Quick fix: a trigger that rejects stored rows containing script/markup fragments (this filters stored content only — it does not prevent SQL injection; only parameterised queries in the application do that):-
If you have a large website and need a stop-gap while the application code is being fixed, you can add a trigger like the one below. Be clear about what it does: it rejects INSERT/UPDATE rows whose string columns contain a blacklisted fragment, so it limits what gets *stored*. It does not stop SQL injection — a trigger fires only after the statement has already been parsed and executed, and an injected SELECT, DROP or UPDATE against another table never touches it. The real fix is parameterised queries / prepared statements in the application.
With this trigger we block a few markup fragments such as "&lt;script", ".js" and "&lt;/title" that commonly appear in stored-XSS payloads submitted through an injection. You can add further patterns to the LIKE list in the trigger below, but any blacklist is bypassable (other tags such as &lt;img onerror=…&gt;, entity-encoded or split tags), and ".js" will also reject legitimate text such as file names. The trigger only inspects columns of type 'char', 'nchar', 'nvarchar' and 'varchar'.
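-- Rejects INSERT/UPDATE rows on dbo.tblLeadsExtra whose character columns
-- contain a blacklisted markup fragment ('<script', '.js', '</title'):
-- raises a severity-16 error and rolls back the statement.
--
-- SECURITY NOTE: this is a stored-content (XSS-style) blacklist, NOT an SQL
-- injection defence. A trigger fires only after the statement has already
-- been parsed and executed, so any SQL an attacker injected has already run,
-- and an injected SELECT/DROP/UPDATE on another table never reaches this
-- trigger. Use parameterised queries in the application; keep this only as a
-- stop-gap filter and expect bypasses (e.g. '<img onerror=...>', entity-encoded
-- or split tags) plus false positives on legitimate text containing '.js'.
CREATE TRIGGER [dbo].[SQlInjection_tblLeadsExtra] ON [dbo].[tblLeadsExtra]
FOR INSERT, UPDATE
AS
SET NOCOUNT ON;

DECLARE @columnName sysname;
DECLARE @hit        INT;
DECLARE @sql        NVARCHAR(MAX);

-- Dynamic SQL cannot see the 'inserted' pseudo-table, so snapshot it into a
-- session temp table that the EXEC'd batch can read. All columns are needed
-- because every character column is scanned.
SELECT * INTO #inserted FROM inserted;

-- LOCAL: the original global cursor was never closed on the ROLLBACK/RETURN
-- path and would collide ('cursor already exists') on the next firing in the
-- same session. TABLE_SCHEMA filter: a same-named table in another schema
-- would otherwise contribute columns that do not exist in #inserted.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE TABLE_SCHEMA = 'dbo'
      AND TABLE_NAME = 'tblLeadsExtra'
      AND DATA_TYPE IN ('char', 'nchar', 'nvarchar', 'varchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @columnName;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Column names come from the catalog, not from users, but QUOTENAME still
    -- guards against a name containing ']' breaking the statement. Each
    -- pattern is listed once (the original repeated '<script' and '</title').
    SET @sql = N'SELECT @hit = CASE WHEN EXISTS (SELECT 1 FROM #inserted WHERE '
             + QUOTENAME(@columnName) + N' LIKE ''%<script%'' OR '
             + QUOTENAME(@columnName) + N' LIKE ''%.js%'' OR '
             + QUOTENAME(@columnName) + N' LIKE ''%</title%'') THEN 1 ELSE 0 END;';

    -- OUTPUT parameter replaces the #TEMP1 insert/select/delete round trip.
    EXEC sp_executesql @sql, N'@hit INT OUTPUT', @hit = @hit OUTPUT;

    IF @hit > 0
    BEGIN
        CLOSE col_cursor;
        DEALLOCATE col_cursor;
        PRINT 'Transaction has been cancelled';
        RAISERROR ('Invalid Data found', 16, 1);
        ROLLBACK;
        RETURN;
    END

    FETCH NEXT FROM col_cursor INTO @columnName;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;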
If you have a large website and need a stop-gap while the application code is being fixed, you can add a trigger like the one below. Be clear about what it does: it rejects INSERT/UPDATE rows whose string columns contain a blacklisted fragment, so it limits what gets *stored*. It does not stop SQL injection — a trigger fires only after the statement has already been parsed and executed, and an injected SELECT, DROP or UPDATE against another table never touches it. The real fix is parameterised queries / prepared statements in the application.
With this trigger we block a few markup fragments such as "&lt;script", ".js" and "&lt;/title" that commonly appear in stored-XSS payloads submitted through an injection. You can add further patterns to the LIKE list in the trigger below, but any blacklist is bypassable (other tags such as &lt;img onerror=…&gt;, entity-encoded or split tags), and ".js" will also reject legitimate text such as file names. The trigger only inspects columns of type 'char', 'nchar', 'nvarchar' and 'varchar'.
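-- Rejects INSERT/UPDATE rows on dbo.tblLeadsExtra whose character columns
-- contain a blacklisted markup fragment ('<script', '.js', '</title'):
-- raises a severity-16 error and rolls back the statement.
--
-- SECURITY NOTE: this is a stored-content (XSS-style) blacklist, NOT an SQL
-- injection defence. A trigger fires only after the statement has already
-- been parsed and executed, so any SQL an attacker injected has already run,
-- and an injected SELECT/DROP/UPDATE on another table never reaches this
-- trigger. Use parameterised queries in the application; keep this only as a
-- stop-gap filter and expect bypasses (e.g. '<img onerror=...>', entity-encoded
-- or split tags) plus false positives on legitimate text containing '.js'.
CREATE TRIGGER [dbo].[SQlInjection_tblLeadsExtra] ON [dbo].[tblLeadsExtra]
FOR INSERT, UPDATE
AS
SET NOCOUNT ON;

DECLARE @columnName sysname;
DECLARE @hit        INT;
DECLARE @sql        NVARCHAR(MAX);

-- Dynamic SQL cannot see the 'inserted' pseudo-table, so snapshot it into a
-- session temp table that the EXEC'd batch can read. All columns are needed
-- because every character column is scanned.
SELECT * INTO #inserted FROM inserted;

-- LOCAL: the original global cursor was never closed on the ROLLBACK/RETURN
-- path and would collide ('cursor already exists') on the next firing in the
-- same session. TABLE_SCHEMA filter: a same-named table in another schema
-- would otherwise contribute columns that do not exist in #inserted.
DECLARE col_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS
    WHERE TABLE_SCHEMA = 'dbo'
      AND TABLE_NAME = 'tblLeadsExtra'
      AND DATA_TYPE IN ('char', 'nchar', 'nvarchar', 'varchar');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @columnName;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- Column names come from the catalog, not from users, but QUOTENAME still
    -- guards against a name containing ']' breaking the statement. Each
    -- pattern is listed once (the original repeated '<script' and '</title').
    SET @sql = N'SELECT @hit = CASE WHEN EXISTS (SELECT 1 FROM #inserted WHERE '
             + QUOTENAME(@columnName) + N' LIKE ''%<script%'' OR '
             + QUOTENAME(@columnName) + N' LIKE ''%.js%'' OR '
             + QUOTENAME(@columnName) + N' LIKE ''%</title%'') THEN 1 ELSE 0 END;';

    -- OUTPUT parameter replaces the #TEMP1 insert/select/delete round trip.
    EXEC sp_executesql @sql, N'@hit INT OUTPUT', @hit = @hit OUTPUT;

    IF @hit > 0
    BEGIN
        CLOSE col_cursor;
        DEALLOCATE col_cursor;
        PRINT 'Transaction has been cancelled';
        RAISERROR ('Invalid Data found', 16, 1);
        ROLLBACK;
        RETURN;
    END

    FETCH NEXT FROM col_cursor INTO @columnName;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;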