I have one question: how do I protect our ASP.NET web application running on MS SQL Server 2005 from SQL injection, and in particular from blind SQL injection like 1'or'1'='1?
Please explain with a description, screenshots and code.
Posted 22-Nov-12 20:50pm

Solution 1

Milind_T 23-Nov-12 2:06am
Comprehensive list.
Sergey Alexandrovich Kryukov 23-Nov-12 11:52am
Good reading, a 5.
__TR__ 24-Nov-12 3:06am
Thank you :)

Solution 2

I fail to see how this kind of exploit can be done by injecting the code you show, but the solution protecting from SQL injection should be universal and protect from any kind of injection. In other words, you should not allow the user to inject anything which could become a part of the SQL code, but allow the user to provide only the data. Even if the user supplies some string which can be interpreted as a fragment of SQL code, this string will be interpreted as string data, which has no way to sneak into the code.

With ASP.NET, specifically, you should understand that a user can send any input which your server-side code-behind handler can accept, totally bypassing HTML forms or any other client-side mechanism, such as Ajax. Such bypassing can be done by completely simulating such malicious client behavior, directly forming the HTTP request. With .NET, for example, this is quite elementary, based on available BCL code.

You should never repeat the common mistake: composing an SQL statement out of string fragments using string concatenation or string.Format with user-supplied data. As the only mechanism of parametrization based on user input, parametrized statements should be used: [^].

Please see how it can be done with ADO.NET: [^], [^].

__TR__ 23-Nov-12 3:21am
Nice explanation. My 5.
Sergey Alexandrovich Kryukov 23-Nov-12 11:52am
Thank you.
chetankhatri 24-Nov-12 1:54am
Thank you, I am talking about blind SQL injection like id=admin, password=1'or'1'='1
Sergey Alexandrovich Kryukov 24-Nov-12 18:54pm
I got it, it is described in the same article I referenced, as well as mitigation.
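The contrast the answer draws, as an added example that is not part of the original post or of any linked article: a login check written with string concatenation beside the same check written with ADO.NET parameters. The `Users` table, its `UserName`/`Password` columns and the `IsValidUser` method names are assumptions for illustration; with the questioner's input `1'or'1'='1` the concatenated WHERE clause is always true, while the parameterized version compares that text literally against the stored value and matches nothing.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical login check against a Users(UserName, Password) table (assumed schema).
public static class LoginCheck
{
    // VULNERABLE: user input is spliced into the SQL text. With password = 1'or'1'='1
    // the statement becomes
    //   ... WHERE UserName = 'admin' AND Password = '1'or'1'='1'
    // which is  (UserName='admin' AND Password='1') OR '1'='1'  -> always true.
    public static bool IsValidUser_Vulnerable(SqlConnection conn, string userName, string password)
    {
        string sql = "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
                     "' AND Password = '" + password + "'";
        using (var cmd = new SqlCommand(sql, conn))
        {
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is fixed; input is bound as typed parameter values.
    // The quote characters in 1'or'1'='1 are never parsed as SQL, so the value is
    // compared literally against the stored password and the check fails as it should.
    public static bool IsValidUser(SqlConnection conn, string userName, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM Users WHERE UserName = @user AND Password = @pwd";
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
            cmd.Parameters.Add("@pwd", SqlDbType.NVarChar, 50).Value = password;
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

The same rule applies to every value that reaches SQL, including the user name, numeric ids and sort columns; only the parameterized form should remain in the code base.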

Solution 3

I would add just one more link to what __TR__ added, and probably the most important one: sql injection

This should answer all of your questions :)
__TR__ 23-Nov-12 3:22am
Agree with you. Google is the most important link. +5

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
