ASP.NET Security – SQL Injection

Every developer should validate web form input. Unvalidated web form input allows an attacker to submit a malformed SQL statement that fetches unauthorized data from the database, updates column values, or deletes tables.

Below is a SQL command built by string concatenation, which is vulnerable to SQL injection (the stray `, "` in the original also broke the SELECT list; it is corrected here so the statement at least parses):

string strSQL = "SELECT ProductId, ProductName" + " FROM Products" + " WHERE ProductName LIKE '" + txtSearch.Text + "'";

An attacker can enter the criteria below in the input text box to fetch all the products:

' Or 1=1 --

An attacker can update a column value by entering the criteria below in the text box:

'; UPDATE Products SET UnitPrice = 0.01 WHERE ProductId = 1--

An attacker can delete table rows by entering the criteria below in the text box:

'; DELETE FROM Products --

An attacker can also drop whole tables if the developer connects using an admin-level account:

'; Drop Table User --

So developers should do the following to avoid SQL injection:

  1. Validate all textbox entries using validation controls, regular expressions, or code.

  2. Use parameterized SQL or stored procedures so user input is never spliced into the SQL text.

  3. Encrypt passwords and other sensitive data.

  4. Encrypt connection strings.

  5. Do not use an admin-level account for the database connection. Use a limited-access account that has only the permissions the application needs.

  6. Use custom error messages. Do not display raw SQL error messages to users.
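The following is an added example, not code from the original post: it rewrites the vulnerable product search above using points 1, 2, 5 and 6 of the list. The `Products` table and column names come from the post; the stored procedure `dbo.SearchProducts`, the regular expression allow-list, and the logging callback are assumptions chosen for illustration. The connection string passed in is expected to use a low-privilege SQL login.

```csharp
// Added example (not from the original post). Assumes a Products table with
// ProductId (int) and ProductName (nvarchar) columns, and a hypothetical stored
// procedure dbo.SearchProducts that takes a single @pattern parameter.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductSearch
{
    // Point 1: allow-list validation. Letters, digits, space, hyphen, apostrophe
    // and dot, 1 to 50 characters. The apostrophe is deliberately allowed (O'Brien)
    // because parameterization, not quote stripping, is what prevents injection.
    private static readonly Regex AllowedSearch = new Regex(@"^[\p{L}\p{N} \-'.]{1,50}$");

    public static bool IsValidSearchTerm(string term)
    {
        return term != null && AllowedSearch.IsMatch(term);
    }

    // Escape LIKE wildcards (SQL Server syntax) so user input cannot widen the
    // pattern. '[' is escaped first so the brackets added afterwards stay intact.
    public static string EscapeLikeWildcards(string s)
    {
        return s.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]");
    }

    // Point 2 (parameterized SQL): the user's text travels as a typed parameter
    // value, so "' Or 1=1 --" is compared as a literal product name, never parsed.
    public static List<string> SearchParameterized(string connectionString, string term)
    {
        if (!IsValidSearchTerm(term))
            throw new ArgumentException("Search term contains disallowed characters.");

        const string sql =
            "SELECT ProductId, ProductName FROM Products WHERE ProductName LIKE @pattern";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 60).Value =
                EscapeLikeWildcards(term) + "%";
            return ReadNames(conn, cmd);
        }
    }

    // Point 2 (stored procedure): same parameter handling, different CommandType.
    public static List<string> SearchStoredProcedure(string connectionString, string term)
    {
        if (!IsValidSearchTerm(term))
            throw new ArgumentException("Search term contains disallowed characters.");

        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.SearchProducts", conn)) // hypothetical proc
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 60).Value =
                EscapeLikeWildcards(term) + "%";
            return ReadNames(conn, cmd);
        }
    }

    private static List<string> ReadNames(SqlConnection conn, SqlCommand cmd)
    {
        var results = new List<string>();
        conn.Open();
        using (SqlDataReader reader = cmd.ExecuteReader())
        {
            while (reader.Read())
                results.Add(reader.GetInt32(0) + ": " + reader.GetString(1));
        }
        return results;
    }

    // Point 6: the page code-behind calls the search through this wrapper. SQL
    // errors are logged server-side via the supplied callback and the user only
    // ever sees a generic message, never the raw SqlException text.
    public static string RunSearchForPage(Func<List<string>> search, Action<Exception> log)
    {
        try
        {
            List<string> rows = search();
            return rows.Count + " product(s) found.";
        }
        catch (SqlException ex)
        {
            log(ex);
            return "The search could not be completed. Please try again later.";
        }
    }
}
```

In a Web Forms page this would be called as `RunSearchForPage(() => SearchParameterized(connStr, txtSearch.Text), ex => Trace.Warn("search", ex.Message))`. For point 6 at the framework level, set `<customErrors mode="RemoteOnly" />` in web.config so stack traces are only shown on the local machine, and for point 4 the `connectionStrings` section can be encrypted in place with `aspnet_regiis -pe "connectionStrings" -app "/YourApp"`, which the runtime decrypts transparently.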
