
SQL Injection and Cross-Site Scripting

17 Apr 2017, CPOL, 14 min read
An article on SQL Injection and Cross-Site Scripting with sample code in C#.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Practices.EnterpriseLibrary.Data;
using System.Data.Common;

public partial class JavaScriptFunctionInjection : System.Web.UI.Page
{
    public string sValue = string.Empty;

    protected void Page_Load(object sender, EventArgs e)
    {
    }

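    // Command handler; CommandArgument selects which form field is processed.
    protected void Button2_Click(Object sender, CommandEventArgs e)
    {
        string formValue = Request.Form["Text1"] as string;
        string formValue2 = Request.Form["Text2"] as string;

        // CommandArgument is typed as object, so == would compare references;
        // compare the string value instead.
        if (string.Equals(e.CommandArgument as string, "single"))
        {
            if (!string.IsNullOrEmpty(formValue))
            {
                // Text1: single quotes are doubled, then the value is HTML-encoded.
                sValue = Server.HtmlEncode(formValue.Replace("'", "''"));
            }
        }
        else
        {
            if (!string.IsNullOrEmpty(formValue2))
            {
                // Text2: stored exactly as submitted, with no encoding applied.
                sValue = formValue2; //quote
            }
        }
    }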
}


License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer (Senior)
United States
I have over 10 years of experience working with Microsoft technologies. I have earned my Microsoft Certified Technology Specialist (MCTS) certification. I'm a highly motivated self-starter with an aptitude for learning new skills quickly.
