dotnetwarriors.com

Preventing SQL Injection Attacks using Parameterized Queries in SQL and ASP.NET

In this article I will explain how to prevent SQL injection using parameterized queries in SQL Server.

In the previous article I explained SQL injection attacks and prevention techniques; here I show how to prevent SQL injection with a parameterized query in SQL Server, using a simple example.

 

Parameterized Queries:

A parameterized query keeps the SQL text fixed and passes every user-supplied value to the server as a separate, typed SQL parameter (@a and @b in the example below). Because the server never parses a parameter value as part of the statement, input such as 1' or '1'='1 is compared as an ordinary string value and cannot change the logic of the query. This separation of code from data is what protects the database from SQL injection.

 

Let's understand parameterized SQL queries using a simple project with a login page, a home page and a SQL table users (used to authenticate the user):

First, design a simple login page as shown in the image below:

[Screenshot: the login page with UserName and Password text boxes and a Login button]

 

.aspx code:

 

<div><h1>Test Sql Injection</h1></div><br />
<div><b>UserName: </b><asp:TextBox ID="TextBox1" runat="server"></asp:TextBox></div>
<div><b>Password: </b><asp:TextBox ID="TextBox2" runat="server" TextMode="Password"></asp:TextBox></div>
<div><asp:Button ID="btn1" runat="server" Text="Login" OnClick="btn1_Click" /></div>
<div><asp:Label ID="Label1" runat="server" ForeColor="#990000"></asp:Label></div>

Namespaces:

You will have to import the following namespace in the code-behind file:

using System.Data.SqlClient;
 
 
 
C# Code:

// Connection string for the sample database. In a real application keep it in
// web.config (connectionStrings section) rather than in code.
private const string ConnectionString =
    "Data Source=hello\\SQLEXPRESS;Initial Catalog=aspdotnetcorner;Integrated Security=True";

protected void Page_Load(object sender, EventArgs e)
{
}

protected void btn1_Click(object sender, EventArgs e)
{
    // The SQL text is fixed. The text box values reach the server only as the
    // values of @a and @b, so they are never parsed as part of the statement.
    const string sql = "select 1 from users where email=@a and password=@b";

    bool found;
    // using disposes the connection and the reader on every path, including the
    // failed-login branch (the original code closed the connection only on success).
    using (SqlConnection con = new SqlConnection(ConnectionString))
    using (SqlCommand cmd = new SqlCommand(sql, con))
    {
        // AddWithValue infers the SQL type from the .NET value; when the column
        // types are known, Parameters.Add with an explicit SqlDbType and size avoids
        // implicit conversions on the server.
        cmd.Parameters.AddWithValue("@a", TextBox1.Text);
        cmd.Parameters.AddWithValue("@b", TextBox2.Text);
        con.Open();
        using (SqlDataReader dr = cmd.ExecuteReader())
        {
            found = dr.Read();
        }
    }

    if (found)
    {
        Response.Redirect("home.aspx");
    }
    else
    {
        // Same message for unknown user and wrong password: do not reveal which one failed.
        Label1.Text = "Username or Password is Incorrect.";
    }
}

In the above code we used a parameterized query. Notice @a and @b, which are the parameters of the query:

cmd.Parameters.AddWithValue("@a", TextBox1.Text);
cmd.Parameters.AddWithValue("@b", TextBox2.Text);

These statements assign the value of TextBox1 to the parameter @a and the value of TextBox2 to the parameter @b. The values travel to SQL Server alongside the statement rather than inside it, so quotes or keywords in them have no effect on how the statement is parsed. AddWithValue infers the SQL type from the .NET value; when the column types are known, prefer the Parameters.Add overload that takes an explicit SqlDbType and size.

Note that the example compares passwords in clear text, which is outside this article's scope; a real application stores and compares a salted password hash instead.

 

Now Run the code with Ctrl+F5 or F5

 

Try a SQL injection attack on the example login page by entering SQL intended to make the WHERE clause always true.

Enter 1' or '1'='1 in both login text boxes. If the values were concatenated into the SQL string, the server would receive select * from users where email='1' or '1'='1' and password='1' or '1'='1', which is true for every row and would log the attacker in. With the parameterized query the whole string 1' or '1'='1 is sent as the value of @a and @b and compared literally against the email and password columns, so no row matches and the page shows the error "Username or Password is Incorrect", as shown in the images below.

This means unauthorized users cannot reach the home page through this SQL injection attack.
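The behaviour described above, as an added runnable example that is not part of the original article: it uses Python's sqlite3 with an in-memory database and a constructed users table so it runs offline, but the mechanism is the same one ADO.NET's SqlParameter relies on. login_vulnerable splices the login fields into the SQL string, login_parameterized binds them as parameter values (the ? placeholders play the role of @a and @b). It also goes one step beyond the article by showing that a legitimate value containing a quote (o'brien@example.com) works with parameters and breaks the concatenated query. The sample users, the payload and all function names are this example's own assumptions.

```python
import sqlite3

# Constructed sample data standing in for the article's "users" table (assumed schema).
USERS = [
    ("alice@example.com", "s3cret"),
    ("o'brien@example.com", "pw2"),   # a legitimate value that contains a quote
]

# The tautology payload typed into both text boxes on the login page.
PAYLOAD = "1' or '1'='1"


def make_db():
    """Create an in-memory database holding the sample users."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(email text, password text)")
    con.executemany("insert into users values (?, ?)", USERS)
    return con


def vulnerable_sql_text(email, password):
    """The statement the server receives when input is concatenated into the SQL."""
    return f"select * from users where email='{email}' and password='{password}'"


def login_vulnerable(con, email, password):
    """Concatenation: the input is parsed as SQL, so the payload rewrites the WHERE clause."""
    return con.execute(vulnerable_sql_text(email, password)).fetchone() is not None


def login_parameterized(con, email, password):
    """Parameters: the SQL text is fixed and the input is bound as values only."""
    sql = "select * from users where email=? and password=?"
    return con.execute(sql, (email, password)).fetchone() is not None


def demo():
    """Run the attack and legitimate logins against both versions; return the outcomes."""
    con = make_db()
    results = {
        # The payload logs in through the concatenated query but not the parameterized one.
        "vulnerable_bypassed": login_vulnerable(con, PAYLOAD, PAYLOAD),
        "parameterized_bypassed": login_parameterized(con, PAYLOAD, PAYLOAD),
        # Correct credentials still work with parameters.
        "parameterized_valid_login": login_parameterized(con, "alice@example.com", "s3cret"),
        "parameterized_quote_in_email": login_parameterized(con, "o'brien@example.com", "pw2"),
    }
    # The concatenated version cannot even handle a legitimate quote: the statement
    # "... email='o'brien@example.com' ..." is a syntax error.
    try:
        login_vulnerable(con, "o'brien@example.com", "pw2")
        results["vulnerable_quote_in_email"] = "ran"
    except sqlite3.OperationalError:
        results["vulnerable_quote_in_email"] = "syntax error"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the concatenated login accepting the payload and the parameterized login rejecting it, while a real user whose e-mail contains a quote can only log in through the parameterized version. The same split applies to the article's ADO.NET code: the parameter value is never part of the statement text SQL Server parses.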

 

[Screenshots: the login page with the injection string entered in both text boxes, and the resulting "Username or Password is Incorrect." message]


Comments

kamal saini

nice...