ASP.NET Security - SQL Injection

Every developer should validate web form input. Unvalidated form input lets an attacker submit a crafted SQL fragment that is concatenated into a query, so the statement can fetch unauthorized data from the database, delete tables, or update column values.

Below is a SQL command built by string concatenation; it is vulnerable to SQL injection because the text box value becomes part of the SQL statement itself:

string strSQL = "SELECT ProductId, ProductName " +
                "FROM Products " +
                "WHERE ProductName LIKE '" + txtSearch.Text + "'";   // user input is concatenated straight into the query text

An attacker can enter the following in the input text box to fetch all the products (the quote closes the string literal, 1=1 is always true, and -- comments out the rest of the query):
' Or 1=1 --

An attacker can update a column value by entering the following in the text box:
'; UPDATE Products SET UnitPrice = 0.01 WHERE ProductId = 1--

An attacker can delete table rows by entering the following in the text box:
'; DELETE FROM Products --

An attacker can also drop whole tables if the application connects with an admin-level account:
'; Drop Table User --

So developers should do the following to avoid SQL injection:
  1. Validate all textbox entries using validation controls, regular expressions, or code.

  2. Use parameterized SQL or stored procedures so that user input is passed as data, never as part of the SQL text.

  3. Encrypt passwords and other sensitive data.

  4. Encrypt connection strings.

  5. Do not use an admin access account for the database connection. Use a limited-access account that has only the permissions the application needs.

  6. Use custom error messages. Do not display raw SQL error messages to the user.
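The search from the vulnerable snippet rewritten with a parameterized SqlCommand, covering points 2, 5 and 6 above. This is an added example, not code from the original post; it assumes a Products table with ProductId and ProductName columns and that the caller supplies a connection string read from encrypted configuration for a limited-access account.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Assumes a Products table
// with ProductId (int) and ProductName (nvarchar) columns.
public static class ProductSearch
{
    // Safe: the search text travels as a typed parameter value.
    // Whatever the user types is compared as data and is never parsed
    // as SQL, so  ' OR 1=1 --  simply matches no product name.
    public static List<string> Search(string connectionString, string search)
    {
        const string sql =
            "SELECT ProductId, ProductName FROM Products " +
            "WHERE ProductName LIKE @pattern";

        var results = new List<string>();
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Wildcards are added here, in code, not taken from the user.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 80).Value =
                "%" + search + "%";
            try
            {
                conn.Open();
                using (SqlDataReader reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                        results.Add(reader.GetInt32(0) + ": " + reader.GetString(1));
                }
            }
            catch (SqlException ex)
            {
                // Log the real error server-side (logger is assumed), then show
                // the user a generic message so schema and SQL text stay hidden.
                Console.Error.WriteLine("Product search failed: " + ex.Number);
                throw new ApplicationException("The search could not be completed.");
            }
        }
        return results;
    }
}
```

Calling Search(connectionString, "' Or 1=1 --") returns only products whose name actually contains that text, not the whole table.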
