Preventing SQL injection in SQL Server 2008

z3r0aCc3Ss
Fame ! Where are the chicks?!
Posts: 700
Joined: 23 Jun 2009, 16:00

Post by z3r0aCc3Ss »

This is my login code.

Code:

using System;
using System.Data;
using System.Data.SqlClient;
using System.Windows.Forms;

// Fragment of the login form. The fields conn (SqlConnection) and comm (SqlCommand)
// are declared elsewhere in the form class.
private void btnLogin_Click(object sender, EventArgs e)
{
    try
    {
        // The password is MD5-hashed before it reaches the query; the username is passed as typed.
        if (login_check(txtUsername.Text, MD5Hash(txtPassword.Text)) > 0)
            MessageBox.Show("Login Successful!", "Success", MessageBoxButtons.OK, MessageBoxIcon.Information);
        else
        {
            MessageBox.Show("Invalid Username or Password!", "Login Failed", MessageBoxButtons.OK, MessageBoxIcon.Error);
            txtUsername.Clear();
            txtPassword.Clear();
            txtUsername.Focus();
        }
    }
    catch (Exception ex)
    {
        MessageBox.Show(ex.Message);
    }
}

private int login_check(string username, string password)
{
    // Strings are immutable: Trim() returns a new string, so its result must be assigned.
    username = username.Trim();
    password = password.Trim();

    if (conn.State == ConnectionState.Closed)
        conn.Open();

    // Vulnerable: user input is concatenated straight into the SQL text.
    string login = "SELECT * FROM db_login WHERE username = '" + username + "' and password = '" + password + "'";

    comm = new SqlCommand(login, conn);

    // ExecuteScalar returns the first column of the first row, or null when no row matches.
    if (comm.ExecuteScalar() != null)
        return 1;
    else
        return 0;
}
When I enter this basic SQL injection string in the textbox fields, my code allows me access to the entire DB.

Code:

' or '1'='1' -- '
Can anyone fix the above code and give me the correct code?
I have heard that if you use SqlParameters, SQL injection can be prevented.

EDIT:
One way I can prevent this is by using textbox validation that allows only letters to be entered (for example, in the KeyPress event). What other strategy can be applied?
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP

ayu
Staff
Posts: 8109
Joined: 27 Aug 2005, 16:00

Re: Preventing SQL injection in SQL Server 2008

Post by ayu »

By using placeholders you could protect against SQL injections.

This code

Code:

string login = "SELECT * FROM db_login WHERE username = '" + username + "' and password = '" + password + "'";

comm = new SqlCommand(login, conn);
could be changed to

Code:

string login = "SELECT * FROM db_login WHERE username = @USERNAME AND password = @PASSWORD";

comm = new SqlCommand(login, conn);

// The values travel separately from the SQL text, so quotes or comment
// markers inside them cannot change the structure of the statement.
comm.Parameters.Add(new SqlParameter("@USERNAME", username));
comm.Parameters.Add(new SqlParameter("@PASSWORD", password));
Adding the parameters like this will render all injections useless :)

Read more about it here: http://www.dotnetperls.com/sqlparameter
"The best place to hide a tree, is in a forest"
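As an added example that is not code from this thread: the two queries above side by side, written in Python with the standard-library sqlite3 module standing in for C# and SQL Server (the single-quote string syntax and the `--` line comment that the payload relies on behave the same in both engines). The `db_login` table and its one row are constructed sample data; `login_check_concat` mirrors the concatenated query from the first post, `login_check_param` the parameterized version (sqlite3 uses `?` placeholders where SqlClient uses `@NAME`), and `letters_only` is the letters-only filter proposed in the EDIT. Running it shows the payload logging in against the concatenated query, failing against the parameterized one, and the filter rejecting a legitimate username such as `alice2` along with the payload.

```python
import sqlite3

# The injection string from the first post, entered in the username field.
PAYLOAD = "' or '1'='1' -- '"


def make_db():
    """In-memory stand-in for the thread's db_login table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE db_login (username TEXT, password TEXT)")
    # One user. The password column holds whatever the application stores;
    # the original post stores an MD5 hex digest, here it is just a placeholder string.
    conn.execute("INSERT INTO db_login VALUES ('alice', 'stored-hash')")
    return conn


def login_check_concat(conn, username, password):
    """The original query: user input concatenated into the SQL text (vulnerable).

    With PAYLOAD as the username the statement becomes
        ... WHERE username = '' or '1'='1' -- '' AND password = '...'
    and everything after -- is a comment, so the password check disappears.
    """
    sql = ("SELECT * FROM db_login WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_check_param(conn, username, password):
    """The fix: fixed SQL text, values bound as parameters.

    The driver sends the statement and the values separately, so the quotes and
    the -- inside PAYLOAD are compared as data against the username column and
    never reach the SQL parser.
    """
    sql = "SELECT * FROM db_login WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def letters_only(value):
    """The KeyPress-style filter from the EDIT: accept only letters."""
    return value.isalpha()


if __name__ == "__main__":
    db = make_db()
    print("concat, payload:", login_check_concat(db, PAYLOAD, "wrong"))         # True
    print("param, payload: ", login_check_param(db, PAYLOAD, "wrong"))          # False
    print("param, valid:   ", login_check_param(db, "alice", "stored-hash"))    # True
    print("letters_only rejects payload:", not letters_only(PAYLOAD))           # True
    print("letters_only rejects 'alice2':", not letters_only("alice2"))         # True
```

The MD5 step in the original form only affects the password field: a hex digest cannot carry quotes, so the username field is the injection point there, which is why the payload goes into the username in this example. The letters-only filter does stop this particular string, but as the last line shows it also turns away ordinary usernames, and it is the parameterized query that removes the vulnerability regardless of what characters the input contains.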

Re: Preventing SQL injection in SQL Server 2008

Post by z3r0aCc3Ss »

Yeah, nice. :)
Thanks! :D

bubzuru
.net coder
Posts: 700
Joined: 17 Apr 2007, 16:00

Re: Preventing SQL injection in SQL Server 2008

Post by bubzuru »

Nice to know, thanks for the info.

Would up your karma if I could; you get +1 in my mind anyway.