ASP.NET Security – SQL Injection
Every developer should validate web form input. Unvalidated web form input lets a hacker enter a malformed SQL statement that can fetch unauthorized data from the database, delete tables, or update column values.
Below is a SQL command that is vulnerable and prone to SQL injection:
string strSQL = "SELECT ProductId, ProductName FROM Products WHERE ProductName LIKE '" + txtSearch.Text + "'";
A hacker can enter the criteria below in the input text box to fetch all the products:
' OR 1=1 --
A hacker can update a column value by entering the criteria below in the text box:
'; UPDATE Products SET UnitPrice = 0.01 WHERE ProductId = 1--
A hacker can delete table rows by entering the criteria below in the text box:
'; DELETE FROM Products --
A hacker can also drop tables if the developer connects using an admin-level account:
'; DROP TABLE User --
So developers should do the following to avoid SQL injection:
- Validate all textbox entries using validation controls, regular expressions, or code.
- Use parameterized SQL or stored procedures.
- Encrypt passwords and other sensitive data.
- Encrypt connection strings.
- Do not use an admin-access account to connect to the database; use a limited-access account instead.
- Use custom error messages; never display raw SQL error messages to the user.
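The following C# example is added here to put the vulnerable concatenated query above next to its hardened form; it is not code from the original post. It assumes the `Products` table from the post, a hypothetical connection-string name `ProductsReadOnly` that points at a limited-access login, and a hypothetical `Logger` that writes the real `SqlException` to the server log while the user only sees a generic message. The parameterized version also escapes the LIKE wildcards (`%`, `_`, `[`) so that search text cannot be turned into a match-everything pattern, which parameters alone do not prevent.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // Vulnerable form (same shape as the post's strSQL): user text becomes SQL text.
    // Kept only for comparison; never execute it.
    public static string BuildVulnerableSql(string searchText)
    {
        return "SELECT ProductId, ProductName FROM Products " +
               "WHERE ProductName LIKE '" + searchText + "'";
    }

    // Hardened form: the query text is fixed, the user's input travels as a typed
    // parameter, and LIKE wildcards in the input are escaped with '\'.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, string searchText)
    {
        var cmd = new SqlCommand(
            "SELECT ProductId, ProductName FROM Products " +
            "WHERE ProductName LIKE @pattern ESCAPE '\\'", conn);

        // Escape the escape character first, then the wildcard characters.
        string escaped = searchText
            .Replace("\\", "\\\\")
            .Replace("%", "\\%")
            .Replace("_", "\\_")
            .Replace("[", "\\[");

        // Explicit type and length: oversized input is rejected by SQL Server, not silently truncated.
        cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 80).Value = "%" + escaped + "%";
        return cmd;
    }

    // Executes the safe query using a limited-access login taken from the encrypted
    // connectionStrings section (name "ProductsReadOnly" is an assumption).
    // Returns product names, or a generic error string that reveals nothing about SQL.
    public static IList<string> Search(string searchText, out string userMessage)
    {
        var results = new List<string>();
        userMessage = null;

        // Validate before touching the database: length cap plus an allow-list of characters.
        if (string.IsNullOrWhiteSpace(searchText) || searchText.Length > 40 ||
            !System.Text.RegularExpressions.Regex.IsMatch(searchText, @"^[\w\s\-\.]+$"))
        {
            userMessage = "Please enter a valid product name.";
            return results;
        }

        string connStr = ConfigurationManager.ConnectionStrings["ProductsReadOnly"].ConnectionString;
        try
        {
            using (var conn = new SqlConnection(connStr))
            using (SqlCommand cmd = BuildSafeCommand(conn, searchText))
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        results.Add(reader.GetString(reader.GetOrdinal("ProductName")));
                    }
                }
            }
        }
        catch (SqlException ex)
        {
            // Log the details server-side (Logger is hypothetical); show the user a custom message.
            Logger.Error("Product search failed", ex);
            userMessage = "The search could not be completed. Please try again later.";
        }
        return results;
    }
}
```

With this in place, the post's `' OR 1=1 --` input is rejected by the allow-list; even if validation were removed, the parameter would make SQL Server look for a product literally named `' OR 1=1 --` rather than executing it. The limited-access login keeps `DROP TABLE` and `DELETE` out of reach regardless of what reaches the query.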