report the problem and undo the change.
            CLOSE col_cursor;
            DEALLOCATE col_cursor;
            PRINT 'Transaction has been cancelled';
            RAISERROR ('Invalid Data found', 16, 1);
            ROLLBACK;
            RETURN;
        END

        FETCH NEXT FROM col_cursor INTO @columnName;
    END

    CLOSE col_cursor;
    DEALLOCATE col_cursor;
END
```
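An AFTER trigger fires only once the INSERT or UPDATE has already executed, so what this trigger really does is reject stored values that match its keyword list (script tags and the like); it does not stop injected SQL itself, for which parameterized queries in the ASP.NET code remain the real fix. The T-SQL script below is an added example, not code from the original post: it creates a constructed dbo.tblLeadsExtra, and, once the trigger from the post has been created on it, shows a clean insert succeeding, a tagged insert being rolled back, and a harmless value tripping the '%.js%' pattern. The column names and sample rows are assumptions made for this demo.

```sql
-- Added test script (not from the original post). Table layout and rows are constructed.
-- Batch 1: create the table, then create the trigger from the post on it before continuing.
CREATE TABLE dbo.tblLeadsExtra (
    LeadId   INT IDENTITY(1, 1) PRIMARY KEY,
    FullName NVARCHAR(100) NOT NULL,
    Notes    NVARCHAR(MAX) NULL          -- reported as DATA_TYPE 'nvarchar', so the trigger scans it
);
GO

-- Batch 2 (run after the trigger exists): ordinary data passes through untouched.
INSERT INTO dbo.tblLeadsExtra (FullName, Notes)
VALUES (N'Alice Example', N'Met at the trade show');
SELECT COUNT(*) AS rows_after_clean_insert FROM dbo.tblLeadsExtra;      -- 1
GO

-- Batch 3: a value carrying a blocked keyword. The trigger raises "Invalid Data found"
-- and ends the transaction, so the INSERT is undone. TRY/CATCH keeps the script running;
-- the CATCH block clears whatever is left of the failed transaction before counting rows.
BEGIN TRY
    INSERT INTO dbo.tblLeadsExtra (FullName, Notes)
    VALUES (N'Bob Example', N'<script>test</script>');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err_no, ERROR_MESSAGE() AS err_msg;
    IF @@TRANCOUNT > 0 ROLLBACK;
END CATCH;
SELECT COUNT(*) AS rows_after_blocked_insert FROM dbo.tblLeadsExtra;    -- still 1
GO

-- Batch 4: the same check also rejects harmless text, because '%.js%' matches any value
-- containing ".js". Review the keyword list for false positives before using it on a live table.
BEGIN TRY
    INSERT INTO dbo.tblLeadsExtra (FullName, Notes)
    VALUES (N'Carol Example', N'Wants help with a node.js project');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS err_no, ERROR_MESSAGE() AS err_msg;
    IF @@TRANCOUNT > 0 ROLLBACK;
END CATCH;
SELECT COUNT(*) AS rows_after_false_positive FROM dbo.tblLeadsExtra;    -- still 1
GO

DROP TABLE dbo.tblLeadsExtra;   -- dropping the table also drops its trigger
```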