dotnetwarriors.com

SQL Injection Attack and Prevention Techniques in ASP.NET

In this Article i will Explain what is Sql Injection Attack using a simple Example and how to Prevent Sql Injection in Asp.Net Websites.

SQL Injection:

Sql Injection is a technique, used to gain unauthorized access to any account without login credentials. Sql Injection is basically use to steal your data and causing harm to your system by deleting data or dropping tables.

 

Lets Understand the Sql Injection using a simple project with login and home page and a Sql table users(used to authenticate the user):

First of all design a simple Login Page as shown below image:

SQL Injection Attack and Prevention Techniques in ASP.NET

.aspx Code:

 

<div><h1> Test Sql Injection </h1></div><br />
<div><b>UserName: </b><asp:TextBox ID="TextBox1" runat="server"></asp:TextBox></div>
<div><b>Password: </b><asp:TextBox ID="TextBox2" runat="server" TextMode="Password"></asp:TextBox></div>
<div><b></b><asp:Button ID="btn1" runat="server" Text="Login" OnClick="btn1_Click" /></div>
    
<div><asp:Label ID="Label1" runat="server" ForeColor="#990000"></asp:Label></div>
Namespaces:
You will have to inherit the following namespaces –
 
using System.Data.SqlClient;

 

C# Code:

 

SqlConnection con=new SqlConnection("Data Source=hello\\SQLEXPRESS;Initial Catalog=aspdotnetcorner;Integrated Security=True");
 
 protected void Page_Load(object sender, EventArgs e)
  {
  }
  protected void btn1_Click(object sender, EventArgs e)
  {
      SqlCommand cmd=new SqlCommand("select * from users where email='"+TextBox1.Text+"' and password='"+TextBox2.Text+"'",con);
      con.Open();
      SqlDataReader dr=cmd.ExecuteReader();
      if(dr.Read())
      {
      con.Close();
      Response.Redirect("home.aspx");
      }
      else
      {
          Label1.Text="Username or Password is Incorrect.";
      }
      
  }

Now Run the code with Ctrl+F5 or F5

Enter the Login Credentials (anything) and Click on Login button then it will show you Error “Username or Password is Incorrect“. 

 

SQL Injection Attack and Prevention Techniques in ASP.NET

the above Error is occur because you don’t know the correct username or password. So to overcome this Problem we will Try SQL Injection to gain unauthorized access to system.

SQL Injection technique is use to make the Sql query true by putting some code in TextBox.

So write  1 ‘or’ 1 ‘=’ 1  in both the Login TextBox in this Example then it will Redirect you to the Home Page without any Login Credentials as shown in below images:

 

SQL Injection Attack and Prevention Techniques in ASP.NET

 

SQL Injection Attack and Prevention Techniques in ASP.NET

By using SQL Injection anyone can gain unauthorized access to your system and can delete the users data or can Drop the users table from database.

 

Prevention Techniques: 

There are some Tips and Techniques To Prevent the SQL Injection.

 

  1. Use Stored Procedures instead of simple Sql Query.
  2. Use only Parameterized Queries
  3. Allow only alphabets, digits and some special characters in Textbox. 

 





Share This Article :

Comments


Add Comment


 
Security Code :
7 + 6 =