Definition:
- If you take user input from a web page and insert it into a SQL database, there is a chance that you have left yourself wide open to a security issue known as SQL injection.
- Injection usually occurs when you ask a user for input, such as their name, and instead of a name they give you a SQL statement that you then unknowingly run on your database.
Definition:-
1) A successful SQL injection attack enables a malicious user to execute commands in your application's database using the privileges granted to your application's login.
2) The problem is more severe if your application uses an over-privileged account to connect to the database. For example, if your application's login has the privilege to drop a database, then without adequate safeguards an attacker might be able to perform that operation.
Common vulnerabilities that make your data access code susceptible to SQL injection attacks include:
- Weak input validation.
- Dynamic construction of SQL statements without the use of type-safe parameters.
- Use of over-privileged database logins.
SQL INJECTION example:-
Step 1:- First, create a website and a database in Visual Studio to implement the SQL injection example in practice. The sign-in form built here is the weakest form of authentication from a security standpoint.
Step 2:- Steps used to create the database:
Menu → View → Server Explorer → Data Connections → right click → Create New SQL Database → specify the name of the server, such as sandy\sqlexpress, and the name of the database in the database box.
Step 3:- Steps used to create a website in Visual Studio:
Menu → File → New → Web Site → ASP.NET Empty Web Site (C#) → OK → then add the default.aspx page together with its default.aspx.cs page.
Step 4:- After making the website and the database, connect them through the web.config file, which is available in the website.
Syntax for connecting the website with the database in the web.config file:
  <connectionStrings>
    <add name="cn" connectionString="server=sandy\sqlexpress;database=student;integrated security=true"/>
  </connectionStrings>
Step 5:- After connecting the database to the website, a web page named default.aspx is needed.
Step 6:- On the default.aspx page, drag and drop two textboxes, one for the username and one for the password, and one button; all the HTML and server controls are available in the ToolBox.
Step 7:- Name the button Sign in. Clicking it on the default.aspx page in the designer activates its click event and brings up the default.aspx.cs page with the generated handler. Keeping the C# logic in this separate file is known as the code-behind technique.
Step 8:- Add these three namespaces at the top of default.aspx.cs (C# is case-sensitive, so the keyword is the lower-case using):
using System.Data;
using System.Data.SqlClient;
using System.Configuration;
Step 9:- The classes, objects, constructors and references used in the C# SQL injection example
SqlDataAdapter:
- A SqlDataAdapter holds the command that retrieves data from the data source and fills a DataSet with the result.
Main key points of the DataAdapter:-
o It uses the disconnected approach: the connection is opened only for the Fill and closed again afterwards.
o With a DataAdapter you can execute more than one SQL query at a time; each result set is placed in its own table.
DataSet:
- The ADO.NET DataSet class contains a collection of tables that hold the data after the SQL query has run against the database. It is intermediate, in-memory data that belongs neither to the presentation layer nor to the database layer.
ConnectionString:
- It defines how the website connects to the database; the database configuration is maintained on the server side in web.config.
ConfigurationManager:
- This class is responsible for reading the configuration. In simpler terms, it looks up the connection string passed in from the web.config file at run time.
Step 10:- Write the sign-in code (this is the vulnerable version that the rest of the example relies on)
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        // The user's input is concatenated straight into the SQL text:
        // this is the flaw that the later steps demonstrate.
        String st = "select * from tbuser where uname='" +
            TextBox1.Text + "' AND pwd='" + TextBox2.Text + "'";
        // The adapter opens the connection, runs the query and fills the DataSet.
        SqlDataAdapter adp = new SqlDataAdapter(st,
            ConfigurationManager.ConnectionStrings["cn"].ConnectionString);
        DataSet ds = new DataSet();
        adp.Fill(ds);
        if (ds.Tables[0].Rows.Count == 0)
        {
            Response.Write("wrong user/pwd");
        }
        else
        {
            // A matching row was found: send the user on to the next page.
            Response.Redirect("default2.aspx");
        }
    }
}
Step 11:- In the normal case, the user enters a username and password, the query authenticates them, and you get the result. There is no problem at all.
- As you can see, there is no input validation, and the SQL statement is built dynamically without type-safe parameters. This makes SQL injection attacks easy.
Step 12:- SQL injection is a technique where malicious users inject SQL commands into a SQL statement via web page input. The injected SQL commands alter the statement and compromise the security of the web application.
SQL Injection based on '1'='1' being always true
A smart hacker might get access to the user names and passwords in the database simply by appending ' or '1'='1 to whatever is typed into the user name or password text box. With the inputs abc' or '1'='1 and 123' or '1'='1 the code in Step 10 builds:
select * from tbuser where uname='abc' or '1'='1' AND pwd='123' or '1'='1';
The resulting SQL is valid. It returns all rows from the table tbuser, since '1'='1' is always true, so ds.Tables[0].Rows.Count is never 0.
This bypasses the authentication and grants access to the website without credentials.