I have a problem with a text box.

When a user writes something in the text boxes, it saves it, but an SQL query or bad text or something is automatically injected into the database. I don't know what is happening to it... it saves false data in the database.

2. I am thinking that SQL was automatically injected by the format of the text.

Can anyone provide me a solution for it?

I can't restrict my text box for special characters.

This is why I am facing so many problems.
Comments
pradiprenushe 5-Sep-12 6:36am    
Can you give an example?
What had you tried to insert & what was in the database?
[no name] 5-Sep-12 14:50pm    
How are you saving the data? Are you using parameterized queries?
syedaliaizazuddin 6-Sep-12 0:30am    
No, bro...

Just use stored procedures for Insert, Update and Select on the database.
 
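As an added example (not code from this thread or from any of the posters), here is the pattern the comment above asks about, in ADO.NET as used from an ASP.NET code-behind. The first method builds the INSERT by concatenating the TextBox value into the SQL text, which is how attacker-supplied text ends up executing as SQL; the second passes the value as a typed SqlParameter; the third calls a stored procedure the same way. The table dbo.Comments, its Body column, the procedure dbo.SaveComment and the connection string are assumptions made for illustration.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. Table dbo.Comments(Body nvarchar(500))
// and procedure dbo.SaveComment(@Body nvarchar(500)) are assumptions.
public static class CommentRepository
{
    // VULNERABLE: the text box value is spliced into the SQL text, so a value such as
    //   '); DELETE FROM dbo.Comments; --
    // closes the string literal and the VALUES list and runs a second statement:
    //   INSERT INTO dbo.Comments (Body) VALUES (''); DELETE FROM dbo.Comments; --')
    public static void SaveUnsafe(string connectionString, string body)
    {
        string sql = "INSERT INTO dbo.Comments (Body) VALUES ('" + body + "')";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: the SQL text is constant and the value travels as a typed parameter,
    // so quotes, semicolons and comment markers are stored literally as data.
    // No special-character filtering on the text box is needed for this.
    public static void SaveParameterized(string connectionString, string body)
    {
        const string sql = "INSERT INTO dbo.Comments (Body) VALUES (@Body)";
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@Body", SqlDbType.NVarChar, 500).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    // SAFE: a stored procedure called with the same parameter binding. The protection
    // comes from the binding, not from the fact that a procedure is used.
    public static void SaveViaProcedure(string connectionString, string body)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("dbo.SaveComment", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Body", SqlDbType.NVarChar, 500).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```

In the page's button handler the call would be `CommentRepository.SaveParameterized(connectionString, txtComment.Text)` (txtComment is an assumed control name). Because the query text never changes, the same payload that deletes the table through SaveUnsafe is simply stored as a 32-character comment through the other two methods.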
 
Hello,

These articles might be able to help you identify the vulnerabilities. Make sure you sanitize the user input on the server side as well; don't depend only on client-side validation (JavaScript). Using a stored procedure will not 100% shield your application from the vulnerability. It depends on how you use it. If you have a stored procedure with a dynamic query, that might be open to SQL injection as well.

http://msdn.microsoft.com/en-us/library/ff648339.aspx

SQL Injection and Cross-Site Scripting

http://www.mikesdotnetting.com/Article/113/Preventing-SQL-Injection-in-ASP.NET

http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx
 
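An added example (not code from the answer above or from the thread) of the caveat it raises: two versions of a lookup procedure that are both called from C# "correctly", with CommandType.StoredProcedure and a SqlParameter. The first concatenates its parameter into a string and runs it with EXEC, so the caller's parameter binding is undone inside the procedure and the payload still rewrites the WHERE clause; the second keeps a parameter inside the dynamic statement and binds it with sp_executesql. The table dbo.Users, the procedure names and the connection string are assumptions; CREATE OR ALTER needs SQL Server 2016 SP1 or later (use CREATE PROCEDURE on older servers).

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. dbo.Users(UserName nvarchar(50)) and the two
// procedures are assumptions; run against a database where you may create procedures.
public static class DynamicSqlDemo
{
    // VULNERABLE even though the caller binds @UserName as a parameter: the value is
    // concatenated into @Sql, so it becomes part of the query text that EXEC runs.
    public const string CreateUnsafeProc = @"
CREATE OR ALTER PROCEDURE dbo.FindUser_Unsafe @UserName nvarchar(50) AS
BEGIN
    DECLARE @Sql nvarchar(max) =
        N'SELECT UserName FROM dbo.Users WHERE UserName = ''' + @UserName + N'''';
    EXEC (@Sql);
END";

    // SAFE: the dynamic statement carries its own parameter @u and sp_executesql binds
    // the value to it, so the text of the query never depends on the input.
    public const string CreateSafeProc = @"
CREATE OR ALTER PROCEDURE dbo.FindUser_Safe @UserName nvarchar(50) AS
BEGIN
    DECLARE @Sql nvarchar(max) =
        N'SELECT UserName FROM dbo.Users WHERE UserName = @u';
    EXEC sp_executesql @Sql, N'@u nvarchar(50)', @u = @UserName;
END";

    public static void CreateProcedures(string connectionString)
    {
        using (var conn = new SqlConnection(connectionString))
        {
            conn.Open();
            // Each CREATE PROCEDURE must be the only statement in its batch.
            foreach (string ddl in new[] { CreateUnsafeProc, CreateSafeProc })
                using (var cmd = new SqlCommand(ddl, conn))
                    cmd.ExecuteNonQuery();
        }
    }

    // Calls either procedure the recommended way and returns the number of rows returned.
    public static int CountMatches(string connectionString, string procedureName, string userName)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(procedureName, conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@UserName", SqlDbType.NVarChar, 50).Value = userName;
            conn.Open();
            int rows = 0;
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) rows++;
            return rows;
        }
    }

    public static void Main()
    {
        // Assumed connection string; adjust for your server.
        string cs = "Server=(local);Database=AppDb;Integrated Security=true;";
        CreateProcedures(cs);

        string payload = "' OR 1=1 --";   // constructed payload, fits in nvarchar(50)

        // Unsafe: the executed text is  ... WHERE UserName = '' OR 1=1 --'  so every
        // row in dbo.Users is returned, regardless of the parameter binding in C#.
        Console.WriteLine("Unsafe proc rows: " + CountMatches(cs, "dbo.FindUser_Unsafe", payload));

        // Safe: the payload is compared literally as a user name; 0 rows unless a user
        // is actually called  ' OR 1=1 --
        Console.WriteLine("Safe proc rows:   " + CountMatches(cs, "dbo.FindUser_Safe", payload));
    }
}
```

The check a reviewer should make is therefore not "does the code use stored procedures?" but "does any SQL text, in C# or in T-SQL, ever contain user input?" Any EXEC (@string) or sp_executesql without a parameter list that was built from an input is the same bug moved one layer down.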
 
Restrict all the special characters (whichever are troubling you) from being entered into the text box. You can find many JavaScript functions which can help you restrict special characters.
 
 
Comments
syedaliaizazuddin 5-Sep-12 4:36am    
I have told you that I can't restrict it... mentioned above in the second-to-last line.
Thanks for your answer.
Dasaradhi_r 5-Sep-12 4:40am    
May I know why it is not possible? So that I will be able to understand the problem better.
syedaliaizazuddin 6-Sep-12 0:33am    
Because it's a company requirement... they are not allowing me to do that... I'm an intern... so that's why they are not trusting me, I think so...

If this is not the problem I will restrict all special characters; there are so many articles on special character restriction... but is there any way without restricting?
I agree with Jafaripur: use stored procedures, and also maybe try to create a separate project with classes (a "Class Library") where you will create methods with your SQL statements, then call the methods in your aspx pages and see how that works.
 
 
SQL injection is one kind of attack where the attacker generates malicious code and sends it into an SQL query to access the database or system.

For more, please visit:

http://cybarlab.blogspot.com/2013/02/what-is-sql-injection.html
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)