Asp.Net SqlServer Injection attack

Posted on 2012-08-21
Last Modified: 2012-08-23
in the following example it is possible to have an sql injection attack?

To query some products for ex. the swebsite returns the following link:

After this code  query some records to display:
Dim cat As String=Request.QueryString("IdCat")
Dim Index as String=Request.QueryString("Index")
SqlStr = "Select name,price from products where idcat=" & Cat & " and index= " & index
adapter = New SqlDataAdapter(SqlString, conn)
adapter.Fill(dataset, "Products")
How can prevent.
Question by:rflorencio

    Assisted Solution

    LVL 53

    Assisted Solution

    Some other interesting articles about this subject

    How To: Protect From SQL Injection in ASP.NET

    Stop SQL Injection Attacks Before They Stop You
    LVL 26

    Accepted Solution

    Hi rflorencio,

    Probably the best defence against SQL injection is to use a stored procedure rather than concatenated SQL.
    CREATE PROCEDURE [dbo].[Products_Sel]
    	 @IdCat int = 0  -- modify types as required
    	,@Index int = 0
      SELECT name,price 
      FROM products 
      WHERE idcat=@IdCat and [index]=@Index
    -- Testing
    -- exec Products_Sel 2, 6

    Open in new window

    Then on your page something like this:
    <%@ Page Language="VB" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "">
    <script runat="server">
    <html xmlns="">
    <head runat="server">
      <form id="form1" runat="server">
          Select CategoryID: 
          <asp:DropDownList ID="CatDropDownList" runat="server" AutoPostBack="True">
            <asp:ListItem Selected="True" Value="1">Cat1</asp:ListItem>
            <asp:ListItem Value="2">Cat2</asp:ListItem>
          </asp:DropDownList><br />
         Select Index: <asp:DropDownList ID="IndexDropDownList" runat="server" 
            <asp:ListItem Value="1">Index1</asp:ListItem>
            <asp:ListItem Value="2">Index2</asp:ListItem>
          <asp:DataList ID="ProductsDataList" runat="server" DataSourceID="ProductsSqlDataSource">
              <asp:Label ID="nameLabel" runat="server" Text='<%# Eval("name") %>' />
              <br />
              <asp:Label ID="priceLabel" runat="server" Text='<%# Eval("price") %>' />
              <br />
              <br />
              ID="ProductsSqlDataSource" runat="server" ConnectionString="<%$ ConnectionStrings:cnAkoJo %>"
              SelectCommand="Products_Sel" SelectCommandType="StoredProcedure" >
                <asp:ControlParameter ControlID="CatDropDownList" Name="IdCat" 
                  PropertyName="SelectedValue" Type="Int32" />
                <asp:ControlParameter ControlID="IndexDropDownList" Name="Index" 
                  PropertyName="SelectedValue" Type="Int32" />

    Open in new window

    Nobody types anything in, no SQL injection!

    Alan ";0)

    Author Comment

    Hi  alanwarren,

    Even if i do not use stored procedures in some cases, using parameters in queries, has the same effect right?
    LVL 26

    Expert Comment

    by:Alan Warren
    Well, IMHO no.

    The point is that when using a stored procedure your only sending the name of the stored procedure and any associated parameters up the wire, but using concatenated SQL you are sending the entire executable SQL script, which could be intercepted and modified along the way.

    I think interception is highly unlikely but it could happen.

    However, when using a stored procedure, in the event of malicious interception, you are not giving out much information about your db structure (field names, table names etc...), that's why it's considered best defence against sql injection.


    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    What Security Threats Are You Missing?

    Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

    IntroductionWhile developing web applications, a single page might contain many regions and each region might contain many number of controls with the capability to perform  postback. Many times you might need to perform some action on an ASP.NET po…
    Occasionally there is a need to clean table columns, especially if you have inherited legacy data. There are obviously many ways to accomplish that, including elaborate UPDATE queries with anywhere from one to numerous REPLACE functions (even within…
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

    759 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    14 Experts available now in Live!

    Get 1:1 Help Now