Hack SQL Injection with prevention (Secure your web site )

Dear All,
I am always curios about hacking not in destructive manner but how to prevent my sites from hacking.
So one of the thing which I want to share with you is “SQL Injection “. SQL Injection is a unique way by which you can play with database of the site.
Firstly I give you a brief introduction about SQL injection and then I will provide you information how to prevent your site by SQL injection.
So SQL injections are just like SQL statements or we can say combination of SQL statements which can be used as destructive manner by hackers.
And you cannot believe how SQL Server is powerful. With the help of” xp_cmdShell “command then end user (hacker) can crash your server too. With the help of “xp_cmdShell” you can do many things like delete file, delete dir, shutdown even format too.
So first let me show you basic example
Suppose you have login screen
Hacking
on which you have done following code to validate user on
protected void btnLogin_Click(object sender, EventArgs e)
{
String connectionString = ConfigurationManager.ConnectionStrings[“ConnectionString”].ConnectionString;
SqlConnection sqlcon = new SqlConnection(connectionString);
SqlCommand sqlcmd = new SqlCommand();
sqlcmd.CommandText = “SELECT * FROM tblUser WHERE strUserName ='” + txtUserName.Text + “‘ AND strPassword ='” + txtPassword.Text + “‘”;
sqlcmd.CommandType = CommandType.Text;
sqlcmd.Connection = sqlcon;
SqlDataAdapter sda = new SqlDataAdapter();
sda.SelectCommand = sqlcmd;
DataSet ds = new DataSet();
sda.Fill(ds);
if (ds.Tables[0].Rows.Count > 0)
{
Response.Write(“Valid user”);
}else{
Response.Write(“Invalid user”);
}
}

Now if you see here we have directly used txtUserName, and txtPassword value here.

Now if end user enters following value as shown your screen.
SQL Injection
Now put break point on your sqlcommand statement and see what value going on.
You will find following SQL command.
SELECT * FROM tblUser WHERE strUserName =’Rajat’ OR ‘1’ =’1’ AND password =’test’ OR ‘1’ =’1’
Now when you run this command in your SQL Browser you will be surprised that it returns all the Records. So this is power of SQL injection with just “OR “statement.

Prevent hacking
Now if you have aware of SQL Server than you understand “;” (semicolon) & — (dash dash) means.
“;” semicolon means current statement is completed and — (dash dash) means comment.
So suppose, if I enter semicolon combination with update command on my username password screen then what happen
SELECT * FROM tblUser WHERE strUserName =’RAJAT’ OR ‘1’=’1’ ; update tblUser set password =’’; —

Other than this a hacker can user various combination like this.

Now question came in your mind how to prevent this.
So here are the basic things by which you can prevent your site by SQL injections
1) Apply check for special character on login form textbox
2) Use storedprocedures
3) Use encrypted password
I hope you will be more secure programmer now so enjoy secure sites.

In future i will provide you how a hacker can hack your site and how can you prevent your site.

Thanks
Rajat Jaiswal

Advertisements

4 thoughts on “Hack SQL Injection with prevention (Secure your web site )

  1. Really useful man. thanks for this posting. Can you please explain something about web hacking, phishing and some more samples for SQL injection…?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s