How to avoid script database hacking?

RA

If I get the user info from an ASP.NET page, and based on that execute some query
against the database, how can I avoid issues like this one:

Client entered in user name text box the following: "new;delete from users"

On server side I have:

sql = "select * from users where username = " + txtUser.Text;


Thanks,
Ronen
 
Wes Jackson

You should always check for dodgy characters in the string and use stored
procedures with parameters.
 
RA

How would a stored procedure help if the parameter passed to it is the input
from the text box?
 
Ruslan Shlain

You can also use stored procs.

Wes Jackson said:
You should always check for dodgy characters in the string and use stored
procedures with parameters.
 
lostinet

using System.Data.SqlClient;

// @id is a placeholder in the command text; the textbox value is bound to it
// as a typed parameter and is never concatenated into the SQL string.
SqlCommand cmd = new SqlCommand("select * from employees where employeeid=@id", conn);
cmd.Parameters.AddWithValue("@id", TextBox1.Text);
SqlDataReader reader = cmd.ExecuteReader();
 
Hans Kesting

RA said:
How would a store procedure help if the parameter passed to it is the input
from the text box?

In the stored procedure you don't build a SQL string to execute, but supply a
parameter as "placeholder" of the value:

select * from mytable where name = @nameparam

If you supply a value 'new;delete from users' then the table is searched
for that exact value. The "delete" part is never treated as a command.

Hans Kesting
 
Wes Jackson

They are also faster when executing against SQL as the code is already
compiled.

Double bonus!
 
Patrice Scribe

A Google search such as "sql code injection" will retrieve a number of
detailed papers.

In short you could:
- validate your parameters
- use parameterized queries
- use stored procedures
- others?

Patrice
 
Peter Row

Hi,

One thing that using an SP doesn't necessarily guard against is:

What happens if an SP parameter is Text and you pass in a comma separated
list of numbers, which you then use in the SP like:

[some sql here - to do a temp table]

EXEC('SELECT FieldX, FieldY INTO #Temp FROM TableX WHERE TableID IN(' + @Param + ')')

[some more sql here]

Admittedly the person doing the hack would have to know what the SP was
doing in order to ensure proper SQL syntax, but, for example, a disgruntled
employee might know this and wreak havoc.

For a comma separated list of numbers I got around this by using a regular
expression to ensure that the value I would use only contained numbers, a
comma or a space; anything else would be discarded.

Regards,
Peter
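Hans Kesting's bound parameter and Peter Row's comma separated list, worked through as an added example that is not code from anyone in the thread. It uses Python's sqlite3 and its "?" placeholders in place of SqlCommand and @params; the users table and its three rows are constructed sample data.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the thread's "users" table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "ronen"), (2, "new"), (3, "wes")])
    return conn


def find_user(conn, username):
    # The value is bound to the placeholder, so "new;delete from users" is
    # looked up as that literal string and simply matches no row.
    rows = conn.execute("SELECT userid FROM users WHERE username = ?",
                        (username,)).fetchall()
    return [r[0] for r in rows]


# Peter Row's allow-list: only digits, commas and spaces may form the list.
ID_LIST_RE = re.compile(r"[0-9, ]*")


def parse_id_list(text):
    """Return the integers in a comma separated list, or None when any other
    character is present (the whole value is discarded, not just the bad part)."""
    if ID_LIST_RE.fullmatch(text) is None:
        return None
    return [int(part) for part in text.split(",") if part.strip()]


def find_users_in(conn, id_list_text):
    ids = parse_id_list(id_list_text)
    if ids is None:
        return None
    if not ids:
        return []
    # Even after validation, bind one placeholder per id rather than splicing
    # the text into the IN(...) clause, so the list is data, never SQL syntax.
    placeholders = ",".join("?" * len(ids))
    rows = conn.execute(
        "SELECT username FROM users WHERE userid IN (" + placeholders + ")"
        " ORDER BY userid", ids).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print(find_user(db, "new;delete from users"))    # []
    print(find_users_in(db, "1, 3"))                 # ['ronen', 'wes']
    print(find_users_in(db, "1;delete from users"))  # None
```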
 
Brian Henry

ASP.NET has special features to automatically catch things like people
embedding ;DELETE FROM; and other trick SQL commands that would normally be
"hacked" on web sites
 
Kevin Spencer

Turn it off.

--
;-),
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.