|
database
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
sql injection questionCould Textbox1.text or textbox2.text be hacked in anyway to allow for sql
injection in the example below or is this as safe as it gets? Many thanks. Shahriar mysql = "select * from mytable where username=@username and password=@password" da.SelectCommand = New SqlCommand(mysql, cn) da.SelectCommand.Parameters.AddWithValue("@username", TextBox1.Text) da.SelectCommand.Parameters.AddWithValue("@password", TextBox2.Text) I think it would be much safer to use a stored procedure, personally.
(Though another factor is how you're using the parameters once they get into your stored procedure.) Depending on how you are later using the mysql variable, what you have there doesn't seem the safest path to me. A Show quoteHide quote "Shahriar" <Shahr***@discussions.microsoft.com> wrote in message news:23CE6EF2-BF62-45E2-9F98-CCBE526E731A@microsoft.com... > Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql > injection in the example below or is this as safe as it gets? > > Many thanks. > Shahriar > > mysql = "select * from mytable where username=@username and > password=@password" > da.SelectCommand = New SqlCommand(mysql, cn) > da.SelectCommand.Parameters.AddWithValue("@username", > TextBox1.Text) > da.SelectCommand.Parameters.AddWithValue("@password", > TextBox2.Text) > > Aaron -
Thanks for your quick reply. Assuming what you see in the code below. In this case I dont want to use a SP(eventhough it may be better). My question is, in the example given below, what could a user possibly place in textbox1.text or textbox2.text to cause harm. Please add this statement to the last line of code. da.fill(ds) Thanks. Shahirar Show quoteHide quote "Aaron Bertrand [SQL Server MVP]" wrote: > I think it would be much safer to use a stored procedure, personally. > (Though another factor is how you're using the parameters once they get into > your stored procedure.) Depending on how you are later using the mysql > variable, what you have there doesn't seem the safest path to me. > > A > > > > "Shahriar" <Shahr***@discussions.microsoft.com> wrote in message > news:23CE6EF2-BF62-45E2-9F98-CCBE526E731A@microsoft.com... > > Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql > > injection in the example below or is this as safe as it gets? > > > > Many thanks. > > Shahriar > > > > mysql = "select * from mytable where username=@username and > > password=@password" > > da.SelectCommand = New SqlCommand(mysql, cn) > > da.SelectCommand.Parameters.AddWithValue("@username", > > TextBox1.Text) > > da.SelectCommand.Parameters.AddWithValue("@password", > > TextBox2.Text) > > > > > > > Shahriar wrote:
> Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql I'm not all that familiar with SQL Injection techniques, but given that> injection in the example below or is this as safe as it gets? > > Many thanks. > Shahriar > > mysql = "select * from mytable where username=@username and > password=@password" > da.SelectCommand = New SqlCommand(mysql, cn) > da.SelectCommand.Parameters.AddWithValue("@username", TextBox1.Text) > da.SelectCommand.Parameters.AddWithValue("@password", TextBox2.Text) username and password would both be in single quotes when the SQL is generated, it wouldn't matter what TextBox1 or TextBox2 contained, would it? You wrote
> I'm not all that familiar with SQL Injection techniques, but given that No records will be found, even if textbox1.text and textbox2.text contained > username and password would both be in single quotes when the SQL is > generated, it wouldn't matter what TextBox1 or TextBox2 contained, > would it? single quotes or even left blank. So that is okay. Show quoteHide quote "Chris Lim" wrote: > Shahriar wrote: > > Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql > > injection in the example below or is this as safe as it gets? > > > > Many thanks. > > Shahriar > > > > mysql = "select * from mytable where username=@username and > > password=@password" > > da.SelectCommand = New SqlCommand(mysql, cn) > > da.SelectCommand.Parameters.AddWithValue("@username", TextBox1.Text) > > da.SelectCommand.Parameters.AddWithValue("@password", TextBox2.Text) > > I'm not all that familiar with SQL Injection techniques, but given that > username and password would both be in single quotes when the SQL is > generated, it wouldn't matter what TextBox1 or TextBox2 contained, > would it? > > Shahriar wrote:
> No records will be found, even if textbox1.text and textbox2.text contained Yeah, I *think* SQL Injection is mainly a problem when you have numeric> single quotes or even left blank. So that is okay. fields where the user can enter text, or for text fields when the SQL being generated does not cater for embedded quotes. But since you are not generating the SQL yourself you shouldn't have to worry about the embedded quotes. Chris This parameterized ad-hoc SQL will prevent sql injection. However, it isn't
as secure as the equivalent stored procedure because direct permissions on the underlying tables are required. A hacker that somehow gains access to your system in the same security context could also run ad-hoc SQL. With a proc, direct table permissions are not needed so you have an additional layer of security as well as a well-defined database interface. -- Show quoteHide quoteHope this helps. Dan Guzman SQL Server MVP "Shahriar" <Shahr***@discussions.microsoft.com> wrote in message news:23CE6EF2-BF62-45E2-9F98-CCBE526E731A@microsoft.com... > Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql > injection in the example below or is this as safe as it gets? > > Many thanks. > Shahriar > > mysql = "select * from mytable where username=@username and > password=@password" > da.SelectCommand = New SqlCommand(mysql, cn) > da.SelectCommand.Parameters.AddWithValue("@username", > TextBox1.Text) > da.SelectCommand.Parameters.AddWithValue("@password", > TextBox2.Text) > > Of course, the extra security benefits only exist if you are not already
connecting as a user with DBO rights. You need to remember to also take the time to create an application account or role, and only assign it the rights it needs (i.e. stored procedures). Show quoteHide quote "Dan Guzman" <guzmanda@nospam-online.sbcglobal.net> wrote in message news:uGy9vYM2GHA.1288@TK2MSFTNGP03.phx.gbl... > This parameterized ad-hoc SQL will prevent sql injection. However, it isn't > as secure as the equivalent stored procedure because direct permissions on > the underlying tables are required. A hacker that somehow gains access to > your system in the same security context could also run ad-hoc SQL. With a > proc, direct table permissions are not needed so you have an additional > layer of security as well as a well-defined database interface. > > -- > Hope this helps. > > Dan Guzman > SQL Server MVP > > "Shahriar" <Shahr***@discussions.microsoft.com> wrote in message > news:23CE6EF2-BF62-45E2-9F98-CCBE526E731A@microsoft.com... > > Could Textbox1.text or textbox2.text be hacked in anyway to allow for sql > > injection in the example below or is this as safe as it gets? > > > > Many thanks. > > Shahriar > > > > mysql = "select * from mytable where username=@username and > > password=@password" > > da.SelectCommand = New SqlCommand(mysql, cn) > > da.SelectCommand.Parameters.AddWithValue("@username", > > TextBox1.Text) > > da.SelectCommand.Parameters.AddWithValue("@password", > > TextBox2.Text) > > > > > > 
Other interesting topics
Query help
xp_cmdshell - works with string in one format but not in another - Need help with self-join done in a single statement SQL problem to solve... passing a table from one sp to another sp Temp Table Indexing?? data disappearing in a trigger Are operations in a stored procedure treated as a transaction getting sa password |
|||||||||||||||||||||||
