SQL INJECTION EXAMPLE IN ASP.NET USING C#
In this post I explain and demonstrate what a SQL injection attack looks like in an ASP.NET Web Forms page, and how to prevent SQL injection in ASP.NET using C#.
SQL INJECTION
SQL injection means injecting SQL commands, through a web form input, into the SQL statements your application builds, so that an attacker can read, change or delete the data in your tables.
Here are the steps to reproduce a SQL injection and then prevent it.
Create a table tbl_Employee in your database and fill it with some dummy data, as given below:
Default.aspx code:

<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <style type="text/css">
        .style1
        {
            width: 100%;
        }
        .style2
        {
            width: 184px;
        }
    </style>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <h2><b>SQL Injection Examples</b></h2>
    </div><br />
    <div>
        <table class="style1">
            <tr>
                <td class="style2">
                    Enter Employee Code</td>
                <td>
                    <asp:TextBox ID="txtEmpCode" runat="server"></asp:TextBox>
                </td>
            </tr>
            <tr>
                <td class="style2">
                </td>
                <td>
                    <%-- OnClick wires the button to BtnSearch_Click in the code-behind;
                         AutoEventWireup only binds Page_* events, so without it the
                         handler never runs --%>
                    <asp:Button ID="BtnSearch" runat="server" Text="Search" OnClick="BtnSearch_Click" />
                </td>
            </tr>
            <tr>
                <td class="style2">
                </td>
                <td>
                    <asp:GridView ID="GridView1" runat="server">
                    </asp:GridView>
                </td>
            </tr>
        </table>
    </div>
    </form>
</body>
</html>
After the aspx page compiles, write the following code in the .cs (code-behind) page:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page
{
    string ConnectionString = "Data Source=MYPC;Initial Catalog=Test;User ID=sa;Password=abc";
    SqlConnection con;

    protected void Page_Load(object sender, EventArgs e)
    {
        con = new SqlConnection(ConnectionString);
    }

    protected void BtnSearch_Click(object sender, EventArgs e)
    {
        try
        {
            if (con.State == ConnectionState.Closed)
            {
                con.Open();
            }
            // VULNERABLE: the text box value is concatenated straight into the SQL
            // statement, so whatever the user types becomes part of the query itself.
            using (SqlDataAdapter adpt = new SqlDataAdapter(
                "SELECT * FROM tbl_Employee WHERE EmpCode=" + txtEmpCode.Text, con))
            {
                DataTable dt = new DataTable();
                adpt.Fill(dt);
                if (dt.Rows.Count > 0)
                {
                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                }
            }
        }
        catch
        {
            throw;
        }
        finally
        {
            con.Close();
        }
    }
}
Now run the above code and enter 101 OR 1=1 in the text box. The search returns every row in the table, because the text box value turns the query into:
SELECT * FROM tbl_Employee WHERE EmpCode=101 OR 1=1
The WHERE clause now matches EmpCode=101 or 1=1, and 1=1 is always true, so all rows present in the table are returned.
To prevent SQL injection, always write a parameterized query, as given below.
protected void BtnSearch_Click(object sender, EventArgs e)
{
    try
    {
        if (con.State == ConnectionState.Closed)
        {
            con.Open();
        }
        // SAFE: the value travels as a typed parameter and is never spliced
        // into the SQL text, so it cannot change the statement's structure.
        using (SqlCommand cmd = new SqlCommand(
            "SELECT * FROM tbl_Employee WHERE EmpCode=@EmpCode", con))
        {
            // EmpCode is an integer column: validate the input as an int first
            // instead of handing a raw string to SqlClient to convert.
            int empCode;
            if (!int.TryParse(txtEmpCode.Text, out empCode))
            {
                return; // not a valid employee code; nothing to search
            }
            cmd.Parameters.Add("@EmpCode", SqlDbType.Int).Value = empCode;
            // SqlDataAdapter.Fill executes the command; no separate
            // ExecuteNonQuery call is needed for a SELECT.
            using (SqlDataAdapter adpt = new SqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                adpt.Fill(dt);
                if (dt.Rows.Count > 0)
                {
                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                }
            }
        }
    }
    catch
    {
        throw;
    }
    finally
    {
        con.Close();
    }
}
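As an added worked example (not part of the original post, and not the author's code), here are the two handlers above reproduced in Python with sqlite3, so the difference can be checked offline without a SQL Server instance: the concatenated query, the parameterized query, and the parameterized query with integer validation, all run against a constructed in-memory tbl_Employee. The EmpName column and the sample rows are assumptions, since the post never shows the table's contents.

```python
import sqlite3

# Constructed sample data standing in for the tutorial's tbl_Employee.
# Assumption: the post does not show the table's columns, so EmpName is invented.
SAMPLE_EMPLOYEES = [
    (101, "Asha"),
    (102, "Ravi"),
    (103, "Meera"),
]


def open_db() -> sqlite3.Connection:
    """Create an in-memory database holding the constructed tbl_Employee rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tbl_Employee (EmpCode INTEGER, EmpName TEXT)")
    con.executemany("INSERT INTO tbl_Employee VALUES (?, ?)", SAMPLE_EMPLOYEES)
    con.commit()
    return con


def build_concatenated_sql(user_text: str) -> str:
    """The statement the tutorial's first handler sends to the server:
    the text box value is pasted directly into the SQL text."""
    return "SELECT * FROM tbl_Employee WHERE EmpCode=" + user_text


def search_vulnerable(con: sqlite3.Connection, user_text: str) -> list:
    """Vulnerable path: the input becomes part of the SQL grammar, so
    '101 OR 1=1' rewrites the WHERE clause and returns every row."""
    return con.execute(build_concatenated_sql(user_text)).fetchall()


def search_parameterized(con: sqlite3.Connection, user_text: str) -> list:
    """Parameterized path, like the tutorial's fix: the SQL text is fixed and
    the input is bound as a single value, never interpreted as code."""
    return con.execute(
        "SELECT * FROM tbl_Employee WHERE EmpCode=?", (user_text,)
    ).fetchall()


def search_validated(con: sqlite3.Connection, user_text: str):
    """Parameterized plus input validation: EmpCode is an integer column, so
    anything that is not an integer is rejected before the database is touched
    (the equivalent of int.TryParse guarding a SqlDbType.Int parameter).
    Returns None for invalid input, otherwise the matching rows."""
    try:
        code = int(user_text.strip())
    except ValueError:
        return None  # caller shows a validation message instead of querying
    return con.execute(
        "SELECT * FROM tbl_Employee WHERE EmpCode=?", (code,)
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    attack = "101 OR 1=1"
    print("query sent:", build_concatenated_sql(attack))
    print("vulnerable:", search_vulnerable(db, attack))        # all three rows
    print("parameterized:", search_parameterized(db, attack))  # no rows
    print("validated:", search_validated(db, attack))          # None
    print("validated, normal input:", search_validated(db, "101"))
```

In the parameterized path the whole string 101 OR 1=1 is compared as one value against the integer column, so it matches nothing while a plain 101 still matches; ADO.NET's SqlDbType.Int parameter would instead fail to convert the non-numeric string before the query runs, which is what the explicit integer check in search_validated makes visible to the user rather than leaving it to an exception.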
Written by: Ravi Kumar Soni
Nice code Ravi, it's helpful.