SQL injection and preventing

SQL injection is a code injection technique, used to attack data driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker).

We can avoid SQL injection attacks in two ways.

  1. Using parameterized queries.
  2. Using stored procedures.

Let’s examine one by one. The tblProductInventory table which we have used in theprevious article is following:

tblProductInventory

As we know, the following lines of code were causing SQL injection attack.

string CS = ConfigurationManager.ConnectionStrings[“DBCS”].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
string Command=“Select * from tblProductInventory where ProductName like ‘”+TextBox1.Text     + “%’”;
    SqlCommand cmd = new SqlCommand(Command, con);
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

Using parameterized queries

The above code can easily be rewritten using parameterized queries to prevent SQL injection attack.

string CS = ConfigurationManager.ConnectionStrings[“DBCS”].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
   // Parameterized query. @ProductName is the parameter
  string Command = “Select * from tblProductInventory where ProductName like      @ProductName”;

   SqlCommand cmd = new SqlCommand(Command, con);
    // Provide the value for the parameter
    cmd.Parameters.AddWithValue(“@ProductName”, TextBox1.Text + “%”);
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

Notice that the query now uses parameter @ProductName. The value for this parameter is then provided using AddWithValue() method. The parameter is associated with the command object using Prameters collection property of the command object.

Now if we type the following input into the TextBox, the entire content of the TextBox is treated as a value for the parameter @ProductName, not as a seperate SQL statement. Thereby it removes SQL injection attack.

i’; Delete from tblProductInventory –

Using stored procedures

Sql injection can also be prevented using stored procedures. So first let’s write a stored procedure that returns the list of products. This stored procedure takes an input parameter @ProductName.

CREATE PROCEDURE spGetProductsByName
@ProductName nvarchar(50)
AS
BEGIN
SELECT * FROM tblProductInventory 
WHERE ProductName LIKE @ProductName + ‘%’
END

To test this procedure execute the following command in SQL Server Management Studio(SSMS).

EXECUTE spGetProductsByName ‘ip’

As a result of the above query, all the procucts whose name starts with ‘ip’ will be returned.

Now let’s rewrite the code to use stored procedure spGetProductsByName.

string CS = ConfigurationManager.ConnectionStrings[“DBCS”].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
    // The command that we want to execute is a stored procedure,
    // so specify the name of the procedure as cmdText
    SqlCommand cmd = new SqlCommand(“spGetProductsByName”, con);
    // Specify that the T-SQL command is a stored procedure
    cmd.CommandType = System.Data.CommandType.StoredProcedure;
    // Associate the parameter and it’s value with the command object
    cmd.Parameters.AddWithValue(“@ProductName”, TextBox1.Text );
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s