My website is on ASP.NET and there is a problem that anyone injects SQL injection on a regular basis. I am not getting from which place he uses to inject these scripts, and it affects my database and website design also. I validate some of the input boxes to restrict the script.
So I need a solution which restricts entering scripts into my database, some logic which monitors all data which is inserted into the database. Help me out for the same.
Thanks in advance.

Simple: use parameterized queries at all times:
C#
using System.Data.SqlClient;

// strConnect, myValueForColumn1 and myValueForColumn2 stand for your connection
// string and the user-supplied values.
using (SqlConnection con = new SqlConnection(strConnect))
{
    con.Open();
    // The SQL text is fixed; the values are sent separately as parameters.
    using (SqlCommand com = new SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con))
    {
        com.Parameters.AddWithValue("@C1", myValueForColumn1);
        com.Parameters.AddWithValue("@C2", myValueForColumn2);
        com.ExecuteNonQuery();
    }
}
Or:
VB
Imports System.Data.SqlClient

' strConnect, myValueForColumn1 and myValueForColumn2 stand for your connection
' string and the user-supplied values.
Using con As New SqlConnection(strConnect)
    con.Open()
    ' The SQL text is fixed; the values are sent separately as parameters.
    Using com As New SqlCommand("INSERT INTO myTable (myColumn1, myColumn2) VALUES (@C1, @C2)", con)
        com.Parameters.AddWithValue("@C1", myValueForColumn1)
        com.Parameters.AddWithValue("@C2", myValueForColumn2)
        com.ExecuteNonQuery()
    End Using
End Using

You must also do this for UPDATE, SELECT and suchlike queries.

If you concatenate strings to form an SQL query, you are always wide open to SQL injection.
Comments
Thanks7872 22-May-13 4:42am    
↑voted..!
Some tips to avoid SQL injection...

Do not use dynamic SQL.
Use stored procedures.
Do not pass data using the query string.

Happy Coding!
:)
Comments
[no name] 22-May-13 4:22am    
Thanks!!! I will follow these tips in the next projects, but right now I need a logic to monitor data which is going into the database and restrict the script. Or is there any logic by which I can get from where he uses to inject?
Shanalal Kasim 22-May-13 4:27am    
Are you using dynamic SQL in your current project?
[no name] 22-May-13 5:37am    
No, I am using the parameterized form of SQL.
Aarti Meswania 22-May-13 6:02am    
Do you write code like below...?
"Insert into tbl (col1,col2) values('" + txtbox1.text + "','" + textbox2.text + "')"
[no name] 29-May-13 1:25am    
No!
insert into tbl(col1,col2)values(@col1,@col2);
Database security is a very crucial part of any project. The above two answers can be considered as key points. Further, refer to the links below to get help overcoming this issue.

SQL Injection Attacks and Some Tips on How to Prevent Them

How To: Protect From SQL Injection in ASP.NET

Understanding SQL Injection and Creating SQL Injection Proof ASP.NET Applications

Preventing SQL Injection in ADO.NET
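Putting the thread's three patterns side by side, as an added example that is not code from any of the answers: the concatenated query Aarti asked about, the parameterised INSERT with explicitly typed parameters, and the stored-procedure call recommended in the second answer. The table name tbl, the procedure name usp_InsertRow, the 50-character column size and strConnect are assumptions for illustration.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example, not code from the thread. "tbl", "usp_InsertRow" and the
// 50-character columns are assumed for illustration.
public static class SafeDataAccess
{
    // UNSAFE (the pattern to hunt for in the code base): user input becomes part
    // of the SQL text, so a quote in col1 ends the string literal and whatever
    // follows is parsed as SQL.
    public static string BuildUnsafeSql(string col1, string col2)
    {
        return "INSERT INTO tbl (col1, col2) VALUES ('" + col1 + "','" + col2 + "')";
    }

    // SAFE: the SQL text never changes; values travel as typed parameters, so
    // an input such as O'Brien is stored with its quote intact.
    public static int InsertRow(string strConnect, string col1, string col2)
    {
        using (SqlConnection con = new SqlConnection(strConnect))
        using (SqlCommand com = new SqlCommand(
            "INSERT INTO tbl (col1, col2) VALUES (@col1, @col2)", con))
        {
            // Declaring type and size avoids the type inference of AddWithValue;
            // SqlClient truncates longer input to the declared size.
            com.Parameters.Add("@col1", SqlDbType.NVarChar, 50).Value = col1;
            com.Parameters.Add("@col2", SqlDbType.NVarChar, 50).Value = col2;
            con.Open();
            return com.ExecuteNonQuery();   // rows affected
        }
    }

    // SAFE as long as the procedure does not rebuild dynamic SQL from its
    // arguments with EXEC or sp_executesql: a stored procedure is only a
    // different container for the same parameterised statement.
    public static int InsertViaProcedure(string strConnect, string col1, string col2)
    {
        using (SqlConnection con = new SqlConnection(strConnect))
        using (SqlCommand com = new SqlCommand("usp_InsertRow", con))
        {
            com.CommandType = CommandType.StoredProcedure;
            com.Parameters.Add("@col1", SqlDbType.NVarChar, 50).Value = col1;
            com.Parameters.Add("@col2", SqlDbType.NVarChar, 50).Value = col2;
            con.Open();
            return com.ExecuteNonQuery();
        }
    }
}
```

Searching the project for string concatenation that builds SQL text, the first pattern above, is the quickest way to find the query the questioner could not locate, since every such statement is one the parameterised code never protects.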

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)