asp.netPRO
asp:Feature

LANGUAGES: C#

ASP.NET VERSIONS: 2.0

 

Prevent SQL Injection Attacks

Is Your Data Safe from Intruders?

 

 

Although awareness of it is growing, SQL injection remains a serious security vulnerability and a real concern for application developers, because a successful attack can read, alter, or destroy critical data. The technique takes advantage of non-validated user input to inject SQL fragments into statements that the application builds dynamically, so that the attacker's SQL is executed alongside the intended query. The best way to prevent SQL injection is to use parameterized queries and stored procedures rather than building and executing SQL statements dynamically from strings. This article explains what SQL injection is and presents the best practices that help you combat these attacks and protect your data.

 

What Is SQL Injection?

SQL injection is a security vulnerability that enables an attacker to execute unauthorized SQL commands by embedding them in the SQL statements of a Web application. It takes advantage of non-validated input in applications that build SQL queries dynamically.

 

When Does It Occur?

This typically happens when your application accepts user input and builds SQL statements dynamically from it without a proper input validation mechanism. How? Assume there is a login form where the user fills in a user name and a password and then clicks the Submit button to log in to the application. Suppose the user fills out the form as shown below:

 

Login: ' OR ''='

Password: ' OR ''='

 

The resultant query is:

 

SELECT userName FROM Users WHERE userName = '' OR ''='' AND Password = '' OR ''=''

 

The WHERE clause is, of course, always true, so the query matches every user regardless of the credentials that were supplied.

 

In the same way, an intruder can inject SQL into any query that your application builds dynamically and turn it into the form shown below:

 

SELECT * FROM products WHERE productID = 1 or 1=1

 

The condition is always true, irrespective of the value of the product ID, so the query returns every row in the table. Hence, your data is under threat!
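The following C# is an added example, not code from the original article: it shows the login query above being built by string concatenation, which is how the ' OR ''=' input becomes SQL, beside the parameterized form. The connection string, the Users table layout, and the column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // VULNERABLE: user input is pasted straight into the SQL text. With the
    // input shown above (' OR ''=') this yields exactly the query the article lists.
    public static string BuildUnsafeLoginSql(string userName, string password)
    {
        return "SELECT userName FROM Users WHERE userName = '" + userName +
               "' AND Password = '" + password + "'";
    }

    // SAFE: the SQL text is fixed; the values travel as typed parameters, so a
    // quote in the input is just a character inside the value, never SQL syntax.
    // (Connection string and column sizes are assumptions for this example.)
    public static bool IsValidLogin(string connectionString, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE userName = @userName AND Password = @password";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@userName", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 100).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() == 1;
        }
    }

    public static void Main()
    {
        // Constructed input from the article's login form: both fields are ' OR ''='
        string attackerInput = "' OR ''='";
        // Prints: SELECT userName FROM Users WHERE userName = '' OR ''='' AND Password = '' OR ''=''
        Console.WriteLine(BuildUnsafeLoginSql(attackerInput, attackerInput));
    }
}
```

With the parameterized version the same input is compared literally against the userName and Password columns, so the injected condition never reaches the SQL parser.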

 

How Do I Prevent It?

The following measures are effective in preventing SQL injection attacks:

  • Prevent unauthorized access to the database, and limit the permissions granted to the database account that the application uses.
  • Validate user input properly before using it, stripping off potentially malicious characters.
  • Always use parameterized SQL queries and stored procedures rather than building SQL statements dynamically from strings.
  • Avoid displaying the actual database errors or messages to end users.

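The following C# is an added example, not code from the original article: it applies the four measures above to the product lookup from the earlier section (a low-privilege connection, whitelist validation of the product ID, a stored procedure call with a typed parameter, and a generic error message). The connection string, the shop_app login, the usp_GetProductById procedure, and the product ID format are all assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Text.RegularExpressions;

public static class ProductLookup
{
    // 1. Least privilege: connect as a dedicated login (constructed for this example)
    //    that has EXECUTE on the application's stored procedures and nothing more.
    const string ConnStr = "Server=.;Database=Shop;User ID=shop_app;Password=<placeholder>;";

    // 2. Validate input before it goes anywhere near SQL: a product ID must be a
    //    positive integer, so an input such as "1 or 1=1" is rejected outright.
    public static bool TryParseProductId(string raw, out int productId)
    {
        productId = 0;
        return !string.IsNullOrEmpty(raw)
            && Regex.IsMatch(raw, @"^\d{1,9}$")
            && int.TryParse(raw, out productId)
            && productId > 0;
    }

    // 3. Stored procedure with a typed parameter instead of "... WHERE productID = " + raw.
    // 4. Database errors are logged server-side; the caller only sees a generic message.
    public static DataTable GetProduct(string rawProductId)
    {
        int productId;
        if (!TryParseProductId(rawProductId, out productId))
            throw new ArgumentException("Invalid product id.");

        try
        {
            using (SqlConnection conn = new SqlConnection(ConnStr))
            using (SqlCommand cmd = new SqlCommand("usp_GetProductById", conn))
            {
                cmd.CommandType = CommandType.StoredProcedure;
                cmd.Parameters.Add("@productID", SqlDbType.Int).Value = productId;
                DataTable table = new DataTable();
                new SqlDataAdapter(cmd).Fill(table);
                return table;
            }
        }
        catch (SqlException ex)
        {
            // Keep the real error text (table names, server details) out of the page.
            System.Diagnostics.Trace.TraceError("Product lookup failed: {0}", ex);
            throw new ApplicationException("The product could not be retrieved.");
        }
    }
}
```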
 

Conclusion

The best defense against SQL injection is to avoid building SQL statements dynamically and to adopt proper mechanisms that strip potentially malicious characters from input data. Needless to say, a proper understanding of databases is a prerequisite for adopting such preventive measures. This article has discussed what SQL injection attacks are and the preventive measures that can be adopted to avoid them. I welcome readers' comments and suggestions.

 

References

Please check the following links for further references on this topic:

SQL Security

SQL Injection Walkthrough

Protecting Yourself from SQL Injection Attacks

 

Working extensively in Microsoft technologies for more than 10 years, Joydip Kanjilal is a Senior Project Leader for a company in Hyderabad, India. His programming skills include C, C++, Java, C#, VB, VC++, ASP.NET, XML, and UML. He has worked with .NET and C# for more than five years. Reach Joydip at mailto:joydipkanjilal@yahoo.com.

Copyright © 2008 Informant Communications Group. All Rights Reserved.