SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution. Any procedure that constructs SQL statements should be reviewed for injection weakness because SQL Server will execute all syntactically valid queries that it receives.

How does SQL injection work?

Example 1: The following script shows a simple SQL injection. The script builds an SQL query by concatenating hard-coded strings with a string entered by the user in a text box:

string sql = "select * from product where product_name = '" + TextBox1.Text + "'";

The user is prompted to enter the name of a product. If the user enters Keyboard, the query assembled by the script looks similar to the following:

SELECT * FROM product WHERE product_name = 'Keyboard'

However, assume that the user enters the following:

Keyboard'; drop table product--

In this case, the following query is assembled by the script:

SELECT * FROM product WHERE product_name = 'Keyboard'; drop table product--

The semicolon (;) denotes the end of one query and the start of another. The double hyphen (--) indicates that the rest of the current line is a comment and should be ignored. If the modified code is syntactically correct, it will be executed by the server. When SQL Server processes this batch, it will first select all records in product where product_name is Keyboard. Then it will drop the product table.
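As an added example (not code from the original article), the following Python script runs the page's Keyboard'; drop table product-- input through both the concatenated query of Example 1 and a parameterized equivalent, which is the fix that makes the input a value rather than SQL. It assumes an in-memory SQLite database in place of SQL Server, constructed sample rows, and hypothetical function names; executescript() is used on the vulnerable path only to mimic SQL Server executing the whole batch.

```python
import sqlite3

# Constructed sample rows standing in for the page's product table.
SAMPLE_ROWS = [("Keyboard", 10), ("Mouse", 25)]

# The page's input: it closes the string literal, ends the statement, adds a
# second statement, and comments out the quote the script appends afterwards.
PAYLOAD = "Keyboard'; drop table product--"


def fresh_db():
    """In-memory SQLite database (assumption: it stands in for SQL Server)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table product (product_name text, product_quantity integer)")
    conn.executemany("insert into product values (?, ?)", SAMPLE_ROWS)
    return conn


def table_exists(conn):
    """True while the product table is still present in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = 'product'"
    ).fetchone()
    return row[0] == 1


def lookup_vulnerable(conn, user_input):
    """Concatenates the input into the statement, as the page's script does.

    executescript() runs every statement in the string, mirroring SQL Server
    executing the whole batch; sqlite3's execute() would refuse the second one.
    """
    sql = "select * from product where product_name = '" + user_input + "'"
    conn.executescript(sql)


def lookup_safe(conn, user_input):
    """Parameterized query: the input is bound as a value, never parsed as SQL."""
    return conn.execute(
        "select product_name, product_quantity from product where product_name = ?",
        (user_input,),
    ).fetchall()


def demo():
    """Same payload down both paths: (vuln_table_kept, safe_table_kept, safe_rows)."""
    vuln, safe = fresh_db(), fresh_db()
    lookup_vulnerable(vuln, PAYLOAD)
    safe_rows = lookup_safe(safe, PAYLOAD)
    return table_exists(vuln), table_exists(safe), safe_rows
```

On the concatenated path the table is gone after the call; on the parameterized path the same string simply matches no product and the table survives.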

Example 2: The request sent to the database to retrieve a product's name and quantity is implemented by the following SQL statement:

        -- @ProductID is the product identifier supplied by the application
        SELECT product_name, product_quantity
        FROM Products
        WHERE product_id = @ProductID

Typically, web applications use string queries, where the string contains both the query itself and its parameters. The following example shows ASP code that generates such a SQL query:

        ' the ProductID query-string value is concatenated straight into the statement
        sql = "SELECT product_name, product_quantity FROM Products " & _
              "WHERE product_id = " & Request.QueryString("ProductID")

When a user enters the following URL:

        http://www.mydomain.com/products/products.aspx?productid=123
The corresponding SQL query is executed:

        SELECT product_name, product_quantity
        FROM Products
        WHERE product_id = 123

This condition would always be true, and all product_name and product_quantity pairs are returned. The attacker can manipulate the application even further by inserting malicious commands. For example, an attacker can request the following URL:

        http://www.mydomain.com/products/products.aspx?productid=123; DROP TABLE Products

In this example the semicolon is used to pass the database server multiple statements in a single execution. The second statement is "DROP TABLE Products", which causes SQL Server to delete the entire Products table.

To prevent SQL injection, you can reject input that contains the following characters:


  Modified On Sep-18-2014 01:23:58 PM
