rulururu

post SQL Injection Prevention

January 14th, 2008

Filed under: Database, Internet, Security — Kai @ 8:53 am

Everybody knows well about the issue of SQL injections.
True, but why is SQL injection still occurring? Isn’t everyone validating all user input these days?

For example say you have a logon form that accepts a user name and password. Once authenticated against the database, the application then sets a session value, or some other token for allowing the user to access the protected data.

Take a logon form for example, here you have two basic form elements, a textbox for accepting a user name, and a password box for the password.

<form action="admin.aspx"> 
<input name="username" type="textbox" /> 
<input name="password" type="password" />
<input type="submit" />

The code behind might be something like

String sQuery = "SELECT COUNT(*) FROM Users WHERE UserName = '"+username.Text+"' AND Password = '"+password.Text+"'";
SQLCommand cmd = new SQLCommand(sQuery, Connection);
int n = cmd.ExecuteScalar();

When entering “‘ or 0=0 –” into the username field the query looks like that:

SELECT COUNT(*) FROM Users WHERE UserName = '""' OR 0=0 --

which always would return the number of users.

As you can it’s just minor effort to see data of a database you are not supposed to see.

But also more bad things can happen to your database for example the following can kill lots of data.

'; drop table users --

Also the report of errorcodes can be very helpful for attackers. There’s a whole bunch of lists on the net what error code is related to which area in the server/database structure.

sQuery = "SELECT COUNT(*) FROM Users WHERE UserName = '@username' AND Password = '@password'";
SQLCommand cmd = new SqlCommand(sQuery, Connection);
cmd .Parameters.Add ("@username", SqlDbType.VarChar).Value = username.Text;
cmd .Parameters.Add ("@password", SqlDbType.VarChar).Value = password.Text;
cmd .Parameters.Add ("@return", SqlDbType.Int).Direction = ParameterDirection.ReturnValue;
int n = cmd.ExecuteScalar();

This is only one way the secure your web apps - by passing parameters you avoid many types of SQL injection attacks.
Finally, ensure you provide very little information to a potential attacker when an error occurs.

No Comments »

No comments yet.

RSS feed for comments on this post. TrackBack URI

Leave a comment

ruldrurd
Powered by WordPress, Content and Design by Kai Bellmann
Entries (RSS) and Comments (RSS)