- SQL Injection is a code injection technique.
- It is the placement of malicious code in SQL strings.
- SQL Injection is one of the most common web hacking techniques.
- These attacks only work with apps that internally use SQL.
First we create a table Customer in SQL Server:

create table Customer
(
SrNo int identity(1,1),
Name varchar(50),
Gender varchar(50),
Email_Id varchar(50) primary key,
Password varchar(50),
salary int
)

Then we insert values into the table:

insert into Customer values('Deepak','Male','deepak@gmail.com','1234',456789)

After the insert we search for the data through Email_Id and Password:

select * from Customer where Email_Id='deepak@gmail.com' and Password='1234'

This time we have no knowledge of the data present in the Customer table, but we can still easily find the output with the queries given below:
- select * from Customer where Email_Id='deepak@gmail.com' or 1=1
- SELECT * FROM Customer WHERE Email_Id='' or '1'='1' and Password='' or '1'='1'
As you can see from the queries above, we easily find the data in the table even without knowing a valid Email_Id or Password. For this reason Microsoft introduced the parameter concept.
******************************************************************
Let's see the value we pass without parameters in a web application in Visual Studio .NET.
HTML code of LogIn:
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title></title>
<style type="text/css">
.auto-style1 {
width: 100%;
}
.auto-style2 {
height: 26px;
}
</style>
</head>
<body style="height: 268px">
<form id="form1" runat="server">
<div>
<table class="auto-style1">
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td>Email_id</td>
<td>
<asp:TextBox ID="txtEmail" runat="server"></asp:TextBox>
</td>
</tr>
<tr>
<td class="auto-style2">Password</td>
<td class="auto-style2">
<asp:TextBox ID="txtPassword" runat="server"></asp:TextBox>
</td>
</tr>
<tr>
<td> </td>
<td> </td>
</tr>
<tr>
<td> </td>
<td>
<asp:Button ID="Button1" runat="server" OnClick="Button1_Click" Text="Button" />
<asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
</td>
</tr>
</table>
</div>
</form>
</body>
</html>
***********************************************************
Source code of LogIn
using System;
using System.Collections.Generic;
using System.Data.SqlClient;
using System.Drawing;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// The class name must match the Inherits attribute of the .aspx page.
public partial class parameter : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
    }

    protected void Button1_Click(object sender, EventArgs e)
    {
        using (SqlConnection con = new SqlConnection(@"Data Source=LAPTOP-46CG83DS;Initial Catalog=testdb;Integrated Security=True"))
        {
            // In the case below we pass the values through the parameter concept:
            // the user input reaches SQL Server as data, never as part of the SQL text.
            SqlCommand cmd = new SqlCommand("select * from Customer1 where Email_Id=@Email_Id and Password=@Password", con);
            cmd.Parameters.AddWithValue("@Email_Id", txtEmail.Text);
            cmd.Parameters.AddWithValue("@Password", txtPassword.Text);

            // In the case below we didn't pass the values through the parameter concept.
            // This is the vulnerable version: the input is concatenated into the SQL text.
            // It is commented out so that cmd is only declared once; swap the comments
            // to reproduce the behaviour described in the note below.
            // SqlCommand cmd = new SqlCommand("select * from Customer1 where Email_Id='"
            //     + txtEmail.Text.Trim() + "' and Password='" + txtPassword.Text + "'", con);

            con.Open();
            using (SqlDataReader dr = cmd.ExecuteReader())
            {
                if (dr.HasRows)
                {
                    dr.Read();
                    Session["email"] = dr["Email_Id"].ToString();
                    Response.Redirect("welcom.aspx");
                }
                else
                {
                    Label1.ForeColor = Color.Red;
                    Label1.Text = "user id and password not found";
                }
            }
        }
    }
}
Note:
In the above code, when we don't follow the parameter concept (the concatenated query), we can easily reach the welcome page through SQL injection by entering the password as ' or '1'='1.
But when we pass the values as parameters we cannot access the data that easily: we have to fill in the Email_id and the correct Password before we can reach the welcome page.
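To show why the two login queries behave differently, here is an added example (not code from the original post) that rebuilds the Customer table in an in-memory SQLite database and runs both the concatenated query and the parameterized query against the same input, including the ' or '1'='1 password from the note above. SQLite is used in place of SQL Server, so the identity column and the @Email_Id/@Password names are mapped to SQLite equivalents; the sample row is the constructed Deepak record from the post.

```python
import sqlite3

# Constructed schema mirroring the post's Customer table (SQLite syntax).
SCHEMA = """
CREATE TABLE Customer (
    SrNo     INTEGER PRIMARY KEY AUTOINCREMENT,
    Name     TEXT,
    Gender   TEXT,
    Email_Id TEXT UNIQUE,
    Password TEXT,
    salary   INTEGER
)
"""
# Constructed sample row taken from the post's insert statement.
SAMPLE_ROW = ("Deepak", "Male", "deepak@gmail.com", "1234", 456789)


def make_db():
    """Create an in-memory database holding only the sample customer."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.execute(
        "INSERT INTO Customer(Name, Gender, Email_Id, Password, salary) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROW,
    )
    return con


def login_concat(con, email, password):
    """Vulnerable login: same string concatenation as the post's Button1_Click.
    Whatever the user types becomes part of the SQL text, so quotes and
    OR clauses in the input change the query's meaning."""
    sql = ("SELECT * FROM Customer WHERE Email_Id='" + email.strip()
           + "' AND Password='" + password + "'")
    return con.execute(sql).fetchall()


def login_param(con, email, password):
    """Parameterized login: the '?' placeholders play the role of
    @Email_Id/@Password. The driver sends the input as values, so a quote
    in the password is compared literally and never alters the query."""
    sql = "SELECT * FROM Customer WHERE Email_Id=? AND Password=?"
    return con.execute(sql, (email.strip(), password)).fetchall()
```

Running login_concat with an empty email and the password ' or '1'='1 returns the customer row (the query becomes Email_Id='' AND Password='' OR '1'='1'), while login_param with the same input returns nothing and only the correct credentials match. Plaintext password storage is kept from the post purely so the comparison is visible; it is a separate weakness.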