Saturday, November 12, 2011

SQL Injection Problem, Example and Solution for Preventing






What is SQL Injection Problem? SQL injection is a strategy for attacking databases: the attacker supplies input that the application concatenates into an SQL statement, so that the input is parsed as part of the statement instead of being treated as plain data.


Example of SQL Injection Problem: An ASP page asks the user for a name and a password, and then sends the following string to the database:
SELECT * FROM users WHERE username = 'whatever' AND password = 'mypassword'


It seems safe, but it isn't. A user might enter something like this as her user name:
' OR 1>0 --


When this is plugged into the SQL statement, the result looks like this:
SELECT * FROM users WHERE username = '' OR 1>0 -- AND password = ''


This injection comments out the password portion of the statement, and the OR 1>0 condition is true for every row. The query therefore returns every row in the users table instead of zero or one, so the login check succeeds and any user could get into your system without knowing a password.


How to Prevent SQL Injection Problem:
There are numerous ways a malicious user might penetrate your system using SQL injection, and various defenses against it, but the simplest approach is to avoid dynamic SQL. Instead, use stored procedures everywhere. Stored procedures only help when the user's values reach them as parameters; a procedure that builds its own dynamic SQL from those values is just as injectable. Parameterized (prepared) statements, where the statement text is fixed and the values are bound separately, give the same protection from ordinary application code.
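The following is an added example, not code from the original post. It shows the vulnerable login query from above written with string concatenation, next to the same query written with bound parameters, and runs both against a constructed in-memory SQLite table with two made-up users. Python's sqlite3 module has no stored procedures, so the parameterized statement stands in for the post's recommendation: in both cases the statement text is fixed and the user's values are passed separately, which is exactly what stops the injected text from being parsed as SQL. The table name, column names and sample users are assumptions for this demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (not from the post).

    Passwords are stored in clear text only to mirror the post's query;
    a real system stores a salted password hash instead.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_dynamic_sql(conn, username, password):
    """The vulnerable pattern from the post: the statement is built by
    concatenating user input, so the input can change its meaning."""
    sql = (
        "SELECT * FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn, username, password):
    """The fix: the statement text never changes; the driver binds the
    values as data, so quote characters and comment markers in the
    input are just characters inside a string value."""
    sql = "SELECT * FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchall()


if __name__ == "__main__":
    db = make_db()
    injected = "' OR 1>0 --"  # the post's example user name
    # Dynamic SQL: the comment swallows the password check and 1>0 is
    # true for every row, so every user is returned.
    print("dynamic SQL rows:", len(login_dynamic_sql(db, injected, "")))
    # Parameterized: the same text is compared literally to the username
    # column, matches nobody, and no rows come back.
    print("parameterized rows:", len(login_parameterized(db, injected, "")))
```

Running the script prints 2 rows for the dynamic query and 0 for the parameterized one; a legitimate user name and password return exactly one row through either function, which is the behaviour a login check needs.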
