
on 2015-03-16 13:41:33

SQL Injection

  • SQL injection is a technique in which malicious users inject SQL commands into an SQL statement through web page input.
  • Injected SQL commands can alter the SQL statement and compromise the security of a web application.
  • Many SQL injection attacks rely on injected conditions that always evaluate to true.
  • These attacks are possible only when the application executes dynamic SQL statements and procedures with arguments built from user input.
  • Escape characters such as the single quote are what let the injected input break out of the intended SQL statement.
SQL Injection Attack Defensive Techniques

There are five major defensive techniques used to protect applications from SQL injection attacks:

  1. Use of parameterized queries
  2. Use of parameterized stored procedures
  3. Handling special input characters with escape routines
  4. Least privilege
  5. Constraining input

SQL Injection Attack Example:

    using System;
    using System.Data.SqlClient;
    using System.Web.UI;

    public partial class _Default : System.Web.UI.Page
    {
        SqlConnection con = new SqlConnection("Data Source=HP\\SQLEXPRESS;Initial Catalog=inject;Integrated Security=True");

        protected void Page_Load(object sender, EventArgs e)
        {
            // Opened on every page load and never closed; a using block per request would be safer.
            con.Open();
        }

        protected void Signin_Click(object sender, EventArgs e)
        {
            // Vulnerable: the text box values are concatenated straight into the SQL text,
            // so a quote in the input ends the string literal and the rest runs as SQL.
            SqlCommand cmd = new SqlCommand("select * from login1 where username= '" + txtModalUsername.Text + "' and password= '" + txtModalPassword.Text + "'", con);
            // ExecuteScalar returns the first column of the first matching row, or null when
            // nothing matches (Convert.ToInt32(null) is 0); this check assumes that column is an integer id.
            int nrow = Convert.ToInt32(cmd.ExecuteScalar());
            if (nrow >= 1)
            {
                Response.Redirect("WebForm1.aspx");
            }
            else
            {
                Label1.Text = "wrong username and password";
            }
        }
    }

The username and password are passed directly into the SQL query that is sent to SQL Server. A query built this way is called a non-parameterized query, and writing such queries leaves the application vulnerable to SQL injection, because an attacker can change the intent of the query.

Preventing SQL Injection

An attacker can get access to user accounts in the database by simply entering "or ""=" into the user name or password text box. This input defeats the login credential check and redirects the attacker to the user page, as shown below:

[Screenshot: login bypassed with the always-true input]

Parameterized Queries Avoid SQL Injection Attacks

To prevent SQL injection attacks on your application, use parameterized queries in your code.

1. Use of parameterized queries
  • In parameterized queries, the SQL query is written without embedding values in it; each parameter of the query is supplied separately at execution time.
  • This technique keeps code and data separate regardless of what the user enters.
  • Parameterized queries do not allow attackers to change the intent of the query.
  • Parameterized queries are implemented in the program as follows:

    using System;
    using System.Data;
    using System.Data.SqlClient;
    using System.Web.UI;

    public partial class _Default : System.Web.UI.Page
    {
        SqlConnection con = new SqlConnection("Data Source=HP\\SQLEXPRESS;Initial Catalog=inject;Integrated Security=True");

        protected void Page_Load(object sender, EventArgs e)
        {
            con.Open();
        }

        protected void Signin_Click(object sender, EventArgs e)
        {
            // The SQL text contains only placeholders; the user input is bound as data and never becomes SQL.
            SqlCommand cmd = new SqlCommand("select * from login1 where username=@UserName and password=@Password", con);
            SqlParameter UserName = new SqlParameter("@UserName", SqlDbType.NVarChar);
            SqlParameter Password = new SqlParameter("@Password", SqlDbType.NVarChar);
            UserName.Value = txtModalUsername.Text;
            Password.Value = txtModalPassword.Text;
            cmd.Parameters.Add(UserName);
            cmd.Parameters.Add(Password);

            SqlDataAdapter da = new SqlDataAdapter(cmd);
            DataSet ds = new DataSet();
            try
            {
                da.Fill(ds);
            }
            catch
            {
                ds = null;
            }
            // Guard against the null DataSet left behind when Fill failed, then check for a matching row.
            if (ds != null && ds.Tables.Count > 0 && ds.Tables[0].Rows.Count > 0)
            {
                Response.Redirect("WebForm2.aspx");
            }
            else
            {
                Label1.Text = "wrong username and password";
            }
        }
    }

After switching to parameterized queries, an attacker who supplies the same input can no longer reach the user page:

[Screenshot: SQL Injection Attack Defensive Techniques]

Once the attacker clicks the sign-in button, the page shows the error as follows:

[Screenshot: Prevent SQL Injection Attacks]

This is how parameterized queries protect applications from SQL injection.
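To see the difference between the two sign-in handlers above without a SQL Server instance, here is an added Python example (not code from the original post) that runs the same login query against an in-memory SQLite table; the login1 table, its columns and the alice account are constructed for the example, and the always-true input is written with single quotes to match the single-quoted literals in the page's query.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the page's login1 table (assumed columns: id, username, password)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE login1 (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO login1 (username, password) VALUES ('alice', 's3cret')")
    con.commit()
    return con


def login_concatenated(con, username, password):
    """The page's vulnerable pattern: text box values spliced into the SQL text."""
    sql = ("select count(*) from login1 where username= '" + username
           + "' and password= '" + password + "'")
    # A quote inside either value ends the literal, so the rest of the input is parsed as SQL.
    return con.execute(sql).fetchone()[0] >= 1


def login_parameterized(con, username, password):
    """The page's fix: placeholders in the SQL, values bound separately.

    sqlite3 uses :name placeholders where SQL Server uses @Name; the principle is identical.
    """
    sql = "select count(*) from login1 where username = :username and password = :password"
    row = con.execute(sql, {"username": username, "password": password}).fetchone()
    # The bound value is compared as a string, quotes included, never parsed as SQL.
    return row[0] >= 1


def demo():
    """Run both handlers with a valid login and with the page's always-true input."""
    con = make_db()
    bypass = "' or ''='"  # single-quoted form of the input the page describes
    return {
        "valid_concat": login_concatenated(con, "alice", "s3cret"),
        "bypass_concat": login_concatenated(con, bypass, bypass),   # True: check defeated
        "valid_param": login_parameterized(con, "alice", "s3cret"),
        "bypass_param": login_parameterized(con, bypass, bypass),   # False: treated as data
        "wrong_param": login_parameterized(con, "alice", "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'signed in' if ok else 'wrong username and password'}")
```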