prevent sql injection

Question

naraza 0 Newbie Poster

13 Years Ago

i want to search name form table but problem is tha when some one write query it also give value by this any one can delete my data to pls tell me a way to remove sql injetcion

protected void Button2_Click1(object sender, EventArgs e)
        {



            //SqlCommand cmd = new SqlCommand("DELETE FROM student WHERE ID=id", con);
            //cmd.ExecuteNonQuery();
            SqlDataAdapter adap = new SqlDataAdapter("SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname='" + TextBox2.Text + "'", con);
            adap.Fill(ds);
            grd_view.DataSource = ds;
            grd_view.DataBind();
            
            
            if (TextBox2.Text == "Firstname")
            {
                Response.Redirect("Default.aspx");
            }
        }

asp.net

Edited 13 Years Ago by kvprajapati because: added [code] tags.

3 Contributors
2 Replies
87 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by G_Waddell

hericles 289 Master Poster

13 Years Ago

The problem lies in incorporating TextBox2.Text directly into your SQL statement. Use parametised queries to avoid the issue.

string sql = "SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname= ?name;";
cmd.Parameters.Add("?name", MySQLDbType.Varchar);
cmd.Parameters["?name"].Value = textBox2.Text
SqlDataAdapter adap = new SqlDataAdapter(cmd);

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

G_Waddell 131 Posting Whiz in Training · Answer 1 · 2011-09-23T12:56:25+00:00

Hi
As well as using parameters, I'd limit the size of text that can be put in to the textbox. I'd also either parse the text for and characters you'd expect to see in a SQL injection attack such as the sql delimiter ";" and reject or replace them with empty characters.

Finally on the database (if you are using MS SQL server,) I would give the user you are using to connect to the database from the website no permissions on any tables at all and run all queries through stored procedures with permission to access them only. This means that even if the injection attack were to get to your database the statement would and could not be executed.