security

  • 13 September 2012 17:47

    Hi,

    I have a question.

    When you use code like the one below:

      string sql = "select * from tbl_Users where UserName='" + username + "' and Password='" + password + "'";

    I can use SQL injection and get in.

    I want to know whether, when I use parameters in SqlCommand, it is still possible to get in:

      // needs: using System.Data.SqlClient;
      string sql = "select * from tbl_Users where UserName=@username and Password=@password";

      com = new SqlCommand();
      com.Connection = con;
      com.CommandText = sql;
      com.Parameters.Add("@username", username);
      com.Parameters.Add("@password", password);   // the posted code passed username here by mistake

    Please help me.

    Thanks



  • 13 September 2012 18:33

    You must build parameterized queries to avoid injection.

    See: http://srcware.com/programacao/como-evitar-sql-injection-em-net/

    See: http://social.msdn.microsoft.com/Forums/pt-BR/aspnetpt/thread/de859f6f-a1e3-4761-b2f5-abdaa20c921a


    Roberson Ferreira - Database Developer
    Visit: www.robersonferreira.com.br
    Email: contato@robersonferreira.com.br

    If this suggestion is useful, please rate it as useful.
    If it helps you solve the problem, please mark it as Answer.

  • 13 September 2012 18:35
    And see also: http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

    Roberson Ferreira - Database Developer

  • 13 September 2012 19:33 (Answer)
    I would suggest using a stored procedure with dynamic SQL to execute your query. You can pass the input to the stored procedure.

    Please click the Mark as Answer or Vote As Helpful if a post solves your problem or is helpful!

  • 14 September 2012 12:11 (Proposed answer)

    Hi,

    I suggest you use C#.NET custom regular expressions to validate all parameters. I also suggest you write an extended stored procedure to authenticate the parameters.


    Regards,

    Basit A. Farooq (MSC Computing, MCITP SQL Server 2005 & 2008, MCDBA SQL Server 2000)

    http://basitaalishan.com

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • 15 September 2012 18:21

    Thanks to all.

    I know that using an SP is safe,

    but I am asking: can SQL injection be done against my code?

    And can SQL injection be done when using parameters?

    Thanks


  • 18 September 2012 02:38 (Moderator, Answer)

    Hi vahidbakhtiary,

    I want to inform you that your second code block is not vulnerable to SQL injection; you can try to input some injection code and check the result. For example, you can set your password like the following:

    password = password + "' or '1'='1";   // closes the Password literal and appends an always-true condition

    With your first code block, all the data in the tbl_Users table is returned, but with your second code block, nothing will be returned. For more detailed information, you can refer to the following link:

    http://msdn.microsoft.com/en-us/library/ff648339.aspx


    Best Regards,
    Allen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
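The test described in the reply above, reproduced in T-SQL so it can be run in SSMS or sqlcmd without the C# application. This is an added example, not code from the thread. It assumes SQL Server 2008 or later, a throwaway session-local table named #tbl_Users with the same UserName/Password columns as the question, and two constructed rows; plaintext passwords are kept only to mirror the query being discussed.

```sql
-- Added example: the two code blocks from the question, expressed as T-SQL.
-- Constructed scratch data; #tbl_Users is a session-local temp table.
CREATE TABLE #tbl_Users (UserName nvarchar(50), Password nvarchar(50));
INSERT INTO #tbl_Users VALUES (N'alice', N'correct horse'), (N'bob', N'hunter2');

-- Attacker-controlled inputs. The payload is the one from the reply:
--   wrong' or '1'='1
-- The leading quote closes the Password literal, the rest appends an always-true condition.
DECLARE @username nvarchar(50) = N'alice';
DECLARE @password nvarchar(50) = N'wrong'' or ''1''=''1';

-- 1) First code block: string concatenation, exactly what "...'" + password + "'" does in C#.
DECLARE @sql nvarchar(max) =
    N'select * from #tbl_Users where UserName=''' + @username +
    N''' and Password=''' + @password + N'''';
PRINT @sql;
-- select * from #tbl_Users where UserName='alice' and Password='wrong' or '1'='1'
-- The OR is now part of the query text, so every row comes back.
EXEC (@sql);

-- 2) Second code block: parameters, what SqlCommand.Parameters sends to the server.
-- The query text is fixed and is parsed before the values are bound, so the
-- quote inside @password is just data and can never change the query's structure.
EXEC sp_executesql
    N'select * from #tbl_Users where UserName=@username and Password=@password',
    N'@username nvarchar(50), @password nvarchar(50)',
    @username = @username, @password = @password;
-- Returns no rows: nobody's password is literally  wrong' or '1'='1

DROP TABLE #tbl_Users;
```

Run the two halves and compare result sets: the first EXEC returns both rows, the second returns none. The parameterized form still has the unrelated problems visible in the question (select *, plaintext password comparison), which parameters do nothing about; they only guarantee that user input cannot become query syntax.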

  • 18 September 2012 03:19 (Moderator)

    and can SQL injection be done when using parameters?

    Executing a parameterized query or stored procedure (assuming the stored procedure executes only static/parameterized SQL) is not vulnerable to SQL injection.


    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/
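The qualification in the reply above ("assuming the stored procedure executes only static/parameterized SQL") is the part that matters for the earlier suggestion to use a stored procedure with dynamic SQL. This added example, not from the thread, shows two stored procedures that both build dynamic SQL; only the one that parameterizes it is safe. It assumes SQL Server 2008 or later, a batch-aware client (the GO separators are for SSMS/sqlcmd), and uses hypothetical names dbo.tbl_Users_demo, dbo.usp_Login_Concat and dbo.usp_Login_Param with constructed rows.

```sql
-- Added example: "wrap it in a stored procedure" is not by itself a fix.
-- Constructed scratch table; names are hypothetical.
CREATE TABLE dbo.tbl_Users_demo (UserName nvarchar(50), Password nvarchar(50));
INSERT INTO dbo.tbl_Users_demo VALUES (N'alice', N'correct horse'), (N'bob', N'hunter2');
GO

-- UNSAFE: the inputs are pasted into the query text before EXEC parses it.
-- Moving the concatenation from C# into T-SQL changes nothing; the injected
-- OR now simply runs server-side, with the procedure's permissions.
CREATE PROCEDURE dbo.usp_Login_Concat @username nvarchar(50), @password nvarchar(50)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'select * from dbo.tbl_Users_demo where UserName=''' + @username +
        N''' and Password=''' + @password + N'''';
    EXEC (@sql);
END
GO

-- SAFE: the query text is a constant; the values travel as sp_executesql
-- parameters, so they are bound after parsing and cannot alter the statement.
CREATE PROCEDURE dbo.usp_Login_Param @username nvarchar(50), @password nvarchar(50)
AS
BEGIN
    EXEC sp_executesql
        N'select * from dbo.tbl_Users_demo where UserName=@u and Password=@p',
        N'@u nvarchar(50), @p nvarchar(50)',
        @u = @username, @p = @password;
END
GO

-- Same payload as in the thread:  wrong' or '1'='1
DECLARE @payload nvarchar(50) = N'wrong'' or ''1''=''1';
EXEC dbo.usp_Login_Concat @username = N'alice', @password = @payload;  -- returns every row
EXEC dbo.usp_Login_Param  @username = N'alice', @password = @payload;  -- returns no rows
GO

DROP PROCEDURE dbo.usp_Login_Concat, dbo.usp_Login_Param;
DROP TABLE dbo.tbl_Users_demo;
GO
```

The distinction to check when reviewing a procedure is not whether it uses EXEC or sp_executesql but whether any user-supplied value is concatenated into the string that gets executed. If an identifier (a table or column name) genuinely must be dynamic, validate it against an allow-list or wrap it with QUOTENAME; values should always go through parameters.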