Click here to Skip to main content
15,893,487 members
Search within:


Articles / Web Development / ASP.NET
 

SQL Injection and Cross-Site Scripting

Rate me:
Please Sign up or sign in to vote.
4.92/5 (144 votes)
17 Apr 2017CPOL14 min read 501.2K   3.9K   317  
An article on SQL Injection and Cross-Site Scripting with sample code in C#.
 
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data.Common;
using Microsoft.Practices.EnterpriseLibrary.Data;

public partial class Login : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        string strQs = string.Empty;
        if (Request.QueryString["strErr"] != null)
        {
            strQs = Request.QueryString["strErr"] as string;
            lblDisplayErr.Text = strQs;
            HideLabel();
        }
        NoCache(); //remove cache
        ReadFromCookies();
    }

    void ReadFromCookies()
    {
        lblCookies.Text = string.Empty;
        if (Response.Cookies["email"] != null)
        {
            HttpCookie aCookie = Request.Cookies["email"];
            if (!string.IsNullOrEmpty(aCookie.Value))
            {
                lblCookies.Text = "Data from cookies:" + aCookie.Value;
            }
        }
        
    }

    //create cookies
    void FakeCookies()
    {
        Response.Cookies["email"].Value = txtUserName.Text;
        Response.Cookies["email"].Expires = DateTime.Now.AddDays(1);

        Response.Cookies["age"].Value = "22";
        Response.Cookies["age"].Expires = DateTime.Now.AddDays(1);
    }

    protected void btnLogin_Click(object sender, EventArgs e)
    {
        string sqlCommand = string.Empty;
        string strResult = string.Empty;
        object oEs;

        sqlCommand = "SELECT 'b' FROM dbo.tbl_users WHERE username='" + txtUserName.Text + "' AND password='"+ txtPassword.Text+ "'";

        Database db = Utilities.GetDatabase();

        using (DbCommand dbCommand = db.GetSqlStringCommand(sqlCommand))
        {
            oEs = db.ExecuteScalar(dbCommand);
        }

        if (oEs != null)
        {
            strResult = oEs as string;
        }

        if (!string.IsNullOrEmpty(strResult))
        {
            lblDisplayErr.Text = "Login successful";
            FakeCookies();
        }
        else
        {
            Response.Redirect("LoginPage.aspx?strErr=Invalid Username or Password");
        }
        HideLabel();

    }

    void NoCache()
    {
        Response.AddHeader("Cache-Control", "no-cache");
        Response.Expires = -1;
        Response.Cache.SetNoStore();
        Response.AddHeader("Pragma", "no-cache");

    }

    void HideLabel()
    {
        string strScript = string.Empty;
        string strCtrl = lblDisplayErr.ClientID;
        strScript = "<script>HideCtrl('" + strCtrl + "', '5000')</script>"; //hide after 3 sec
        Page.ClientScript.RegisterStartupScript(this.GetType(), Guid.NewGuid().ToString(), strScript, false);
    }

    protected void btnClear_Click(object sender, EventArgs e)
    {
        Server.Transfer("LoginPage.aspx");
    }

}

By viewing downloads associated with this article you agree to the Terms of Service and the article's licence.

If a file you wish to view isn't highlighted, and is a text file (not binary), please let us know and we'll add colourisation support for it.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Bryian Tan
Software Developer (Senior)
United States United States
I have over 10 years of experience working with Microsoft technologies. I have earned my Microsoft Certified Technology Specialist (MCTS) certification. I'm a highly motivated self-starter with an aptitude for learning new skills quickly.

Comments and Discussions

Permalink
Advertise
Privacy
Cookies
Terms of Use
Layout: fixed | fluid

Posted 16 Aug 2010

Article Copyright 2010 by Bryian Tan
Everything else Copyright © CodeProject, 1999-2024

Web02 2.8:2024-04-02:1