Dear All,
I am always curios about hacking not in destructive manner but how to prevent my sites from hacking.
So one of the thing which I want to share with you is “SQL Injection “. SQL Injection is a unique way by which you can play with database of the site.
Firstly I give you a brief introduction about SQL injection and then I will provide you information how to prevent your site by SQL injection.
So SQL injections are just like SQL statements or we can say combination of SQL statements which can be used as destructive manner by hackers.
And you cannot believe how SQL Server is powerful. With the help of” xp_cmdShell “command then end user (hacker) can crash your server too. With the help of “xp_cmdShell” you can do many things like delete file, delete dir, shutdown even format too.
So first let me show you basic example
Suppose you have login screen
on which you have done following code to validate user on
protected void btnLogin_Click(object sender, EventArgs e)
{
String connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection sqlcon = new SqlConnection(connectionString);
SqlCommand sqlcmd = new SqlCommand();
sqlcmd.CommandText = “SELECT * FROM tblUser WHERE strUserName =’” + txtUserName.Text + “‘ AND strPassword =’” + txtPassword.Text + “‘”;
sqlcmd.CommandType = CommandType.Text;
sqlcmd.Connection = sqlcon;
SqlDataAdapter sda = new SqlDataAdapter();
sda.SelectCommand = sqlcmd;
DataSet ds = new DataSet();
sda.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Response.Write(“Valid user”);
}else{
Response.Write(“Invalid user”);
}
}
Now if you see here we have directly used txtUserName, and txtPassword value here.
Now if end user enters following value as shown your screen.
Now put break point on your sqlcommand statement and see what value going on.
You will find following SQL command.
SELECT * FROM tblUser WHERE strUserName =’Rajat’ OR ‘1’ =’1’ AND password =’test’ OR ‘1’ =’1’
Now when you run this command in your SQL Browser you will be surprised that it returns all the Records. So this is power of SQL injection with just “OR “statement.
Now if you have aware of SQL Server than you understand “;” (semicolon) & — (dash dash) means.
“;” semicolon means current statement is completed and — (dash dash) means comment.
So suppose, if I enter semicolon combination with update command on my username password screen then what happen
SELECT * FROM tblUser WHERE strUserName =’RAJAT’ OR ‘1’=’1’ ; update tblUser set password =’’; –
Other than this a hacker can user various combination like this.
Now question came in your mind how to prevent this.
So here are the basic things by which you can prevent your site by SQL injections
1) Apply check for special character on login form textbox
2) Use storedprocedures
3) Use encrypted password
I hope you will be more secure programmer now so enjoy secure sites.
In future i will provide you how a hacker can hack your site and how can you prevent your site.
Thanks
Rajat Jaiswal
