SQL Injection

Courtesy: uber:ASP.Net

By now you’re probably familiar with the risk of SQL injection attacks. Just to refresh your memory, this is when a naughty user of your site gets actual SQL statements to execute by way of a form on your page. If you concatenate strings to form SQL commands, you’re at risk. Consider this spot of code:

// Vulnerable: user-controlled text is concatenated straight into the SQL statement
string sql = "SELECT * FROM User WHERE Name = '" + NameTextBox.Text +
   "' AND Password = '" + PasswordTextBox.Text + "'";

Seems innocent enough, right? If someone knows that your code looks like that, you could be in a world of hurt. For example, if the user entered the following in the NameTextBox:

' OR 1=1 --

The actual SQL statement would be:

SELECT * FROM User WHERE Name = '' OR 1=1 --' AND Password = ''

The important part is the double dash, which comments out the rest of the statement. The 1=1 part adds a condition to the select that will include every row, because, well, 1 always equals 1. If you were using this to authenticate a user, they can enter anything and be logged in.

But it could be much worse. If your database connection string is using some privileged account (like, God forbid, the sa account in SQL Server), the naughty user could do more damage by putting a semi-colon (to make the command compound) followed by some DROP command to nuke your entire database, or execute a command line like “format d:” or something equally sinister. That wouldn’t be much fun.
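To see the bypass and its fix side by side, here is an added example (not from the original post) that rebuilds the page's concatenated login query and a parameterized version against a constructed in-memory SQLite table. It is in Python rather than C# so it runs stand-alone; the table name, columns and the sample user are assumptions, and the `' OR 1=1 --` input is the one from the text.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the page's User table (assumed schema).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (Name TEXT, Password TEXT)")
    conn.execute("INSERT INTO User VALUES ('alice', 's3cret')")
    return conn


def login_concatenated(conn, name, password):
    # Mirrors the page's string concatenation: whatever the user typed
    # becomes part of the SQL text, so quotes and '--' change the statement.
    sql = ("SELECT * FROM User WHERE Name = '" + name +
           "' AND Password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_parameterized(conn, name, password):
    # The fix: placeholders send the input as data, never as SQL syntax.
    # (SqlParameter on SqlCommand is the ASP.NET equivalent.)
    sql = "SELECT * FROM User WHERE Name = ? AND Password = ?"
    return conn.execute(sql, (name, password)).fetchall()


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"  # the NameTextBox input from the text
    return {
        # Concatenation: the comment eats the password check, every row matches.
        "concat_rows": len(login_concatenated(conn, payload, "")),
        # Parameterized: the same text is just a (non-matching) name.
        "param_rows": len(login_parameterized(conn, payload, "")),
        # Parameterized still works for a real credential.
        "param_valid_rows": len(login_parameterized(conn, "alice", "s3cret")),
    }


if __name__ == "__main__":
    print(demo())
```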
