The sensitive information in database of an organization can be stolen through sql injection attack by hackers. These attacks are often referred to as front end attack which takes place due to inappropriate coding. In these attacks SQL commands using sql statements are inserted in the code by hackers.
These attacks takes place as database can be queried directly through the fields which are available for user inputs These user input fields allows sql statements to easily pass through.
insert into tblemployee(employeeName,employeepwd,address)values('deepak','123456','Delhi');
insert into tblemployee(employeeName,employeepwd,address)values('vaibhav','123456','Noida');
insert into tblemployee(employeeName,employeepwd,address)values('suraj','123456','Gurgaon');
insert into tblemployee(employeeName,employeepwd,address)values('arnesh','123456','Delhi');
In Asp.net two textboxes are defined one for employeename and other for employee password in order to check user credentials.
The following query string is to be executed in Asp.net :-
"SELECT * FROM tblemployee WHERE employeeName = '"+ txtEmployeeName.text +"' and employeepwd = '"+ txtPwd.text +"'";
Now for injection attack hacker will pass following input to textboxes :-
"SELECT * FROM tblemployee WHERE employeeName = ';Drop table tblemployee --' and employeepwd = '12345678'";
In above querystring txtEmployeeName.text is ;Drop table tblemployee -- and txtPwd.text is 12345678.
A soon as semicolon is encountered in above querystring it will break the current sql statement.
SELECT * FROM tblemployee WHERE employeeName = '' becomes one statement whereas statement after ; Drop table tblemployee becomes another statement leading to droping of table tblemployee from database and database becomes unmanageable.
Solution for SQL Injection Attack
SQL statement should be build using SqlParameter for defining the Parameter Name, type, and value instead of defining a straight command.
CommandType should be specified as Text or Stored Procedure in asp.net query.
If stored procedure are being used, sp_executesql command should be used instead of Exec command.
Another solution to stop SQL injection attack is filtering of the user input for SQL characters. A single apostrophe can be replaced with additional apostrophe using REPLACE function. Two consecutive single quotation marks are treated as an apostrophe character instance within the string.