
How to avoid script database hacking?

RA
Guest
 
Posts: n/a
#1: Nov 18 '05
If I get the user info from an asp.net, and based on that execute some query
against the database, how can I avoid issues like this one:

Client entered in the user name text box the following: "new;delete from users"

On server side I have:

sql = "select * from users where username = " + txtUser.Text;


Thanks,
Ronen


Wes Jackson
Guest
 
Posts: n/a
#2: Nov 18 '05

re: How to avoid script database hacking?


You should always check for dodgy characters in the string and use stored
procedures with parameters.


"RA" <ron_a1@hotmail.com> wrote in message
news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> If I get the user info from an asp.net, and based on that execute some
> query against the database, how can I avoid issues like this one:
>
> Client entered in the user name text box the following: "new;delete from
> users"
>
> On server side I have:
>
> sql = "select * from users where username = " + txtUser.Text;
>
>
> Thanks,
> Ronen
>
>


RA
Guest
 
Posts: n/a
#3: Nov 18 '05

re: How to avoid script database hacking?


How would a stored procedure help if the parameter passed to it is the input
from the text box?

"Wes Jackson" <wesjackson@hotmail.com> wrote in message
news:eDIb9fbvDHA.3224@tk2msftngp13.phx.gbl...
> You should always check for dodgy characters in the string and use stored
> procedures with parameters.
>
>
> "RA" <ron_a1@hotmail.com> wrote in message
> news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> > If I get the user info from an asp.net, and based on that execute some
> > query against the database, how can I avoid issues like this one:
> >
> > Client entered in the user name text box the following: "new;delete from
> > users"
> >
> > On server side I have:
> >
> > sql = "select * from users where username = " + txtUser.Text;
> >
> >
> > Thanks,
> > Ronen
> >
> >
>
>


Ruslan Shlain
Guest
 
Posts: n/a
#4: Nov 18 '05

re: How to avoid script database hacking?


You can also Use Stored Procs




"Wes Jackson" <wesjackson@hotmail.com> wrote in message
news:eDIb9fbvDHA.3224@tk2msftngp13.phx.gbl...
> You should always check for dodgy characters in the string and use stored
> procedures with parameters.
>
>
> "RA" <ron_a1@hotmail.com> wrote in message
> news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> > If I get the user info from an asp.net, and based on that execute some
> > query against the database, how can I avoid issues like this one:
> >
> > Client entered in the user name text box the following: "new;delete from
> > users"
> >
> > On server side I have:
> >
> > sql = "select * from users where username = " + txtUser.Text;
> >
> >
> > Thanks,
> > Ronen
> >
> >
>
>


lostinet
Guest
 
Posts: n/a
#5: Nov 18 '05

re: How to avoid script database hacking?


// The statement text is fixed; @id is a placeholder that the provider binds
// to the text box value, so the value is never spliced into the SQL.
SqlCommand cmd = new SqlCommand("select * from employees where employeeid=@id", conn);
cmd.Parameters.Add("@id", TextBox1.Text);
cmd.Execute...

"RA" <ron_a1@hotmail.com> wrote in message
news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> If I get the user info from an asp.net, and based on that execute some
> query against the database, how can I avoid issues like this one:
>
> Client entered in the user name text box the following: "new;delete from
> users"
>
> On server side I have:
>
> sql = "select * from users where username = " + txtUser.Text;
>
>
> Thanks,
> Ronen
>
>


Hans Kesting
Guest
 
Posts: n/a
#6: Nov 18 '05

re: How to avoid script database hacking?



"RA" <ron_a1@hotmail.com> wrote in message
news:eFbPGybvDHA.2448@TK2MSFTNGP12.phx.gbl...
> How would a stored procedure help if the parameter passed to it is the
> input from the text box?

In the stored procedure you don't build a SQL string to execute, but supply a
parameter as a "placeholder" for the value:

select * from mytable where name = @nameparam

If you supply a value 'new;delete from users' then the table is searched
for that exact value. The "delete" part is never treated as a command.

Hans Kesting
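The difference Hans describes, as an added example that is not from the thread: Python with sqlite3 standing in for SQL Server, a constructed users table, and the original post's input run through a bound placeholder (the same idea as lostinet's @id and Hans's @nameparam). The concatenated text from the original post is only built, not executed, so the reader can compare what each approach sends to the server.

```python
import sqlite3

# Constructed sample input: the value the original post shows a client
# typing into the user-name box.
HOSTILE_INPUT = "new;delete from users"


def make_db():
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, role text)")
    conn.executemany("insert into users values (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def build_concatenated_sql(user_input):
    """The original post's pattern: the input is pasted into the statement
    text, so the ';' ends the select and a second statement follows it."""
    return "select * from users where username = " + user_input


def lookup_parameterized(conn, user_input):
    """Hans's pattern: the statement text is fixed and ':name' is a
    placeholder; the driver binds the input as a single literal value."""
    sql = "select username, role from users where username = :name"
    return conn.execute(sql, {"name": user_input}).fetchall()


def usernames(conn):
    """Current contents of the table, used to show nothing was deleted."""
    rows = conn.execute("select username from users order by username")
    return [row[0] for row in rows]


def run_demo():
    """Returns (rows matched for the hostile value, users still in the
    table, rows matched for a real user)."""
    conn = make_db()
    hostile_rows = lookup_parameterized(conn, HOSTILE_INPUT)  # no such user
    remaining = usernames(conn)                               # table untouched
    alice_rows = lookup_parameterized(conn, "alice")
    return hostile_rows, remaining, alice_rows


if __name__ == "__main__":
    print("concatenated text:", build_concatenated_sql(HOSTILE_INPUT))
    print(run_demo())
```
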



Wes Jackson
Guest
 
Posts: n/a
#7: Nov 18 '05

re: How to avoid script database hacking?


They are also faster when executing against SQL as the code is already
compiled.

Double bonus!

"RA" <ron_a1@hotmail.com> wrote in message
news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> If I get the user info from an asp.net, and based on that execute some
> query against the database, how can I avoid issues like this one:
>
> Client entered in the user name text box the following: "new;delete from
> users"
>
> On server side I have:
>
> sql = "select * from users where username = " + txtUser.Text;
>
>
> Thanks,
> Ronen
>
>


Patrice Scribe
Guest
 
Posts: n/a
#8: Nov 18 '05

re: How to avoid script database hacking?


A Google search such as "sql code injection" will retrieve a number of
detailed papers.

In short you could:
- validate your parameters
- use parameterized queries
- use stored procedures
- others ?

Patrice

--

"RA" <ron_a1@hotmail.com> wrote in message
news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> If I get the user info from an asp.net, and based on that execute some
> query against the database, how can I avoid issues like this one:
>
> Client entered in the user name text box the following: "new;delete from
> users"
>
> On server side I have:
>
> sql = "select * from users where username = " + txtUser.Text;
>
>
> Thanks,
> Ronen
>
>

Peter Row
Guest
 
Posts: n/a
#9: Nov 18 '05

re: How to avoid script database hacking?


Hi,

One thing that using an SP doesn't necessarily guard against is:

What happens if an SP parameter is Text and you pass in a comma separated
list of numbers, which you then use in the SP like:

[some sql here - to do a temp table]

EXEC('SELECT FieldX, FieldY INTO #Temp FROM TableX WHERE TableID IN(' +
@Param + ')')

[some more sql here]

Admittedly the person doing the hack would have to know what the SP was
doing in order to ensure proper SQL syntax, but, for example, a disgruntled
employee might know this and wreak havoc.

For a comma separated list of numbers I got around this by using a regular
expression to ensure that the value I would use only contained numbers, a
comma or a space; anything else would be discarded.

Regards,
Peter

"Patrice Scribe" <nobody@nowhere.com> wrote in message
news:%23kmT8W%23vDHA.1908@TK2MSFTNGP10.phx.gbl...
> A Google search such as "sql code injection" will retrieve a number of
> detailed papers.
>
> In short you could:
> - validate your parameters
> - use parameterized queries
> - use stored procedures
> - others ?
>
> Patrice
>
> --
>
> "RA" <ron_a1@hotmail.com> wrote in message
> news:%23K5QiYbvDHA.2308@TK2MSFTNGP09.phx.gbl...
> > If I get the user info from an asp.net, and based on that execute some
> > query against the database, how can I avoid issues like this one:
> >
> > Client entered in the user name text box the following: "new;delete from
> > users"
> >
> > On server side I have:
> >
> > sql = "select * from users where username = " + txtUser.Text;
> >
> >
> > Thanks,
> > Ronen
> >
> >
>
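Peter's dynamic IN-list case, as an added example that is not from the thread, again in Python with sqlite3 standing in for SQL Server: the comma separated list is checked against Peter's digits/commas/spaces rule, and then, going one step further than concatenating the validated text into EXEC(...), it is expanded into one bound placeholder per value so no user text reaches the statement at all. The table and rows are constructed, and a value that fails the rule is rejected whole rather than cleaned up.

```python
import re
import sqlite3

# Peter's rule: the list may contain only digits, commas and spaces.
ID_LIST_RE = re.compile(r"[0-9, ]+")


def make_db():
    """In-memory stand-in for TableX with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table tablex (tableid integer primary key, fieldx text)")
    conn.executemany("insert into tablex values (?, ?)",
                     [(1, "one"), (2, "two"), (3, "three"), (4, "four")])
    return conn


def is_valid_id_list(text):
    """True when the whole string is made of digits, commas and spaces."""
    return ID_LIST_RE.fullmatch(text) is not None


def parse_id_list(text):
    """Validate the list and convert it to integers. Rejecting the whole
    value (instead of discarding characters) keeps the rule easy to audit;
    a ';', a quote or letters all fail here, before any SQL exists."""
    if not is_valid_id_list(text):
        raise ValueError("id list may contain only digits, commas and spaces")
    ids = [int(part) for part in text.split(",") if part.strip()]  # int() rejects "1 2"
    if not ids:
        raise ValueError("id list is empty")
    return ids


def select_by_ids(conn, text):
    """Replacement for EXEC('... WHERE TableID IN(' + @Param + ')'): the SQL
    text holds one '?' per id and the integer values are bound separately."""
    ids = parse_id_list(text)
    placeholders = ", ".join("?" * len(ids))
    sql = ("select tableid, fieldx from tablex where tableid in (%s) "
           "order by tableid" % placeholders)
    return conn.execute(sql, ids).fetchall()


if __name__ == "__main__":
    print(select_by_ids(make_db(), "1, 3"))  # rows 1 and 3
    print(is_valid_id_list("1; 2"))         # False: rejected before any SQL is built
```
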


girlie hinggo
Guest
 
Posts: n/a
#10: Nov 18 '05

re: How to avoid script database hacking?



hi! good morning, can you send me on how to avoid computer hacking?




*** Sent via Developersdex http://www.developersdex.com ***
Don't just participate in USENET...get rewarded for it!


Brian Henry
Guest
 
Posts: n/a
#11: Nov 18 '05

re: How to avoid script database hacking?


ASP.NET has special features to automatically catch things like people
embedding ;DELETE FROM; and other trick SQL commands that would normally be
"hacked" on web sites


"girlie hinggo" <girlitie@yahoo.com> wrote in message
news:ezPGWhPeEHA.2848@TK2MSFTNGP10.phx.gbl...
>
> hi! good morning, can you send me on how to avoid computer hacking?
>
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!


Mark Rae
Guest
 
Posts: n/a
#12: Nov 18 '05

re: How to avoid script database hacking?


"girlie hinggo" <girlitie@yahoo.com> wrote in message
news:ezPGWhPeEHA.2848@TK2MSFTNGP10.phx.gbl...
> hi! good morning, can you send me on how to avoid computer hacking?

Make sure your computer is secure... :-)

Seriously, can you be a bit more specific...?


Kevin Spencer
Guest
 
Posts: n/a
#13: Nov 18 '05

re: How to avoid script database hacking?


Turn it off.

--
;-),
Kevin Spencer
.Net Developer
Microsoft MVP
Big things are made up
of lots of little things.

"girlie hinggo" <girlitie@yahoo.com> wrote in message
news:ezPGWhPeEHA.2848@TK2MSFTNGP10.phx.gbl...
>
> hi! good morning, can you send me on how to avoid computer hacking?
>
>
>
>
> *** Sent via Developersdex http://www.developersdex.com ***
> Don't just participate in USENET...get rewarded for it!

