asp:Feature
LANGUAGES:
C#
ASP.NET
VERSIONS: 2.0
Prevent SQL Injection Attacks
Is Your Data Safe from Intruders?
By Joydip Kanjilal
Although the awareness is increasing day by day, a SQL
injection attack still poses a serious security vulnerability. This is a
serious concern for application developers as it tends to break into, alter, or
damage critical data. This is a technique that takes advantage of non-validated
user input data to inject SQL statements dynamically into the existing ones for
execution, and, hence, poses a severe security threat to the supposedly secure
systems. The best way to prevent SQL injection is to use parameterized queries
and stored procedures rather than building and executing SQL statements
dynamically. This article discusses what SQL injection is all about, as well as
the suggested solutions or best practices for how we can combat these attacks
and secure our important data.
What Is SQL Injection?
SQL injection is security vulnerability, a serious
security threat that enables an attacker to execute unauthorized SQL commands
by embedding them in the SQL statements by taking advantage of non-validated
input in Web applications that attempt to build SQL queries dynamically.
When Does It Occur?
This typically happens in situations where your
application accepts user input and builds SQL statements dynamically without a
proper input validation mechanism. How? Let s assume there is a login form
where the user needs to fill in the user name and the password and then click
the Submit button to log in to an application. Suppose the user fills out the
form as shown below:
Login: OR =
Password: OR =
The resultant query is:
SELECT userName FROM Users WHERE userName = '' OR ''='' AND
Password = '' OR ''=''
This, of course, will always return true.
A smart intruder can inject SQL statements into a SQL
query that is built dynamically in your application and can turn the query into
the form, as shown below:
SELECT * FROM products WHERE productID = 1 or 1=1
This would always return true, irrespective of the value
of the product id. Hence, your data is under threat!
How Do I Prevent It?
The following points highlight the effective measures that
can be adopted to prevent SQL injection attacks:
- Prevent unauthorized access to the database and
limit the permissions that are granted to the database user account that the
application uses.
- Validate user input properly before using it,
stripping off the potentially malicious characters.
- Always use parameterized SQL queries and stored
procedures rather than building the SQL statements dynamically.
- Avoid displaying the actual database errors or
messages to the end users.
Conclusion
The best defense against SQL injection is to avoid
creating SQL statements dynamically and adopt proper mechanisms to strip off
the potentially malicious characters in the input data. Needless to say, a
proper understanding of databases is a prerequisite for adopting such
preventive measures. This article has discussed what SQL injection attacks are
and the preventive measures that can be adopted to avoid such attacks. I
welcome readers comments and suggestions.
References
Please check the following links for further references on
this topic:
SQL Security
SQL Injection
Walkthrough
Protecting Yourself
from SQL Injection Attacks
Working extensively in Microsoft technologies for more than 10
years, Joydip Kanjilal is a Senior
Project Leader for a company in a Hyderabad,
India. His
programming skills include C, C++, Java, C#, VB, VC++, ASP.NET, XML, and UML.
He has worked with .NET and C# for more than five years. Reach Joydip at mailto:joydipkanjilal@yahoo.com.