Wednesday, October 13, 2010

Hack SQL Injection with prevention (Secure your web site )

Dear All,
I am always curios about hacking not in destructive manner but how to prevent my sites from hacking.
So one of the thing which I want to share with you is “SQL Injection “. SQL Injection is a unique way by which you can play with database of the site.
Firstly I give you a brief introduction about SQL injection and then I will provide you information how to prevent your site by SQL injection.
So SQL injections are just like SQL statements or we can say combination of SQL statements which can be used as destructive manner by hackers.
And you cannot believe how SQL Server is powerful. With the help of” xp_cmdShell “command then end user (hacker) can crash your server too. With the help of “xp_cmdShell” you can do many things like delete file, delete dir, shutdown even format too.
So first let me show you basic example
Suppose you have login screen

on which you have done following code to validate user on
protected void btnLogin_Click(object sender, EventArgs e)
{
String connectionString = ConfigurationManager.ConnectionStrings["ConnectionString"].ConnectionString;
SqlConnection sqlcon = new SqlConnection(connectionString);
SqlCommand sqlcmd = new SqlCommand();
sqlcmd.CommandText = “SELECT * FROM tblUser WHERE strUserName =’” + txtUserName.Text + “‘ AND strPassword =’” + txtPassword.Text + “‘”;
sqlcmd.CommandType = CommandType.Text;
sqlcmd.Connection = sqlcon;
SqlDataAdapter sda = new SqlDataAdapter();
sda.SelectCommand = sqlcmd;
DataSet ds = new DataSet();
sda.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Response.Write(“Valid user”);
}else{
Response.Write(“Invalid user”);
}
}

Now if you see here we have directly used txtUserName, and txtPassword value here.

Now if end user enters following value as shown your screen.

Now put break point on your sqlcommand statement and see what value going on.
You will find following SQL command.
SELECT * FROM tblUser WHERE strUserName =’Rajat’ OR ‘1’ =’1’ AND password =’test’ OR ‘1’ =’1’
Now when you run this command in your SQL Browser you will be surprised that it returns all the Records. So this is power of SQL injection with just “OR “statement.


Now if you have aware of SQL Server than you understand “;” (semicolon) & — (dash dash) means.
“;” semicolon means current statement is completed and — (dash dash) means comment.
So suppose, if I enter semicolon combination with update command on my username password screen then what happen
SELECT * FROM tblUser WHERE strUserName =’RAJAT’ OR ‘1’=’1’ ; update tblUser set password =’’; –

Other than this a hacker can user various combination like this.

Now question came in your mind how to prevent this.
So here are the basic things by which you can prevent your site by SQL injections
1) Apply check for special character on login form textbox
2) Use storedprocedures
3) Use encrypted password
I hope you will be more secure programmer now so enjoy secure sites.

In future i will provide you how a hacker can hack your site and how can you prevent your site.

Thanks
Rajat Jaiswal

Stored Procedure Generator using vb.net

Dear All,
I hope you have great time. Sometimes it happens that you have lot of work load and you have to deliver within time limits on the same time you have to make your coding consistency. If I think about me then I can say I am not going to compromise at least my coding style while the work load is high. So I just got idea to write some useful programs or tools which help me in finishing work as fast as possible.
So I created different utilities which generate following things
1) SQL Server Stored Procedure Generator
2) Dot net Code Generator (Three tire architecture using typed Dataset)
3) Dot net Code Generator ( Three tire architecture using Entity class)
4) PHP Code generator

In future I am interested in WCF & WPF & Silverlight code generator according to my coding style.
In this post I am giving SQL server Stored Procedure Code. It is basically a web application and you have to setup this web application and it will work as per your need.
Here is some screenshots take a look




You can download code from

http://cid-1eda2012469ff8ad.office.live.com/browse.aspx/.Public/StoredProcedureCodeGenerator

In Next post I will share dot net code generator till than b bye.

Thanks
Rajat Jaiswal

Three tire code Generator using VB.NET

Hello Friends,
Today I am sharing vb.net code generator. Its interface is simple same as our stored procedure code generator. (**Important I am using Microsoft Application block for Data Access Layer**)
You need to give user credential as shown in below fig.

Once the credential is successful you will get below screen.


Just select the table for which you want to generate code. Now if you want dataset as entity then just check the use dataset checkbox.
Then press Generate button.



It will generate y our windows form, Business manager class, Data Access layer class.
Just copy and paste in your project it will work fine with some minor changes.
You can download the code from below link
Download code
Enjoy coding!!
Thanks & Regards
Rajat Jaiswal