asp:Feature
LANGUAGES:C#
ASP.NETVERSIONS: 2.0
Prevent SQL Injection Attacks
Is Your Data Safe from Intruders?
By Joydip Kanjilal
Although the awareness is increasing day by day, a SQLinjection attack still poses a serious security vulnerability. This is aserious concern for application developers as it tends to break into, alter, ordamage critical data. This is a technique that takes advantage of non-validateduser input data to inject SQL statements dynamically into the existing ones forexecution, and, hence, poses a severe security threat to the supposedly securesystems. The best way to prevent SQL injection is to use parameterized queriesand stored procedures rather than building and executing SQL statementsdynamically. This article discusses what SQL injection is all about, as well asthe suggested solutions or best practices for how we can combat these attacksand secure our important data.
What Is SQL Injection?
SQL injection is security vulnerability, a serioussecurity threat that enables an attacker to execute unauthorized SQL commandsby embedding them in the SQL statements by taking advantage of non-validatedinput in Web applications that attempt to build SQL queries dynamically.
When Does It Occur?
This typically happens in situations where yourapplication accepts user input and builds SQL statements dynamically without aproper input validation mechanism. How? Let?s assume there is a login formwhere the user needs to fill in the user name and the password and then clickthe Submit button to log in to an application. Suppose the user fills out theform as shown below:
Login: ? OR ??=?
Password: ? OR ??=?
The resultant query is:
SELECT userName FROM Users WHERE userName = '' OR ''='' ANDPassword = '' OR ''=''
This, of course, will always return true.
A smart intruder can inject SQL statements into a SQLquery that is built dynamically in your application and can turn the query intothe form, as shown below:
SELECT * FROM products WHERE productID = 1 or 1=1
This would always return true, irrespective of the valueof the product id. Hence, your data is under threat!
How Do I Prevent It?
The following points highlight the effective measures thatcan be adopted to prevent SQL injection attacks:
- Prevent unauthorized access to the database andlimit the permissions that are granted to the database user account that theapplication uses.
- Validate user input properly before using it,stripping off the potentially malicious characters.
- Always use parameterized SQL queries and storedprocedures rather than building the SQL statements dynamically.
- Avoid displaying the actual database errors ormessages to the end users.
Conclusion
The best defense against SQL injection is to avoidcreating SQL statements dynamically and adopt proper mechanisms to strip offthe potentially malicious characters in the input data. Needless to say, aproper understanding of databases is a prerequisite for adopting suchpreventive measures. This article has discussed what SQL injection attacks areand the preventive measures that can be adopted to avoid such attacks. Iwelcome readers? comments and suggestions.
References
Please check the following links for further references onthis topic:
SQL Security
SQL InjectionWalkthrough
Protecting Yourselffrom SQL Injection Attacks
Working extensively in Microsoft technologies for more than 10years, Joydip Kanjilal is a SeniorProject Leader for a company in a Hyderabad,India. Hisprogramming skills include C, C++, Java, C#, VB, VC++, ASP.NET, XML, and UML.He has worked with .NET and C# for more than five years. Reach Joydip at mailto:joydipkanjilal@yahoo.com.