Click here to Skip to main content
Click here to Skip to main content
Technical Blog

Tagged as

ADO.NET – How to Prevent SQL Injection Attack?

, 24 Feb 2014 CPOL
Rate this:
Please Sign up or sign in to vote.
This post goes over the prevention of SQL injection attack in ADO.NET

Introduction

In the last articles on ADO.NET, we have discussed about SQL injection attack. You can read those articles here. In this article, we will go over prevention of SQL injection attack in ADO.NET.

We can avoid SQL injection attacks in two ways:

  1. Using parameterized queries
  2. Using stored procedures

Let’s examine one by one. The tblProductInventory table which we have used in the previous article is as follows:

tblProductInventory

As we know, the following lines of code were causing SQL injection attack.

string CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
string Command=“Select * from tblProductInventory where ProductName like ‘”+TextBox1.Text     + “%’”;
    SqlCommand cmd = new SqlCommand(Command, con);
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

Using Parameterized Queries

The above code can easily be rewritten using parameterized queries to prevent SQL injection attack. 

string CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
// Parameterized query. @ProductName is the parameter
  string Command = “Select * from tblProductInventory _
  where ProductName like @ProductName”;SqlCommand cmd = new SqlCommand(Command, con);
// Provide the value for the parameter
    cmd.Parameters.AddWithValue(“@ProductName”, TextBox1.Text + “%”);
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

Notice that the query now uses parameter @ProductName. The value for this parameter is then provided using AddWithValue() method. The parameter is associated with the command object using Parameters collection property of the command object.

Now if we type the following input into the TextBox, the entire content of the TextBox is treated as a value for the parameter @ProductName, not as a separate SQL statement. Thereby, it removes SQL injection attack.

i’; Delete from tblProductInventory –

Using Stored Procedures

SQL injection can also be prevented using stored procedures. So first, let’s write a stored procedure that returns the list of products. This stored procedure takes an input parameter @ProductName.

CREATE PROCEDURE spGetProductsByName
@ProductName nvarchar(50)
AS
BEGIN
SELECT * FROM tblProductInventory 
WHERE ProductName LIKE @ProductName + ‘%’
END

To test this procedure, execute the following command in SQL Server Management Studio (SSMS).

EXECUTE spGetProductsByName ‘ip’

As a result of the above query, all the products whose name starts with ‘ip’ will be returned.

Now, let’s rewrite the code to use stored procedure spGetProductsByName.

string CS = ConfigurationManager.ConnectionStrings["DBCS"].ConnectionString;
using (SqlConnection con = new SqlConnection(CS))
{
// The command that we want to execute is a stored procedure,
// so specify the name of the procedure as cmdText
    SqlCommand cmd = new SqlCommand(“spGetProductsByName”, con);
// Specify that the T-SQL command is a stored procedure
    cmd.CommandType = System.Data.CommandType.StoredProcedure;
// Associate the parameter and it’s value with the command object
    cmd.Parameters.AddWithValue(“@ProductName”, TextBox1.Text + “%”);
    con.Open();
    GridView1.DataSource = cmd.ExecuteReader();
    GridView1.DataBind();
}

The above code as well will treat the entire content of the TextBox as a value for @ProductName and hence avoid SQL injection attack.

So the main point here to ponder is, always use parameterized queries or stored procedures to avoid SQL injection attacks.

Reference: Arun Ramachandran (http://BestTEchnologyBlog.Com)

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Arun Ramachandran India
Software Developer
India India
Arun Ramachandran is a Software Engineer having hands on experience in different Microsoft Technologies who is presently working in Experion Technologies, India. He has written over 95 articles on the subject on his blog at http://BestTEchnologyBlog.com. Along with 3 years of hands on experience he holds a Master of Computer Applications degree from Cochin University of Science & Technology (CUSAT).

Comments and Discussions

 
Generalgreatt.. thanks. Pinmembercempreng25-Feb-14 20:46 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Terms of Use | Mobile
Web01 | 2.8.150129.1 | Last Updated 24 Feb 2014
Article Copyright 2014 by Arun Ramachandran India
Everything else Copyright © CodeProject, 1999-2015
Layout: fixed | fluid