I have an urgent requirement that has to be implemented with regard to SQL injection.
My application went through a security scanning process and a few security threats with regard to SQL injection were found. We need your valuable support and guidelines to proceed further.
Project Details: Windows application, VS2008
Database: SQL Server 2008.

The issue types and their details are listed below:

Threat 1: During connection initialization
C#
SqlConnection  connection = new SqlConnection(connectionString);

At this line there is a chance of a security threat. We are getting the connection string parameter from web.config as below:
C#
private static readonly string connectionString = ConfigurationManager.AppSettings["ConnectionString"];

Flaw Information
Type: Untrusted Initialization
Issue: External Control of System or Configuration Setting
Attack Vector: system_data_dll.System.Data.SqlClient.SqlConnection.!newinit_0_1
Function: int ExecuteNonQuery(string, System.Data.CommandType, string,
System.Data.SqlClient.SqlParameter[])


Threat 2 :
Type: SQL Injection
Issue: Improper Neutralization of Special Elements used in an SQL Command ('SQLInjection')
Attack Vector: system_data_dll.System.Data.IDbCommand.ExecuteNonQuery
Function: int FetchSPExecutedReturnValue(string, System.Collections.IDictionary)
Threat Line:
C#
1. command.ExecuteNonQuery();


There are a few more similar threats like the above; the threat lines are pointed out below:

C#
2.  dataReader = command.ExecuteReader();


C#
3.  adapter.Fill(ds); 


C#
4. dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);


One more thing: we are not passing any queries to the DB at all. All the inputs are passed as parameters.
I am not sure what kind of threat there is with these (ExecuteNonQuery(), Fill(dataset) and connection initialization) and how to defend against malicious code/vulnerabilities.

Please help me out....
Comments
george4986 28-Feb-14 5:01am    
For example,

if your select query for login is
'select count(*) as val from usertable where user_id=@username and pwd=@userpwd'

then
if the user enters values in the fields like below
@username=xyz
@userpwd=;drop table usertable

the query after ';' will be executed as a new statement and it deletes the table usertable.

It is just a simple example. If we use a stored procedure it won't work.

There are many ways. Good luck.
Purushotham Agaraharam 28-Feb-14 5:21am    
Hi,
I have one more query: are the following methods safe from SQL injection if we are not passing any hard-coded values and queries to the database? We are sending all queries as stored procedures.
SqlConnection connection = new SqlConnection(connectionString);
command.ExecuteNonQuery();
dataReader = command.ExecuteReader();
adapter.Fill(ds);
dataReader = cmd.ExecuteReader(CommandBehavior.CloseConnection);

If an attacker tries to attack via the above lines, how can they do it?
george4986 28-Feb-14 5:46am    
Check the second link in the solution.
Nishith Jain 10-Jun-15 0:38am    
What did you do to fix the 'untrusted initialization' issue?
Nishith Jain 11-Jun-15 7:33am    
I am also stuck in the same situation. Please do let me know what you did to fix the Untrusted Initialization issue.
Thanks in advance.

Hi George,
Thanks for your quick reply. I went through your link; it's a bit generalized on SQL injection.
Can you help me out in the above situation? In what ways can the above be attacked, and how can we defend against the vulnerabilities?
Thanks,
purushotham
 
 
Comments
Maciej Los 28-Feb-14 5:53am    
This is not an answer. Please, delete it to avoid down-voting!
It seems you are trying to execute a string-concatenated query, say like this:
VB
Using cmd As New SqlCommand()
    ' Concatenating user input straight into the SQL text is the pattern
    ' a scanner flags: the value is parsed as part of the statement.
    cmd.CommandText = "Select * from Table where Field1 ='" & Fieldvalue1 & "'"
    cmd.Connection = con
    dataReader = cmd.ExecuteReader()
End Using

Avoid direct concatenation in any of the queries; just send it with parameters and it will surely avoid the risk.
This is just a guess; maybe your code is different from mine. Try to avoid the concatenation as much as possible.

For further reference, see http://msdn.microsoft.com/en-us/library/ff648648.aspx
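As an added example that is not code from the original question or its answers: the login query from george4986's comment, written first with string concatenation (the pattern this answer warns against), then with SqlParameter values, and finally in the stored-procedure form the questioner says they use. The connection string and the procedure name usp_CountUser are placeholders, not values from the page.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the original post: the login query from the
// comments built three ways. Connection string and procedure name are placeholders.
public static class LoginCheck
{
    private const string ConnectionString = "<your connection string here>";

    // VULNERABLE: input is spliced into the SQL text, so quotes or separators
    // in the input change the statement the server parses.
    public static int CountUserUnsafe(string userId, string pwd)
    {
        string sql = "select count(*) as val from usertable where user_id='" + userId + "' and pwd='" + pwd + "'";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // SAFE: the SQL text is constant; input travels as typed parameter values and
    // is never parsed as SQL, so an input of ";drop table usertable" stays a string.
    public static int CountUserSafe(string userId, string pwd)
    {
        const string sql = "select count(*) as val from usertable where user_id=@username and pwd=@userpwd";
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userId;
            command.Parameters.Add("@userpwd", SqlDbType.NVarChar, 50).Value = pwd;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }

    // Stored procedures follow the same rule: CommandType.StoredProcedure plus
    // parameters, never a concatenated "EXEC usp_CountUser '...'" string.
    public static int CountUserViaProc(string userId, string pwd)
    {
        using (var connection = new SqlConnection(ConnectionString))
        using (var command = new SqlCommand("usp_CountUser", connection)) // placeholder name
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@username", SqlDbType.NVarChar, 50).Value = userId;
            command.Parameters.Add("@userpwd", SqlDbType.NVarChar, 50).Value = pwd;
            connection.Open();
            return (int)command.ExecuteScalar();
        }
    }
}
```

Only CountUserUnsafe lets the caller's input reach the SQL parser; the other two send the same text to the server on every call, which is why a scanner that flags every ExecuteNonQuery/ExecuteReader call site still needs a manual check of how each command's text was built.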
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


