How to avoid script database hacking?

RA
If I get the user info from an asp.net page, and based on that execute some query
against the database, how can I avoid issues like this one:

Client entered in user name text box the following: "new;delete from users"

On server side I have:

sql = "select * from users where username = " + txtUser.Text;


Thanks,
Ronen
 
You should always check for dodgy characters in the string and use stored
procedures with parameters.
 
How would a stored procedure help if the parameter passed to it is the input
from the text box?
 
You can also use stored procs.

Wes Jackson said:
You should always check for dodgy characters in the string and use stored
procedures with parameters.
 
SqlCommand cmd = new SqlCommand("select * from employees where employeeid=@id", conn);
cmd.Parameters.Add("@id", TextBox1.Text);
cmd.Execute...
 
RA said:
How would a stored procedure help if the parameter passed to it is the input
from the text box?

In the stored procedure you don't build a SQL string to execute, but supply a
parameter as a "placeholder" for the value:

select * from mytable where name = @nameparam

If you supply a value 'new;delete from users' then the table is searched
for that exact value. The "delete" part is never treated as a command.

Hans Kesting
 
They are also faster when executing against SQL as the code is already
compiled.

Double bonus!
 
A Google search such as "sql code injection" will retrieve a number of
detailed papers.

In short you could :
- validate your parameters
- use parameterized queries
- use stored procedures
- others ?

Patrice
 
Hi,

One thing that using an SP doesn't necessarily guard against is:

What happens if an SP parameter is Text and you pass in a comma separated
list of numbers, which you then use in the SP like:

[some sql here - to do a temp table]

EXEC('SELECT FieldX, FieldY INTO #Temp FROM TableX WHERE TableID IN(' + @Param + ')')

[some more sql here]

Admittedly the person doing the hack would have to know what the SP was
doing in order to ensure proper SQL syntax, but, for example, a disgruntled
employee might know this and wreak havoc.

For a comma separated list of numbers I got around this by using a regular
expression to ensure that the value I would use only contained numbers, a
comma or a space; anything else would be discarded.

Regards,
Peter
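As an added example in C# (not code from any post in this thread), covering both Hans Kesting's placeholder point and Peter's comma separated list case: the concatenated query beside its parameterized form, and an IN (...) list built from one typed parameter per value instead of splicing the text into dynamic SQL. The table and column names (users, username, TableX, TableID, FieldX, FieldY) and the connection are assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example; table/column names are assumed, not taken from a real schema.
static class SafeQueries
{
    // Unsafe: the user's text becomes part of the SQL statement itself,
    // so "new;delete from users" is parsed as a second statement.
    static string BuildUnsafe(string userInput)
    {
        return "select * from users where username = '" + userInput + "'";
    }

    // Safe: the text is bound to @name and SQL Server only ever sees a value.
    static SqlCommand BuildSafe(SqlConnection conn, string userInput)
    {
        var cmd = new SqlCommand("select * from users where username = @name", conn);
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = userInput;
        return cmd;
    }

    // The comma separated list case: do not pass the list as one text
    // parameter into EXEC('... IN(' + @Param + ')'). Parse each item as an
    // int and bind one typed parameter per value; anything that is not a
    // number is rejected by int.TryParse before it reaches the server.
    static SqlCommand BuildInList(SqlConnection conn, string csv)
    {
        var names = new List<string>();
        var cmd = new SqlCommand { Connection = conn };
        int i = 0;
        foreach (string piece in csv.Split(','))
        {
            int id;
            if (!int.TryParse(piece.Trim(), out id))
                throw new ArgumentException("list must contain integers only");
            string p = "@id" + i++;
            names.Add(p);
            cmd.Parameters.Add(p, SqlDbType.Int).Value = id;
        }
        if (names.Count == 0)
            throw new ArgumentException("empty list");
        cmd.CommandText = "SELECT FieldX, FieldY FROM TableX WHERE TableID IN ("
                          + string.Join(", ", names.ToArray()) + ")";
        return cmd;
    }
}
```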
 
hi! good morning can you send me on how to avoid computer hacking?
 
ASP.NET has special features to automatically catch things like people
embedding ;DELETE FROM; and other trick SQL commands that would normally be
"hacked" on web sites
 
hi! good morning can you send me on how to avoid computer hacking?

Make sure your computer is secure... :-)

Seriously, can you be a bit more specific...?
 
Turn it off.

--
;-),
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.
 