Channel: Programming – Rey Rahadian

What is SQL Injection?


It is a technique for attacking software, whether a desktop application or a website, as long as a database server sits behind it. The attacker supplies malicious input in an attempt to make the application run a dangerous query it never intended to run.

Example:

select * from Products where ProductName = 'Car'

This will return all products whose product name is Car.

Imagine the Car value comes from a text input on a form somewhere. What would happen if we entered something like this instead?

select * from Products where ProductName = ''; delete from Products --'

This query will delete all data from our Products table (assuming the running database user has permission to do so), which is clearly not good.

Issues like this commonly occur in code that concatenates strings to form a query.

What should we do?

  • Do not concatenate strings to form a query.
  • Use parameterized queries to execute queries; ORM tools such as EF use parameterized queries.
  • Turn on custom error pages in production to avoid giving crucial information to malicious users.
  • Give the running database user only the permissions it needs: do not grant rights to modify tables or create new records if you only need read-only operations.
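The following is an added example written for this page, not code from the original post. It puts the concatenated query from above next to its parameterized fix and shows the last bullet in action: the same vulnerable code, run through a connection that is only allowed to read, cannot delete anything. It uses Python's standard sqlite3 module with an in-memory database and a constructed three-row Products table; `executescript` stands in for database APIs that run several statements in one call, and `PRAGMA query_only` stands in for a database login that only has SELECT rights (SQLite has no user accounts of its own). The input string is the one from the post; all function names are assumptions.

```python
import sqlite3

# Constructed sample rows for a tiny Products table (not from the post).
SAMPLE_PRODUCTS = ["Car", "Bike", "Boat"]

# The malicious input shown in the post. Pasted into the query text it
# closes the string literal, adds a second statement, and comments out
# the rest of the original query.
PAYLOAD = "'; delete from Products --"


def make_db(read_only=False):
    """Create an in-memory Products table.

    read_only=True models a database user that only has read rights: SQLite's
    query_only pragma makes every write on this connection fail."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Products (ProductName text)")
    conn.executemany("insert into Products values (?)",
                     [(p,) for p in SAMPLE_PRODUCTS])
    conn.commit()
    if read_only:
        conn.execute("pragma query_only = 1")
    return conn


def count_products(conn):
    """Number of rows currently in Products."""
    return conn.execute("select count(*) from Products").fetchone()[0]


def build_query_by_concatenation(product_name):
    """The vulnerable pattern from the post: input is glued into the SQL text."""
    return "select * from Products where ProductName = '" + product_name + "'"


def search_vulnerable(conn, product_name):
    """Run the concatenated query with a call that accepts a batch of
    statements (executescript here; SqlCommand and friends behave the same
    with ';'-separated text). Returns the row count left in Products."""
    sql = build_query_by_concatenation(product_name)
    conn.executescript(sql)
    return count_products(conn)


def search_parameterized(conn, product_name):
    """The fix: the SQL text is constant and the input travels as a bound
    value. Whatever the input contains, it can only ever be a product name."""
    rows = conn.execute(
        "select * from Products where ProductName = ?", (product_name,)
    ).fetchall()
    return [r[0] for r in rows]


def search_vulnerable_read_only(product_name):
    """Same vulnerable code, but on a read-only connection (least privilege).
    Returns ("refused", rows_left) when the database rejects the write."""
    conn = make_db(read_only=True)
    try:
        search_vulnerable(conn, product_name)
        return ("executed", count_products(conn))
    except sqlite3.OperationalError:
        return ("refused", count_products(conn))


if __name__ == "__main__":
    print("concatenated SQL:", build_query_by_concatenation(PAYLOAD))
    print("rows left after vulnerable search:", search_vulnerable(make_db(), PAYLOAD))
    print("parameterized search result:", search_parameterized(make_db(), PAYLOAD))
    print("vulnerable search on read-only user:", search_vulnerable_read_only(PAYLOAD))
```

Running it shows the three outcomes side by side: the concatenated version empties the table, the parameterized version simply finds no product with that odd name and leaves all rows in place, and the read-only connection turns the same concatenation bug into a refused write, which is exactly why the running user should get no more rights than the operation needs.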

