NetSnow Moderator
Number of posts : 24 Age : 44 Registration date : 2006-11-13
Subject: Stop SQL Injection Attacks Before They Stop You Wed Dec 03, 2008 10:39 am
First, I'm not a database expert. I just want to share a good article on SQL injection. Most developers happen to forget to guard against SQL injection, especially while trying to meet tight deadlines. It has happened to me frequently. Anyway, I hope it's worth sparing your time to read this article.

The hacker breaks into the system by injecting malformed SQL into the query. This particular hack works because the executed query is formed by the concatenation of a fixed string and values entered by the user, as shown here:

    string strQry = "SELECT Count(*) FROM Users WHERE UserName='" + txtUser.Text + "' AND Password='" + txtPassword.Text + "'";

In the case of the user entering a valid user name of "Paul" and a password of "password", strQry becomes

    SELECT Count(*) FROM Users WHERE UserName='Paul' AND Password='password'

But when the hacker enters ' Or 1=1 -- the query now becomes:

    SELECT Count(*) FROM Users WHERE UserName='' Or 1=1 --' AND Password=''

Because a pair of hyphens designates the beginning of a comment in SQL, the query becomes simply:

    SELECT Count(*) FROM Users WHERE UserName='' Or 1=1

The expression 1=1 is always true for every row in the table, and a true expression OR'd with another expression will always return true. So, assuming there's at least one row in the Users table, this SQL will always return a nonzero count of records.

Not all SQL injection attacks involve forms authentication. All it takes is an application with some dynamically constructed SQL and untrusted user input. Given the right conditions, the extent of damage caused by such an attack may be limited only by the extent of the hacker's knowledge of the SQL language and the database configuration.

The whole article, including how to prevent SQL injection, is here: http://msdn.microsoft.com/en-us/magazine/cc163917.aspx
Regards, netsnow
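The concatenated login query from the post, run side by side with its parameterized form, as an added example that is not part of the original post or the linked article. It uses Python's sqlite3 rather than the article's C#/ASP.NET and SQL Server (an assumption, but the single-quote delimiting and the `--` comment behave the same in both engines). The Users table, its rows, the passwords and the extra inputs (a known user name followed by `' --`, and a legitimate name containing an apostrophe) are constructed sample data; it also goes beyond the post by showing that the same parameterization that stops the bypass also stops the syntax error a name like O'Brien causes in the concatenated version.

```python
import sqlite3


def make_db():
    """Constructed sample data (assumption): a Users table shaped like the
    one in the article's query. Plaintext passwords only mirror the example;
    a real application would store password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?)",
        [("Paul", "password"), ("Alice", "s3cret")],
    )
    conn.commit()
    return conn


def count_vulnerable(conn, user, password):
    """Mirror of the article's strQry: user input is pasted into the SQL text,
    so quotes and comment markers typed by the user change the query."""
    qry = (
        "SELECT Count(*) FROM Users WHERE UserName='" + user
        + "' AND Password='" + password + "'"
    )
    return conn.execute(qry).fetchone()[0]


def count_parameterized(conn, user, password):
    """Hardened form: the SQL text is fixed; values travel as bound parameters,
    so a quote or '--' in the input is just data compared against the column."""
    qry = "SELECT Count(*) FROM Users WHERE UserName=? AND Password=?"
    return conn.execute(qry, (user, password)).fetchone()[0]


def demo():
    """Run the post's inputs through both versions and return the counts.

    A nonzero count is what the article's login check treats as success."""
    conn = make_db()
    r = {}
    # Legitimate login: both versions agree.
    r["valid_vuln"] = count_vulnerable(conn, "Paul", "password")
    r["valid_param"] = count_parameterized(conn, "Paul", "password")
    # The post's payload: ' Or 1=1 -- turns the WHERE clause into
    # UserName='' Or 1=1 and comments out the password test.
    r["or11_vuln"] = count_vulnerable(conn, "' Or 1=1 --", "")
    r["or11_param"] = count_parameterized(conn, "' Or 1=1 --", "")
    # Same trick with a known user name (constructed input): Paul' -- comments
    # out the password test without needing 1=1, so the count is exactly 1.
    r["known_user_vuln"] = count_vulnerable(conn, "Paul' --", "wrong")
    r["known_user_param"] = count_parameterized(conn, "Paul' --", "wrong")
    # A legitimate apostrophe (constructed input) breaks the concatenated
    # query's syntax; the parameterized query simply compares the value.
    conn.execute("INSERT INTO Users VALUES (?, ?)", ("O'Brien", "x"))
    try:
        r["apostrophe_vuln"] = count_vulnerable(conn, "O'Brien", "x")
    except sqlite3.OperationalError:
        r["apostrophe_vuln"] = "syntax error"
    r["apostrophe_param"] = count_parameterized(conn, "O'Brien", "x")
    conn.close()
    return r


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```

The ADO.NET equivalent of `count_parameterized` is a `SqlCommand` whose text uses `@UserName`/`@Password` placeholders with values added through `Parameters.AddWithValue`; the point is the same in any driver: the query text never contains user input, so there is nothing for the attacker's quote or `--` to close or comment out.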