Santry Technology Solutions, Content Management, DotNetNuke, SharePoint Consulting
[Help]
Register | Login
Tuesday, December 02, 2008

Sections
  
About Us
  
Partners
Downloads
  
 WWWCoder.com Resource Directory
Home  > Articles/Tutorials > ASP.Net > Security

Preventing SQL Injection Attacks
4/30/2004 4:57:12 PM

Keep your code secure against intruders. In this article we provide examples of SQL injection attacks and how you can write code to prevent them. Stop people from getting information from your database.

In a previous article we provided some examples of how intruders will try to attack your site using Cross-site Scripting (XSS) attacks. In an XSS attack, the attacker tries to use client-side methods of injecting client-side script and then high-jacking a user's session. Now, we're going to provide some examples of a server-side attack where an intruder will try to obtain information from within your database. After the examples, we will go through methods of securing your code against these types of attacks.

SQL injection attacks take advantage of code that does not filter input that is being entered directly into a form. Susceptible applications are applications that take direct user input and then generate dynamic SQL that is executed via back-end code. For example say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token for allowing the user to access the protected data.

Take a logon form for example, here you have two basic form elements, a textbox for accepting a user name, and a password box for the password.

<form action="myscript.aspx">
<input type="textbox" name="username">
<input type="password" name="password"><br/>
<input type="submit">
</form>

Then in the code behind:

Dim SQL As String = "SELECT Count(*) FROM Users WHERE UserName = '" & _
username.text & "' AND Password = '" & password.text & "'"
Dim thisCommand As SQLCommand = New SQLCommand(SQL, Connection)
Dim thisCount As Integer = thisCommand.ExecuteScalar()

In the previous code block it executes the built SQL script directly, if count is greater than one, then you know the values entered in for the user name and password were the ones matching the database.

Now with that code in the previous example, suppose someone entered the following string into your username text box: 

' or 0=0 --

The apostrophe will close the username value being sent to the SQL query, then pass another argument to the SQL query, after the last argument it then comments out the rest of the query using the "--". Since the second argument they entered into your texbox is an "or" statement, the first check on the user name doesn't matter, and since 0 is always going to equal 0 the script will execute successfully and return a positive logon. Guess what? Your intruder now has access to your application.

 Ok so maybe they can logon into your application, but what else can they do? Let's take another example of SQL injection, as in the previous example of using the apostrophe to terminate the value, and proceed on to another argument, lets do this, but using something that can really ruin your application's data and day:

'; drop table users --

Definitely something that can ruin your day. Of course this type of an attack you'll probably notice pretty quick. Other SQL commands can then be entered to determine your database's structure, and return all user names and passwords from the database. You make it even easier for the attacker if you do not provide some ambiguous error message and provide the error message returned from .NET. This error message can provide critical information they need to determine what to enter in your form in order to obtain information.

SQL Injection Prevention

One method of preventing SQL injection is to avoid the use of dynamically generated SQL in your code. By using parameterized queries and stored procedures, you then make it impossible for SQL injection to occur against your application. For example, the previous SQL query could have been done in the following way in order to avoid the attack demonstrated in the example:

Dim thisCommand As SQLCommand = New SQLCommand("SELECT Count(*) " & _
 "FROM Users WHERE UserName = @username AND Password = @password", Connection)
thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username
thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password
Dim thisCount As Integer = thisCommand.ExecuteScalar()

By passing parameters you avoid many types of SQL injection attacks, and even better method of securing your database access is to use stored procedures. Stored procedures can secure your database by restricting objects within the database to specific accounts, and permitting the accounts to just execute stored procedures. Your code then does all database access using this one account that only has access to execute stored procedures. You do not provide this account any other permissions, such as write, which would allow an attacker to enter in SQL statement to executed against your database. Any interaction to your database would have to be done using a stored procedure which you wrote and is in the database itself, which is usually inaccessible to a perimeter network or DMZ.

So if you wanted to do the authentication via a stored procedure, it may look like the following:

Dim thisCommand As SQLCommand = New SqlCommand ("proc_CheckLogon", Connection)
thisCommand.CommandType = CommandType.StoredProcedure
thisCommand.Parameters.Add ("@username", SqlDbType.VarChar).Value = username
thisCommand.Parameters.Add ("@password", SqlDbType.VarChar).Value = password
thisCommand.Parameters.Add ("@return", SqlDbType.Int).Direction = ParameterDirection.ReturnValue
Dim thisCount As Integer = thisCommand.ExecuteScalar()
 

Finally, ensure you provide very little information to the user when an error does occur. If there is database access failure, make sure you don't dump out the entire error message. Always try to provide the least amount of information possible to the users. Besides, do you want them to start helping you to debug your code? If not, why provide them with debugging information?

By following these tips for your database access you're on your way to preventing unwanted eyes from viewing your data.

By: Patrick Santry, Microsoft MVP (ASP/ASP.NET), developer of this site, author of books on Web technologies, and member of the DotNetNuke core development team. If you're interested in the services provided by Patrick, visit his company Website at Santry.com.

Page Options:
format for printing  Format for Printer
email article  Email Page
add to your favorites   Add to Favorites
How would you rate the quality of this content?
Poor - - Excellent
Comments?
Overall Rating:
Comments Left:
Left on 11/26/2008 12:20:50 AM by Anonymous
Comments: we can prevent our websites be using preg_match function
.....by satish
Left on 11/21/2008 7:51:31 AM by Anonymous
Comments: good but should explain more on sql injection prevention
Left on 10/23/2008 4:20:47 PM by Anonymous
Comments: A very clear, concise article that helps to shore up some pretty problematic vulnerabilities.  It's not the only thing that should be done to protect data, but it's one of the quickest and easiest to do; especially for the return on time invested.
Left on 9/29/2008 2:48:54 AM by Anonymous
Comments: GOOD,I liked it but i am beginer so can you please send me in some more detailed way.this is most important b'coz my site is attacked by the sql injection earlier so plz send more detailed way to prevent sql injection..
Left on 9/25/2008 12:12:45 AM by Anonymous
Comments: I read number of articles but I was confused after reading this I get clear picture of sql injection
Left on 9/9/2008 7:23:40 AM by Anonymous
Comments: It was excellent.
Left on 9/5/2008 9:35:42 AM by Anonymous
Comments: ok but not as per mark
Left on 8/2/2008 3:59:29 AM by Anonymous
Comments: Very informative topic
Left on 7/17/2008 1:02:22 AM by Anonymous
Comments: vfkdsl;fka'''

No ratings available.
Left on 7/1/2008 3:07:01 AM by Anonymous
Comments: its very good
Left on 6/12/2008 2:14:56 AM by Anonymous
Comments: sw
Left on 4/16/2008 12:22:54 AM by Anonymous
Comments: No one mentioned a simple technique which allows using In-Line SQL. Create 2 UserIDs for your DB. One has insert, update and delete permissions, the other has only select permissions. Sensitive tables should be parametized or SPs, however, the vast majority of DB qccesses, from my experience is queries. So, on the insensitive tables, use the connection string which can't cause harm. In addition, I've developed an SQLValidation Class which checks input against SQL Injection attack patterns. When detected, the IP is automatically blocked and an email is sent out by the system notifying us. The user is also informed that an SQL injection attack was detected. This feedback, stops an attacker cold.

As for the argument between SP and In-Line. I've switched in In-line. One key reason. We run a production application, plus a Beta app, and an Alpha of the app. SPs are DB centric, not app centric, which means that if I need to alter an SP for the newer version of our app ... I need to create a new SP called _1 or _2 etc. After a few years you're up to _8 and _9, and guess what, you haven't deleted the original, because nothing tells you whether that SP is still being used somewhere. With In-Line, my Queries and DB accesses are part of the app.
Left on 10/11/2007 11:54:33 AM by Anonymous
Comments: Here is a cheat sheet for SQLi under MS Access : http://www.webapptest.org/ms-access-sql-injection-cheat-sheet-EN.html
Left on 7/24/2007 8:42:38 AM by Anonymous
Comments: Filter all input.  Unless you do this, you can't prevent SQL injection, even if you are using stored procedures.
Left on 3/20/2007 1:41:47 PM by Anonymous
Comments: 0==0
No ratings available.
Left on 3/16/2007 6:15:22 PM by Anonymous
Comments: --
No ratings available.
Left on 1/30/2007 3:55:11 PM by Anonymous
Comments:
Left on 9/28/2006 9:33:15 AM by Anonymous
Comments: Thank you.  Very helpful as we try to make our input boxes SQL injection free.
Left on 9/15/2006 2:18:19 PM by Anonymous
Comments: ' or 0=0 --
Left on 6/12/2006 1:54:16 PM by Anonymous
Comments: Good information.  I'm dealing with a client's application now where SQL injection is a major problem.
Left on 1/30/2006 6:13:24 AM by Anonymous
Comments: Here is another article about sql injection
http://http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html injection
Left on 11/2/2005 4:40:46 PM by Anonymous
Comments: Comments from the following blog: Richard Dudley, located at: http://aspadvice.com/blogs/rjdudley/articles/2883.aspx
No ratings available.
Left on 8/10/2005 9:07:49 AM by Anonymous
Comments: That's because you don't understand how parameters work. When you pass a parameter, injection attacks is basically scrubbed clean. The params are handeled as data against the query, basically the "'", and "--", become what you're querying for. Using a string build, it is all part of the SQL statement being executed, thus opening you up for a potential attack, rather than just being considered data for the SQL statement.
Left on 8/10/2005 9:02:17 AM by Anonymous
Comments: "By passing parameters you avoid many types of SQL injection attacks"

How? I fail to see what using the parameter Collection has to do with scrubbing the user-entered data to avoid unwanted chars (like '--' or control chars)
Left on 8/4/2005 11:11:29 AM by Anonymous
Comments: Most informative
No ratings available.
Left on 6/30/2005 7:33:30 PM by Anonymous
Comments: Comments from the following blog: Pencil Bros. Geology, Inc., located at: http://www.rjdudley.com/blog/CrossSiteScriptingXSSAttacksSQLInjectionAndASPNET.aspx
No ratings available.
Left on 6/23/2005 7:10:45 PM by Anonymous
Comments: Thank you for your help.
Left on 6/8/2005 1:49:30 PM by Anonymous
Comments: Comments from the following blog: -:[web caboodle]:-, located at: http://blog.dannyboyd.com/archive/2005/06/08/2044.aspx
No ratings available.
Left on 5/24/2005 1:01:21 PM by Anonymous
Comments: I have Created a Function  . . SqlValidate(ByVal sql)  . .it looks through the string and lets you have things like  ='  . .and ', but filters and replaces all other single quotes with 2 sigle quotes  . . works well :-)
Left on 4/22/2005 3:29:48 PM by Anonymous
Comments: Thats very good
Left on 4/12/2005 3:04:50 PM by Anonymous
Comments: Can't always use SPs.  Should give examples of data validation when creating dynamic SQL in code.
Left on 3/24/2005 11:57:45 PM by Anonymous
Comments: Good,But can provide a little more information... Thanks
Left on 3/15/2005 8:13:01 AM by Anonymous
Comments: Hi there,

imho this is a nice article facing the problem of sql-injection althought I think this is not really the right way to avoid it.
If you are designing a firewall, you  wouldn't say: "Forbid port 1, Forbit prot 2, ...". You would say: "Forbid everything but port 22" and that's the point.

If you receive data by a user, it's alway in some string type, so befor using it for ANY purpose, you must validate it anyway or your application may produce errors even if you e.g. extrcted all sql-injection.
So if you expect a number in a formfield which should be used as an integer afterwards, you have to check...
1) Is it really a integer number, which means, does it only contain '-' and '0-9'?
2) Is this number, seeming to be a valid integer really between the systems MAX_INT and MIN_INT or is it out of range?
3) If you only want to allow e.g. zip-codes, then you will also have to test if the entered number is (depends on the country) between 100 and 99999

Only if the users data passed all these tests, it is valid for processing!

It SHOULD never be allowed inside any application to use not well validated user-input.

I myself use a self-written datacheck class which does the required checks and e.g. a integer is valid also directly provides the casted int value.

Simple example:
datacheck *objDatacheck = new datacheck();
is_valid = objDatacheck->check_int_between(user_input_val, 100, 99999, int);
if (is_valid) {
  do_something(objDatacheck->get_converted());
}
else {
    handle_error(objDatacheck->get_original());
}
...

If you like to provide some seach functions where the user should be able to also enter ", ' and ; or whatever, you should provide a special check method. Perhapst you should also force the user to use eg. '::' instead of '"' and then convert '::' in your process into ".

This method is even much more secure because you don't have to take care for the different database servers sql-evaluation.

Yours Henri
No ratings available.
Left on 3/14/2005 3:26:33 AM by Anonymous
Comments: After using parameters what if I have '' or 0=0 -- passed to the parameters. It will have the same effect as using ' or 0=0 -- without parameters, isn't it? Correct me if I am wrong.
No ratings available.
Left on 3/2/2005 8:18:19 PM by Anonymous
Comments: ';
No ratings available.
Left on 1/3/2005 2:36:53 PM by Anonymous
Comments: thx
Left on 12/16/2004 11:07:52 PM by Anonymous
Comments: Nice !!! Thank u !
Left on 11/25/2004 3:25:39 PM by Anonymous
Comments: Concise and clear explanation. Many Thanks.
Left on 11/23/2004 11:40:24 PM by Anonymous
Comments: 'insert into comments "nice" --
Left on 11/16/2004 5:08:24 PM by Anonymous
Comments: Very interesting...
Left on 11/8/2004 10:01:36 AM by Anonymous
Comments: krud
Left on 10/20/2004 10:40:37 AM by Anonymous
Comments: thanks for the article. very useful to me.

my question is:
should i always escape special caracters such as single quotes even if i use parameterised querys or stored procedures?
Left on 9/28/2004 2:52:23 AM by Anonymous
Comments: i still can't solve the probleem
Left on 8/16/2004 9:25:50 AM by Anonymous
Comments: great solution
Left on 8/6/2004 6:31:11 PM by Anonymous
Comments: Wow you showed a total of one whole solution and it wasn't even feasible in most locations, this is a good example of a quick, cheap, and dirty article.
Left on 7/30/2004 8:37:24 PM by Anonymous
Comments: One of the main problems with escaping the apostrophe in the user input in that it relies in negative validation, rather than positive validation. In other words, it filters out bad input rather than  One way (several ways) to get around this is to use unicode characters to bypass certain checks. Furthermore, other sql statements could be executed without the use of apostrophe (example: ;--, causing the query to fail and possibly display an error message that can provide database info) and it is difficult to say how a user can manipulate inline sql statements.
Left on 7/28/2004 4:16:36 AM by Anonymous
Comments: I think this artical is spot on, It gives a  good example of a security flaw and how to plug it. just a shame there is some 'programmers' who beating you around the head.
Yes we should all use Stored procs, but in SQL2k, if you send a query it is cached and the execution plan is kept (just like a stored proc) so speed wise there aint much aff a diffrence, and you are reducing the size of your DB.
Left on 7/26/2004 6:27:53 PM by Anonymous
Comments: z/OS DB2 DBA here, this is very interesting material.  Thank you.
Left on 7/15/2004 6:09:22 AM by Anonymous
Comments: Lobby MS to eliminate SQL injection
http://dotnetjunkies.com/WebLog/stefandemetz/archive/2004/07/10/18763.aspx
Left on 7/8/2004 12:58:25 PM by Anonymous
Comments: I got an idea to Encrypt query.
you can look at the result at :
http://www.antoniob.com/projects/PUriQueryCrypt.aspx

It's easy to use, free and you get source (beware !!  Delphi.NET)
No ratings available.
Left on 7/1/2004 10:21:35 AM by Anonymous
Comments: I think that using stored procs is the best way to go anytime. the Problem is that they are very time consuming to program. Here is a link to several stored procs that will automatically generate Insert, Update, Select and Delete stored procs for tables in your Database.
http://msdn.microsoft.com/msdnmag/issues/03/04/StoredProcedures/default.aspx

Left on 6/25/2004 2:02:55 AM by Anonymous
Comments: This is really helpful for the Internet Developers.  I appreciate the Provider of the Article.  with regards, Jayakumar K P
Left on 6/24/2004 11:33:50 AM by Anonymous
Comments: I work for a web dev company, and we always use stored procedures. this is the best way.
Left on 6/24/2004 9:57:47 AM by Anonymous
Comments: Ugly? How does this: "SELECT Count(*) FROM Users WHERE UserName ='" & Replace(sUserName, "'", "''") & "' AND Password = '" & Replace(sPassword, "'", "''") & "'" Look better than this: "SELECT Count(*) FROM Users WHERE UserName = @username AND Password = @password" The more I read the comments here the more I believe coders are either lazy or don't think before putting comments here.

No ratings available.
Left on 6/24/2004 9:44:44 AM by Anonymous
Comments: The problems I see here are...

Problem 1) No one wants to have to create a stored procedure for each query of the database.

Problem 2) No one wants to have to use a procedured query that looks ugly and is a pain in the neck to read to write a simple query.

So I think escaping the query is the easiest and best way to go on most occasions. For really sensitive tables you should use a stored procedure/parameters if it makes you fee better... But 90% of the web data is not highly sensitive stuff anyway...
Left on 6/21/2004 1:51:48 PM by Anonymous
Comments: Try having an open mind about things, that your method isn't always the best.  This statement of yours quite boggles me, "but of course you then have to ensure that every time that data is re-read back out of the table, that is then unescaped."  You might want to try it out first before you present your image as you are doing now.


No ratings available.
Left on 6/17/2004 8:48:17 PM by Anonymous
Comments: This article includes an example of using parameters to solve the injection problem. The parameters are part of the SQL command string. How many examples are needed? Play around with it, and you'll see there is no need to ever not use them. As to the other reader who queries why would you use parameterised queries. The simple answer is that you don't have to escape anything, or ever concern yourself with the data you are trying to store! The actual data being stored and the SQL command text are kept seperate and don't interfere with each other. Also, what if I wanted to store into a text field a single quote character non escaped? SQL server certainly doesn't have a problem, and why should it. It's simply because using non-parameterised SQL means you have to escape those characters out otherwise the SQL command becomes invalid. For some programmers this may be acceptable, but of course you then have to ensure that every time that data is re-read back out of the table, that is then unescaped. I've never found character escaping an easy robust solution to any problem, although in some cases it is forced on you such as in HTML, but not with SQL. Also, how is escaping faster to code and easier to read? Easier to read is just a rediculous claim - how does adding the extra unneccesary code into the SQL string make it easier to read. Parameters make the SQL cleaner (no clutter, and clean separation). Faster - I don't thinks so! I can code my SQL with parameters without having to think about whether I should be escaping, or doing any kind of type conversion (including dates, numerics etc), and it is more robust because these offending characters don't accidently slip through the cracks.
No ratings available.
Left on 6/17/2004 3:27:06 PM by Anonymous
Comments: I'm just not getting some of these responses.  "if you code SQL inline ALWAYS use parameters - end of story".  WHY?  What advantage does this have over escaping the single quote?  Please don't say anything about not validating numeric fields, as that is a very poor answer.
The advantage of escaping a single quote is it's faster to code and cleaner to read.

No ratings available.
Left on 6/17/2004 1:42:43 PM by Anonymous
Comments: Don't you love when people miss the whole point of the article. Let's get into a salted hash, lol, one thing at a time.
No ratings available.
Left on 6/17/2004 1:39:23 PM by Anonymous
Comments: The Example is not very good: Without a very good reason you should never save cleartext-passwords in your database - instead use a computed and salted hash for the password. Ok, it's only an example, but examples should be well chosen and be an role-model - in all matters.
Left on 6/17/2004 7:18:57 AM by Anonymous
Comments: don't understand how you can parameterise inline SQL, is it possible to show an example?
Left on 6/16/2004 7:46:54 PM by Anonymous
Comments: I think the reason this article generated so many comments is that it highlights developer ignorance. The answer is simple to solve, and even though the solution has been clearly detailed, some readers continue to debate how to strip out dangerous characters before adding to the SQL statement. Why perist in doing things the wrong way? Leaving the whole stored proc issue along, if you code SQL inline ALWAYS use parameters - end of story, problem solved (and many other problems). In reply to a previous post, generating a parameterised SQL statement dynamically at run time is the same as generating a non-parameterised query. Substitute the string concatinations with parameters, then dynamically supply the values. Having to define the SQL string at compile time is not a requirement of using parameterised queries.
Left on 6/16/2004 7:43:08 PM by Anonymous
Comments: Very Good Article, I think that even though a webmaster must know about this, it's good the have this type of articles just in case someone have forgotten about it or just didn't know about it. CONGRATS Patrick
Left on 6/16/2004 6:48:38 PM by Anonymous
Comments: Agreed.  There are many times when a stored proc is not practical.  As a current independent consultant, I've been through many situations in which implementing stored procs was a bad idea, or simply the client wanted a different implementation for various reasons.

No ratings available.
Left on 6/16/2004 6:46:33 PM by Anonymous
Comments: Hey at least it has people thinking. I don't think I have an article on my site that has received this many comments. Thanks. Patrick Santry
No ratings available.
Left on 6/16/2004 6:46:06 PM by Anonymous
Comments: The password scenario may look like the most obvious place for an attack however (it is the case if they want to gain access to your system) however any form that gathers data may be an opportunity for a hacker. The example below with the ; to start an new SQL statement is a prime example. It basically allows hackers to execute whatever SQL they like. So even a search box could in fact be used to drop your entire database. Escaping single quotes and double quotes if your RDMS uses them is a must for every single form field that is not validated to be a numeric value. Another good hint is to prevent any database errors being displayed to the user. The less they know about the internal workings the better. Personally I prefer SP's as it allows you to manage security more efficently
No ratings available.
Left on 6/16/2004 4:10:15 PM by Anonymous
Comments: Great article, "Guess what, in the real world you can't always use stored procs. Many times people DO NOT WANT THEIR SYSTEMS USING SPROCS. Why, because maybe they will move down to MS-SQL at some point, or up from a free db. The world is not black and white, and if you are an indepent consultant, you know that. But the Author did obviously know this, because he covered, using parameterized queries all well. This "I can't see why a MVP would be using in-line sql" sounds like he just studied a MCSD guide and has like 3 weeks of experience
Left on 6/16/2004 12:25:15 PM by Anonymous
Comments: You can force clean text with a regular expression like "[^0-9a-zA-Z]".  But that also prohibits searches of "O'Reily".

I would like to know how to implement the previous poster's comment: "Even dynamically generated SQL should be generated with parameters."  What if you don't know the exact mix of parameters until runtime?

And, I'll echo, "So a carefully designed dynamic SQL application can work without these sorts of problems."
Left on 6/16/2004 11:11:37 AM by Anonymous
Comments: "If only it were that simple as adding a catch for single quotes."  If you're not checking your numeric fields for numeric values, there's something else that's wrong with your program.


No ratings available.
Left on 6/16/2004 10:11:55 AM by Anonymous
Comments: You can do this without stored procs:
1. For string inputs, escape the ' out.
2. For non-string inputs, run an explicit type conversion (CLng()). If non-numeric data is in there, and error will be thrown during the conversion.
Left on 6/16/2004 3:47:42 AM by Anonymous
Comments: Seems obvious and good coding practice to use stored procs - at least laziness won't get the better of me now. :)
Left on 6/15/2004 8:27:18 PM by Anonymous
Comments: Just as an FYI, this was published back in April.
No ratings available.
Left on 6/15/2004 8:01:24 PM by Anonymous
Comments: I wanted to give 4 as rating, only becuase it is quite old issue and I thought it is quite obvious, but ... I read comments and I have realized that quite many people calling themselves 'programmers' do not really know what they are doing :). Good work Patrick - shame that some of your readers still have no clue what you are talking about ;)
Left on 6/15/2004 2:51:00 PM by Anonymous
Comments: If only it were that simple as adding a catch for single quotes. Take, for instance, an SQL query which has the where clause containing only numeric values. Something like:

select value1, value2, num_value3 from database
where num_value3=some_user_supplied_number

In this case, the attacker may execute an additional SQL query, by supplying an input like:

3; insert values into some_other_table

No ratings available.
Left on 6/15/2004 2:23:13 PM by Anonymous
Comments: Man, that's an awful lot of work.  Seems like most of you guys don't already know about this.  Try:

Dim SQL As String = "SELECT Count(*) FROM Users WHERE UserName = '" & _
username.text.Replace("'", "''") & "' AND Password = '" & password.text.Replace("'", "''") & "'"

That will solve your SQL injection attack problem.  What is does is to replace a single quote with 2 single quotes, which effectively escapes it.
Left on 6/15/2004 11:32:11 AM by Anonymous
Comments: The point of the article isn't about password verification, that was provided as an example of an attack.
No ratings available.
Left on 6/15/2004 11:23:16 AM by Anonymous
Comments: Why not just compare, instead of create a SQL statement.
Exp.
rs("username")=tmpUsrName
rs("password")=tmpPassword
If tmpUsername=request("Username") and tmpPassword=request("Password") then
.....
End if
The other way look far to much complicated. Best Christian ccr@ccr.dk
No ratings available.
Left on 6/14/2004 8:50:48 PM by Anonymous
Comments: I found the comments more interesting and worthy of a laugh. The point of the article is to avoid constructing SQL dynamically based on user input. It's just amusing to watch zealots push their ideological bandwagons at any oportunity. What's this crap over always use Stored Procedures? It's relevance to this article is non-existant since the same problems potentially exist. (By the way there are many many many reasons to void Stored Procedures in this day and age, but you'll probably have to view non-MS related sites to find out why.) If you stick to the rule of always parameterising queries whether inline or via stored procs you avoid the problem. You also avoid other problems of having to pre-format data for so it can be safely embedded in an SQL statement, like stripping quotation marks, or formatting dates the right way. Even dynamically generated SQL should be generated with parameters.
Left on 6/14/2004 3:16:03 PM by Anonymous
Comments: Good article. It would be good that we need to consider security at database level for password field too.
Left on 6/14/2004 12:15:09 PM by Anonymous
Comments: Good base article to remind people about security. Two things to connsider. First if your are using stored procedures, make sure your SQL connection isn't using an administrator level user to log in. Some injections may work with stored procedures if the DB user has high enough privilages. Also some apps do need dynamic SQL. If so I'd recommend adding a class to your Data Layer that checks for some of the common injection types and strips them out. I wrote a class like this for one of my apps and it worked well.
Left on 6/14/2004 11:49:48 AM by Anonymous
Comments: The bottom line is, you should NEVER allow a user to complete and Inline SQL query with his or her own input.  Use stored procs, or at the least, paramaterized queries.

Trusting user input to finish your code is a recipe for diasaster.
No ratings available.
Left on 6/14/2004 10:53:42 AM by Anonymous
Comments: odkryl ameryke, kurcze, przeciez tak chyba kazdy POWAZNY programista robi..
Left on 6/14/2004 9:03:54 AM by Anonymous
Comments: Nice article, thanks for the advice.
Left on 6/14/2004 7:47:29 AM by Anonymous
Comments: No if it must be an integer, then the application should check that the input is an integer otherwise the app will crash when someone makes a mistake.  So a carefully designed dynamic SQL application can work without these sorts of problems.  Nonetheless, it is good article.
Left on 6/14/2004 6:56:43 AM by Anonymous
Comments: It more than the apostrophe issue. Say you have a form that accepts integer, but you don't verify the data to make sure it's an iteger value. Someone then enters or 0=0 --, no apostrophe needed here. Some of this depends on how much an attacker knows about your application as well. The main point here is you should never use dynamic SQL when you are accepting input from users to your application.
No ratings available.
Left on 6/14/2004 2:58:54 AM by Anonymous
Comments: Patrick, you made a very good effort in showing a trick to the developers to save their code being injected for database tempering purpose.  I don't know but i doubt that we can also be safe if we alter ' (quote) to double quotes ('') and then fire a query on db.   

Keep it up.  -- DotNETKans
Left on 6/14/2004 2:03:53 AM by Anonymous
Comments: The key to an SQL injection attack is the apostrophe.  If I were writing this application, I would escape any apostrophe entered by the user.  Not only would this prevent an SQL injection attack from happening but it would also prevent the application from crashing should the user's name be O'Reilly.
Left on 6/14/2004 1:12:05 AM by Anonymous
Comments: it was really good
Left on 6/4/2004 6:50:21 AM by Anonymous
Comments: Did you miss the entire point of the article? IT IS to tell people to use sprocs or parameterized queries. "I can't see why a MVP would be using in-line sql" WHERE DID YOU GET THAT? Where in the article do I say "Hey folks look at me I use in-line SQL." Either you didn't read the article or you're having a problem with bablefish.
No ratings available.
Left on 6/4/2004 5:31:27 AM by Anonymous
Comments: While the article is correct, it still is insufficient.

A) The examples only work with Sql Server. You can use the same examples for Ms Access by replacing the '--' with %00 which is the character that ends a string for access.

B) If you just use stored procedures LIKE YOU OUGHT TO then you never have this problem. USE STORED PROCEDURES - USE STORED PROCEDURES ! I can't see why a MVP would be using in-line sql. There is no way to justify that.

c) Also, using commandtext just to execute in-line sql is not good. You're creating way too much overhead on your application.

d) Just use stored procedures.
  

 Latest Articles
  

 Latest News
  

 
Spotlight
Syndication