Sql Server injection

Question

1.00/5 (1 vote)

See more:

SQL-Server

SQL-Server-2008

Hi,

anyone explain the sql injection with clear example.

Regards,
Gopi

Posted 18-Mar-14 4:29am

Gopijack89

Add a Solution

2 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Krunal Rohit · Answer 1 · 2014-03-18T04:53:00

Solution 1

SQL Injection Attacks and Some Tips on How to Prevent Them[^]
http://technet.microsoft.com/en-us/library/ms161953(v=sql.105).aspx[^]
http://www.w3schools.com/sql/sql_injection.asp[^]

SQL_injection - Examples[^]

-KR

Posted 18-Mar-14 4:53am

Krunal Rohit

Trajan McGill · Answer 2 · 2014-03-18T05:01:00

Let's say you are building a web application that sells music. You have a database table called Albums, and a web page that lets the user browse those albums. You might have a page populated with data from a query like this:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums

Great so far. Now what if you want the user to be able to search? Okay, so you add a search box, and when they submit it, you take the value they submitted, put it in a variable called UserSearchValue, and construct your query with code that looks something like this:

C#

query = "SELECT Title, Year, AlbumName, CoverArtURL FROM Albums"
if (UserSearchValue.Length > 0)
    query += " WHERE Title LIKE '%" + UserSearchValue + "%'"
// ... submit query

So if the user puts in "Greatest Hits", you will get this query:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums<br />
WHERE Title LIKE '%Greatest Hits%'

Still so far so good.

But what if the user does something unexpected? What if the user enters this search string:
"'; DROP TABLE Albums; --"

Now what is the resulting query that your application is submitting to the database server? It will look like this:

SELECT Title, Year, AlbumName, CoverArtURL FROM Albums<br />
WHERE Title LIKE '%'; DROP TABLE Albums; --%'

The user has managed to add an entire query to your query, telling your server to drop the Albums table, just by finishing off the original query, inserting (or "injecting") extra code, then commenting out everything following. This is quite a disaster! This is what is known as "SQL injection", the technique whereby a user can cause his own code to be executed on your server. I would hope that the dangers of users being able to make your server do whatever they want are pretty obvious. It is a complete breach of system security and integrity. One clever person can destroy everything, through the user interface that you created! This is why you will hear repeated again and again that you must use techniques such as parameterized queries and cleansing of input rather than ever letting user-submitted text directly become a part of your SQL queries.