Reputation: 321
How do I prevent MySQL Database Injection Attacks using vb.net?
I am using vb.net in Visual Basic 2010 and using Query to edit my Online MySQL Database from the application (WinForms).
Here is a sample to insert a new user into the database:
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
READER = COMMAND.ExecuteReader
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
How to Prevent MySQL Database Injection Attacks?
--------------------------------------------------------------------------------
Is this Parameterized way also ideal for these sets of code?
Set 1:
Dim SQLReq As String = "UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
submitRequest(SQLReq)
Set 2
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member='" & My.Settings.username & "'"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3
MySQLCon.Open()
Dim Query As String
Query = "SELECT member FROM members"
command = New MySqlCommand(Query, MySQLCon)
SDA.SelectCommand = command
SDA.Fill(dbDataSet)
bSource.DataSource = dbDataSet
vagueMembers.DataSource = bSource
SDA.Update(dbDataSet)
MySQLCon.Close()
MySQLCon.Dispose()
This is an edit for @Fred
Set 1 is now:
MySQLCon.Open()
Dim SQLADD As String = "UPDATE members SET req= @request WHERE member= @memberName"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@request", request)
COMMAND.Parameters.AddWithValue("@memberName", My.Settings.username)
COMMAND.ExecuteNonQuery()
MySQLCon.Close()
MySQLCon.Dispose()
Set 2 is now:
MySQLCon.Open()
Dim SQLID As String = "SELECT * FROM members WHERE member= @member"
COMMAND = New MySqlCommand(SQLID, MySQLCon)
COMMAND.Parameters.AddWithValue("@member", My.Settings.username)
COMMAND.ExecuteNonQuery()
READER = COMMAND.ExecuteReader()
While READER.Read
xboxGamertag.Value2 = READER.GetString("gamertag")
vagueRole.Value2 = READER.GetString("role")
vagueID.Value2 = READER.GetInt32("id")
End While
MySQLCon.Close()
MySQLCon.Dispose()
Set 3 is now:
Same as usual cause you said it should be fine.
Are these correct? Protected from Injections?
Upvotes: 2
Views: 2009
Answers (3)
Reputation: 5808
MySQLCon.Open()
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@memberToAdd, @memberGamingTag, @memberRole)"
COMMAND = New MySqlCommand(SQLADD, MySQLCon)
COMMAND.Parameters.AddWithValue("@memberToAdd", memberToAdd.Text)
COMMAND.Parameters.AddWithValue("@memberGamingTag", membersGamertag.Text)
COMMAND.Parameters.AddWithValue("@memberRole", membersRole.Text)
COMMAND.ExecuteNonQuery()
memberToAdd.Text = ""
membersGamertag.Text = ""
membersRole.Text = ""
MySQLCon.Close()
MySQLCon.Dispose()
You don't need to use COMMAND.ExecuteReader as you are not retrieving data.
You should never build your queries like this:
UPDATE members SET req= '" & request & "' WHERE member= '" & My.Settings.username & "'"
It is vunerable to SQL Injection, you should parameterize your queries as I have in the example above. This applies to any query be it INSERT, UPDATE, SELECT
Upvotes: 2
Reputation: 27322
Instead of concatenating your SQL statement like this:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES('" & memberToAdd.Text & "','" & membersGamertag.Text & "','" & membersRole.Text & "')"
You specify each parameter using an @ prefix like this without any quotes:
Dim SQLADD As String = "INSERT INTO members(member,gamertag,role) VALUES(@member, @gamertag, @role)"
Then you specify the values for each parameter like this using the correct variable type for the data type in your database:
command.Parameters.AddWithValue("@member", member)
command.Parameters.AddWithValue("@gamertag", gamertag)
command.Parameters.AddWithValue("@role", role)
Your example edit is not a parameterised query. You should never concatenate your SQL string with variables.
Upvotes: 1
Reputation: 9
You should put the insert query at the Stored Procedure.
conn.Open();
cmd.Connection = conn;
cmd.CommandText = "add_mem";
cmd.CommandType = CommandType.StoredProcedure;
cmd.Parameters.AddWithValue("@member", "Jones");
cmd.Parameters["@lname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@gamertag", "Tom");
cmd.Parameters["@fname"].Direction = ParameterDirection.Input;
cmd.Parameters.AddWithValue("@role", "1940-06-07");
cmd.Parameters["@bday"].Direction = ParameterDirection.Input;
cmd.Parameters["@empno"].Direction = ParameterDirection.Output;
cmd.ExecuteNonQuery();
Upvotes: -1
Related Questions
- How to prevent SQL Injection in this code?
- Prevent injection in queries with execute
- prevent sql injection
- Preventing SQL Injection in ASP.Net
- Solving the problem of SQLinjection
- How to prevent SQL injection attack on a text box?
- SQL Injection Prevention
- SQL Injection Prevention in .NET
- This code for preventing MySQL injection is good?
- Database injection prevention c#