
  • Question

  • Hi,

    I have a question.

    When you use code like the one below:

     string sql = "select * from tbl_Users where UserName='" + username + "' and Password='" + password + "'";

    I can use SQL injection and get in.

    I want to know, when I use parameters in SqlCommand, can it be entered again?

     // Parameterized version: @username and @password are bound as values, not spliced into the SQL text.
     string sql = "select * from tbl_Users where UserName=@username and Password=@password";

     com = new SqlCommand();
     com.Connection = con;
     com.CommandText = sql;
     com.Parameters.Add("@username", username);
     com.Parameters.Add("@password", password);

    Please help me.

    Thanks


    Thursday, September 13, 2012 5:47 PM

Answers

  • I suggest using a stored procedure with dynamic SQL to execute your query. You can pass the input to the stored procedure.

    Please click the Mark as Answer or Vote As Helpful if a post solves your problem or is helpful!

    • Marked as answer by Iric Wen Thursday, September 20, 2012 1:25 AM
    Thursday, September 13, 2012 7:33 PM
  • Hi vahidbakhtiary,

    I want to inform you that your second code block is not vulnerable to SQL injection. You can try to input some injection code and check the result; for example, you can set your password like the following:

    // closes the Password='...' literal in the first block and appends a condition that is always true
    password = password + "' or '1'='1";

    With your first code block, all the data in the tbl_Users table is returned, but with your second code block, nothing is returned. For more detailed information, you can refer to the following link:

    http://msdn.microsoft.com/en-us/library/ff648339.aspx


    Best Regards,
    Allen
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    • Marked as answer by Iric Wen Thursday, September 20, 2012 1:24 AM
    Tuesday, September 18, 2012 2:38 AM
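    As an added example that is not part of the thread, this runs Allen's check against an in-memory SQLite table, with both of the asker's query styles side by side; sqlite3 stands in for SqlCommand/SQL Server so it runs offline, and the tbl_Users schema and sample rows are constructed here (the login_* function names are assumptions of this example).

```python
import sqlite3

# Constructed sample data mirroring the thread's tbl_Users (schema assumed).
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2")]


def make_db():
    """In-memory SQLite stand-in for the SQL Server table in the thread."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_Users (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO tbl_Users VALUES (?, ?)", SAMPLE_USERS)
    return con


def login_concat(con, username, password):
    """The thread's first block: user input spliced into the SQL text."""
    sql = ("select * from tbl_Users where UserName='" + username +
           "' and Password='" + password + "'")
    return con.execute(sql).fetchall()


def login_param(con, username, password):
    """The thread's second block: placeholders bound as values.

    SQLite uses :name placeholders; SqlCommand uses @name. Same principle:
    the driver sends the SQL text and the values separately, so a quote
    inside the value can never change the statement's structure."""
    sql = "select * from tbl_Users where UserName=:username and Password=:password"
    return con.execute(sql, {"username": username, "password": password}).fetchall()


def compare(username, password):
    """Run both forms on identical input and return (concat_rows, param_rows)."""
    con = make_db()
    try:
        return (len(login_concat(con, username, password)),
                len(login_param(con, username, password)))
    finally:
        con.close()


if __name__ == "__main__":
    payload = "x' or '1'='1"          # the password value from Allen's reply
    print(compare("alice", "s3cret"))  # legitimate login: (1, 1)
    print(compare("nobody", payload))  # (2, 0): concatenation matches every row, parameters match none
```

    With the injected value the concatenated statement becomes `... UserName='nobody' and Password='x' or '1'='1'`, which is true for every row, while the parameterized statement simply looks for a user whose password is the literal string `x' or '1'='1`.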

All replies

  • You must build parameterized queries to avoid injection.

    See: http://srcware.com/programacao/como-evitar-sql-injection-em-net/

    See: http://social.msdn.microsoft.com/Forums/pt-BR/aspnetpt/thread/de859f6f-a1e3-4761-b2f5-abdaa20c921a


    Roberson Ferreira - Database Developer
    Visit: www.robersonferreira.com.br
    Email: contato@robersonferreira.com.br

    If this suggestion is useful, please rate it as helpful.
    If it helps you solve the problem, please mark it as the Answer.

    Thursday, September 13, 2012 6:33 PM
  • And see also: http://www.codeproject.com/Articles/9378/SQL-Injection-Attacks-and-Some-Tips-on-How-to-Prev

    Roberson Ferreira - Database Developer
    Visit: www.robersonferreira.com.br
    Email: contato@robersonferreira.com.br

    If this suggestion is useful, please rate it as helpful.
    If it helps you solve the problem, please mark it as the Answer.

    Thursday, September 13, 2012 6:35 PM
  • Hi,

    I suggest you use a custom C#.NET regular expression to validate all parameters. I also suggest you write an extended stored procedure to authenticate the parameters.


    Regards,

    Basit A. Farooq (MSC Computing, MCITP SQL Server 2005 & 2008, MCDBA SQL Server 2000)

    http://basitaalishan.com

    Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Proposed as answer by Basit Farooq Friday, September 14, 2012 12:11 PM
    • Marked as answer by Iric Wen Thursday, September 20, 2012 1:24 AM
    • Unmarked as answer by Iric Wen Thursday, September 20, 2012 1:25 AM
    Friday, September 14, 2012 12:11 PM
  • Thanks to all.

    I know that using an SP is safe,

    but I am asking: can SQL injection be done in my code?

    And can SQL injection be done when using parameters?

    Thanks


    Saturday, September 15, 2012 6:21 PM
  • And can SQL injection be done when using parameters?

    Executing a parameterized query or stored procedure (assuming the stored procedure executes only static/parameterized SQL) is not vulnerable to SQL injection.


    Dan Guzman, SQL Server MVP, http://weblogs.sqlteam.com/dang/

    Tuesday, September 18, 2012 3:19 AM