Hi,
I have one question: how do I protect our ASP.NET web application with MS SQL Server 2005 from SQL injection, and especially how do I protect the web application from blind SQL injection like 1'or'1'='1 ?
Please explain it to me with a description, screenshots and code.
Thanks
Posted 22-Nov-12 20:50pm
Solution 1

Comments
Milind_T at 23-Nov-12 2:06am
Comprehensive list.
Sergey Alexandrovich Kryukov at 23-Nov-12 11:52am
Good reading, a 5.
--SA
__TR__ at 24-Nov-12 3:06am
Thank you :)
Solution 2

I fail to see how this kind of exploit can be done by injecting the code you show, but the solution protecting from SQL injection should be universal and protect from any kind of injection. In other words, you should not allow the user to inject anything which could become a part of the SQL code, but allow the user to provide only the data. Even if the user supplies some string which can be interpreted as a fragment of SQL code, this string will be interpreted as string data, which would have no way to sneak into the code.
 
With ASP.NET, specifically, you should understand that a user can send any input which your server-side code-behind handler can accept, totally bypassing HTML forms or any other client-side mechanism, such as Ajax. Such bypassing can be done by completely simulating such malicious client behavior by directly forming an HTTP request. With .NET, for example, this is quite elementary, based on available BCL code.
 
You should never repeat the common mistake: composing an SQL statement out of string fragments using string concatenation or string.Format with user-supplied data. As the only mechanism of parametrization based on user input, parametrized statements should be used:
http://en.wikipedia.org/wiki/SQL_injection#Parameterized_statements
 
Please see how it can be done with ADO.NET:
http://msdn.microsoft.com/en-us/library/ms254953.aspx,
http://msdn.microsoft.com/en-us/library/yy6y35y8.aspx.
 
—SA
Comments
__TR__ at 23-Nov-12 3:21am
Nice explanation. My 5.
Sergey Alexandrovich Kryukov at 23-Nov-12 11:52am
Thank you.
--SA
chetankhatri at 24-Nov-12 1:54am
Thank you, I talk about blind SQL injection like id=admin,password=1'or'1'='1
Sergey Alexandrovich Kryukov at 24-Nov-12 18:54pm
I got it, it is described in the same article I referenced, as well as mitigation.
--SA
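As an added illustration of the point made in Solution 2 (this is editor-added example code, not code from any poster on this page), here is the login check from the question written the vulnerable way beside the parameterized ADO.NET form. The table Users(UserName, Password), the column sizes and the connection string are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Editor-added example; the Users table and connection string are hypothetical.
public static class LoginCheck
{
    // VULNERABLE: user input is spliced into the SQL text. With
    // userName = "admin" and password = "1'or'1'='1" the WHERE clause
    // becomes  Password = '1' or '1'='1'  and matches every row, so the
    // check passes without a valid password.
    public static bool ExistsVulnerable(string connStr, string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
                     "' AND Password = '" + password + "'";
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is a constant; the values travel as typed
    // parameters and are never parsed as SQL, so 1'or'1'='1 is only a
    // ten-character string compared against the column.
    public static bool ExistsSafe(string connStr, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE UserName = @user AND Password = @pwd";
        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Explicit types and lengths: input longer than the column is
            // rejected by the driver instead of changing the query.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 200).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

In real code the Password column would hold a salted hash and the comparison would be done against that hash, but the parameter handling shown here is the same either way.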
Solution 3

I would add just one more link to what _TR_ added. And probably the most important one
 
http://www.google.co.in/search?q=prevent sql injection
 
This should answer all of your questions :)
Milind
Comments
__TR__ at 23-Nov-12 3:22am
Agree with you. Google is the most important link. +5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)