Reputation: 9081
Avoiding an Sql injection attack
I have an asp.net application. In which i have this code:
using (Data.connexion)
{
string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =@login and mdp=@mdp";
SqlCommand command = new SqlCommand(queryString, Data.connexion);
command.Parameters.AddWithValue("@login", _login);
command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
try
{
SqlDataReader reader = command.ExecuteReader();
do
{
while (reader.Read())
{
return View("Success");
}
} while (reader.NextResult());
}
catch { }
}
When i try a Sql injection attack using this login '' or 1=1 -- , the attack is failed. but if i change the snippet by this one :
using (Data.connexion)
{
string queryString = @"select id_user , nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login =" + _login + " and mdp=" + _password.GetHashCode().ToString();
SqlCommand command = new SqlCommand(queryString, Data.connexion);
// command.Parameters.AddWithValue("@login", _login);
// command.Parameters.AddWithValue("@mdp", _password.GetHashCode().ToString());
try
{
SqlDataReader reader = command.ExecuteReader();
do
{
while (reader.Read())
{
return View("Success");
}
} while (reader.NextResult());
}
catch { }
}
I'm redirected to the view success so the attack is succed.
What is the difference between the two ways of coding? What are the best ways to prevent and avoid an Sql injection attack?
Upvotes: 1
Views: 1371
Answers (2)
Reputation: 700720
The best way to protect against SQL injection is to use parameterised queries.
You can make it as safe when concatenating values into a string, but you have to do it exactly right, and the exact method differs between database brands.
For SQL Server, you would encode the string values by doubling any apostrophes in the string. That way any apostrophes would be interpreted correctly by the database, and it would not be possible to use apostrophes to break out of the string:
string queryString = "select id_user, nom, prenom, mail, login, mdp, last_visite, id_group, id_user_status from USERS where login = '" + _login.Replace("'","''") + "' and mdp = '" + _password.GetHashCode().ToString().Replace("'","''") + "'";
But, it's still easier to use parameterised queries, then the database driver does this for you. If you try to handle the encoding yourself, and doesn't get it right, then you are in a worse place, because you think that the problem is handled but it can be wide open to SQL injection attacks.
Side note: The String.GetHashCode method is not suited for things like hashing passwords. The implementation of the method can change in the future (as it has in the past), which would make all hashed passwords in the database useless.
"Do not serialize hash code values or store them in databases." -- http://msdn.microsoft.com/en-us/library/system.string.gethashcode.aspx
Upvotes: 3
Reputation: 1150
Always use command parameters to avoid sql injection. Sql injections are handled by Command Parameter automatically. You don't need to worry about sql injection if you use command parameters.
When you don't use command parameters, the parameters' values are simply inserted in sql query without handling sql injection. But when you use command parameters, ADO.Net handles sql injection for you.
Upvotes: 2
Related Questions
- How do I prevent malicious SQL injection attacks while allowing benign SQL injection?
- How can I avoid SQL injection attacks in my ASP.NET application?
- SQL Injection cshtml
- sql injection attacks
- Control SQL injection in MVC
- asp.net MVC prevent sql injection
- MVC 4 SQL string injection Security
- How to avoid SQL injection
- How to handle sql injection from asp.net
- how to prevent SQL Injection in a asp.net website