See more: ASP.NET, SQL-Server
I have one question: how to protect our MS SQL Server 2005 web application from SQL injection, and especially how to protect a web application from blind SQL injection like 1'or'1'='1?
Please explain to me with a description, screenshots and code, please.
Posted 22-Nov-12 19:50pm

Solution 1

Milind_T at 23-Nov-12 2:06am
Comprehensive list.
Sergey Alexandrovich Kryukov at 23-Nov-12 11:52am
Good reading, a 5. --SA
__TR__ at 24-Nov-12 3:06am
Thank you :)

Solution 2

I fail to see how this kind of exploit can be done by injecting the code you show, but the solution protecting from SQL injection should be universal and protect from any kind of injection. In other words, you should not allow the user to inject anything which could become a part of SQL code, but allow the user to provide only the data. Even if the user supplies some string which can be interpreted as a fragment of SQL code, this string will be interpreted as string data, which would have no way to sneak into the code.
With ASP.NET, specifically, you should understand that a user can send any input which your server-side code-behind handler can accept, totally bypassing HTML forms or any other client-side mechanism, such as Ajax. Such bypassing can be done by complete simulation of such malicious client behavior by directly forming an HTTP request. With .NET, for example, this is quite elementary, based on available BCL code.
You should never repeat the common mistake: composing an SQL statement out of string fragments using string concatenation or string.Format with user-supplied data. As the only mechanism of parametrization based on user input, parametrized statements should be used: [^].
Please see how it can be done with ADO.NET: [^], [^].
__TR__ at 23-Nov-12 3:21am
Nice explanation. My 5.
Sergey Alexandrovich Kryukov at 23-Nov-12 11:52am
Thank you. --SA
chetankhatri at 24-Nov-12 1:54am
Thank you, I talk about blind SQL injection like id=admin, password=1'or'1'='1
Sergey Alexandrovich Kryukov at 24-Nov-12 18:54pm
I got it, it is described in the same article I referenced, as well as mitigation. --SA
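The contrast Solution 2 describes, as an added example that is not part of any answer above: the concatenated login query that the original poster's 1'or'1'='1 input breaks, placed next to the same check written with ADO.NET parameters. The table dbo.Users with columns UserName and Password, and a connection string named "AppDb" in Web.config, are assumptions made for the example; the code targets the classic System.Data.SqlClient provider that ships with .NET and works against SQL Server 2005.

```csharp
// Added example, not code from the original Q&A.
// Assumptions: a table dbo.Users(UserName nvarchar(50), Password nvarchar(100))
// and a <connectionStrings> entry named "AppDb" in Web.config.
// Requires a reference to System.Configuration.dll.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class LoginCheck
{
    private static SqlConnection OpenConnection()
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        var conn = new SqlConnection(cs);
        conn.Open();
        return conn;
    }

    // VULNERABLE: user input becomes part of the SQL text. With
    // userName = "admin" and password = "1'or'1'='1" the server receives
    //   ... WHERE UserName = 'admin' AND Password = '1'or'1'='1'
    // and the OR makes the predicate true for every row, so the count is
    // non-zero and the caller is logged in without knowing a password.
    // Kept here only to show what the parameterized version prevents.
    public static bool IsValidUser_Unsafe(string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM dbo.Users WHERE UserName = '"
                     + userName + "' AND Password = '" + password + "'";
        using (SqlConnection conn = OpenConnection())
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the statement text is a constant; the user's values travel to
    // SQL Server as typed parameters, separate from the SQL. The server
    // never parses a parameter value as SQL, so 1'or'1'='1 is compared
    // literally against the Password column and simply does not match.
    // The same property defeats blind (boolean/time-based) injection,
    // because no user-controlled text can alter the query's logic.
    public static bool IsValidUser(string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM dbo.Users WHERE UserName = @user AND Password = @pwd";
        using (SqlConnection conn = OpenConnection())
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.CommandType = CommandType.Text;
            // Declaring type and length makes the parameter match the column,
            // which avoids implicit conversions and keeps the plan cacheable.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 100).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

In a code-behind handler you would call `LoginCheck.IsValidUser(txtUser.Text, txtPassword.Text)` and never build the query from those strings yourself. The example keeps a plain Password column so that the only difference between the two methods is parameterization; in a real application the stored value would be a password hash, which is a separate concern from injection.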

Solution 3

I would add just one more link to what __TR__ added, and probably the most important one: sql injection
This should answer all of your questions :)
__TR__ at 23-Nov-12 3:22am
Agree with you. Google is the most important link. +5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Last Updated 23 Nov 2012
Copyright © CodeProject, 1999-2014
All Rights Reserved. Terms of Use