SQL INJECTION EXAMPLE IN ASP.NET USING C#
In this post, I am going to explain and demonstrate what SQL injection attacks are in an ASP.NET Web Forms application and how to prevent them using C#.
SQL INJECTION
SQL injection means injecting SQL commands into your application's SQL statements through its web forms, so that an attacker can read, change or delete the data in your tables.
The steps below show how a SQL injection works against this page and how to prevent it.
Create a table tbl_Employee in your database (with an integer EmpCode column, which the code below queries) and fill it with some dummy data.
Default.aspx code:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<style type="text/css">
.style1
{
width: 100%;
}
.style2
{
width: 184px;
}
</style>
</head>
<body>
<form id="form1" runat="server">
<div>
<h2><b>SQL Injection Examples</b></h2>
</div><br />
<div>
<table class="style1">
<tr>
<td class="style2">
Enter Employee Code</td>
<td>
<asp:TextBox ID="txtEmpCode" runat="server"></asp:TextBox>
</td>
</tr>
<tr>
<td class="style2">
</td>
<td>
<asp:Button ID="BtnSearch" runat="server" Text="Search" OnClick="BtnSearch_Click" />
</td>
</tr>
<tr>
<td class="style2">
</td>
<td>
<asp:GridView ID="GridView1" runat="server">
</asp:GridView>
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
After the aspx page compiles, write the following code in the code-behind (.cs) file. This first version is deliberately vulnerable:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Data;
using System.Data.SqlClient;

public partial class _Default : System.Web.UI.Page
{
    // Sample connection string from the post; replace with your own server and credentials.
    string ConnectionString = "Data Source=MYPC;Initial Catalog=Test;User ID=sa;Password=abc";
    SqlConnection con;

    protected void Page_Load(object sender, EventArgs e)
    {
        con = new SqlConnection(ConnectionString);
    }

    protected void BtnSearch_Click(object sender, EventArgs e)
    {
        try
        {
            if (con.State == ConnectionState.Closed)
            {
                con.Open();
            }
            // VULNERABLE: the text box value is concatenated straight into the SQL text,
            // so whatever the user types becomes part of the WHERE clause.
            using (SqlDataAdapter adpt = new SqlDataAdapter("SELECT * FROM tbl_Employee WHERE EmpCode=" + txtEmpCode.Text, con))
            {
                DataTable dt = new DataTable();
                adpt.Fill(dt);
                if (dt.Rows.Count > 0)
                {
                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                }
            }
        }
        finally
        {
            con.Close();
        }
    }
}
Now run the code above and enter 101 OR 1=1 in the text box.
It returns all rows from the table, because the text box value turns the query into:
SELECT * FROM tbl_Employee WHERE EmpCode=101 OR 1=1
The database checks EmpCode=101 and also 1=1, which is always true, so every row in the table is returned.
To prevent SQL injection, always write a parameterized query, as shown below:
protected void BtnSearch_Click(object sender, EventArgs e)
{
    // EmpCode is an integer column, so reject anything that is not a whole number before it
    // reaches the database. Input such as "101 OR 1=1" stops here instead of throwing a
    // conversion error when the command executes.
    int empCode;
    if (!int.TryParse(txtEmpCode.Text.Trim(), out empCode))
    {
        GridView1.DataSource = null;
        GridView1.DataBind();
        return;
    }
    try
    {
        if (con.State == ConnectionState.Closed)
        {
            con.Open();
        }
        // The SQL text is fixed; the user's value travels separately as a typed parameter,
        // so it is never parsed as part of the WHERE clause.
        using (SqlCommand cmd = new SqlCommand("SELECT * FROM tbl_Employee WHERE EmpCode=@EmpCode", con))
        {
            cmd.Parameters.Add("@EmpCode", SqlDbType.Int).Value = empCode;
            using (SqlDataAdapter adpt = new SqlDataAdapter(cmd))
            {
                DataTable dt = new DataTable();
                adpt.Fill(dt); // Fill executes the command itself; no separate ExecuteNonQuery is needed
                if (dt.Rows.Count > 0)
                {
                    GridView1.DataSource = dt;
                    GridView1.DataBind();
                }
            }
        }
    }
    finally
    {
        con.Close();
    }
}
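To see the difference without a database, here is an added console example (my own code, not part of the post) that builds the same employee search both ways. The class name EmpSearch and the method names are my own; the input 101 OR 1=1 is the sample from the post, and no connection is opened, so only the SQL text and parameter value are shown.

```csharp
// Added example: contrasts string concatenation with a parameterized SqlCommand for the
// tbl_Employee search from this post. No database is needed; nothing is executed.
using System;
using System.Data;
using System.Data.SqlClient;

public static class EmpSearch
{
    // Vulnerable: the user's text becomes part of the SQL grammar.
    public static string ConcatenatedSql(string userInput)
    {
        return "SELECT * FROM tbl_Employee WHERE EmpCode=" + userInput;
    }

    // Safe: the SQL text is constant; the input travels as a typed parameter value.
    // Returns null when the input is not a whole number, so the caller can show a
    // validation message instead of hitting a conversion error at execution time.
    public static SqlCommand ParameterizedCommand(string userInput, SqlConnection con)
    {
        int empCode;
        if (!int.TryParse(userInput.Trim(), out empCode))
            return null;

        SqlCommand cmd = new SqlCommand("SELECT * FROM tbl_Employee WHERE EmpCode=@EmpCode", con);
        cmd.Parameters.Add("@EmpCode", SqlDbType.Int).Value = empCode;
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample inputs: a normal employee code and the post's injection string.
        string[] inputs = { "101", "101 OR 1=1" };
        foreach (string input in inputs)
        {
            Console.WriteLine("Input: " + input);
            Console.WriteLine("  concatenated : " + ConcatenatedSql(input));
            SqlCommand cmd = ParameterizedCommand(input, null);
            if (cmd == null)
                Console.WriteLine("  parameterized: rejected, not an integer");
            else
                Console.WriteLine("  parameterized: " + cmd.CommandText
                                  + "  with @EmpCode = " + cmd.Parameters["@EmpCode"].Value);
        }
    }
}
```

For the second input the concatenated text contains the injected OR 1=1 clause, while the parameterized path rejects it before any SQL is built.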
Written by: Ravi Kumar Soni