Visual Studio .NET - security issue abt sql injection

Asked By Raja yashwanth Reddy Gunda on 19-Jan-06 04:21 AM
about this sql injection 

iam secring userid and password in the following manners

one is using parameters,i used to login

and the other is

iam just writing query like 

select * from emp;

after this iam checking the values like this


if(textbox1.text=dr(0) and textbox2.text=dr(1)) then
response.write("Invalid user")

apart from these two ways any other ways to secured login(i.e while login the values shouldn't be injected)

help in this

SQL Injection - Asked By Jon Wojtowicz on 19-Jan-06 06:10 AM

can occur if you build your queries using string concatenation.
string sql = "select userId from users where username='" + username.Text + "' and password='" + password.Text + "'"

In this case someone could simply type in something like the following
username.Text     ' and 1=1 --
password.Text      hello
When this is concatenated with the query it becomes
"select userId from users where username='' and 1=1 --' and password='hello'
If you excute this against SQL Server the where clause wll always be true and it will return the entire users table.

To prevent this parameterized queries should be used
string sql = "select userId from users where username=@userName and password=@password"

This can also be placed in a stored procedure for additional security.

I have a little something that might help - Asked By Erik Little on 19-Jan-06 03:52 PM

you... if you would like to just use a helper class and add this to it..

My application spends alot of time talking to sql2000 and 80% of the users time on my site will be uploading and downloading information.. This is one of the many functions that i have in a helper class...
***Notice this section... you may do pretty much what ever you would like in order to best sute your needs..

If InStr(StrCheck, ";") > 0 Then

  Private Function CharterCheck(ByVal SqlSneakySaftey() As String) As Boolean
        For i As Int32 = 0 To SqlSneakySaftey.Length - 1

            Dim StrCheck As String = ""
            StrCheck = SqlSneakySaftey(i)
            If InStr(StrCheck, ";") > 0 Then
                'Inform the user that the they may not use the ";" charter
                ctx.Current.Session("TravelNotes") = "You May Not Use the" & " " & "<font color=#ff0066><b>;</b></font>" & " " & "Charter!"
                Return False
            End If

        Next i
        Return True
    End Function