SQL Injection attacks
What is?
An SQL injection attack is the insertion, or "injection", of attacker-controlled SQL into a query that the application sends to its database, so that the attacker can read or modify data the application never intended to expose.
How?
How can malicious software or an unauthorized person reach the database? Simply by typing a query fragment into an ordinary textbox. For example, suppose the query in the code-behind is built like this:
string query = "SELECT * FROM Customers WHERE Name = '" + txtUserName.Text + "' ORDER BY UID"; // vulnerable: the textbox value is concatenated straight into the SQL text
Here whatever is typed into the txtUserName textbox becomes part of the statement itself, so a whole additional query can be appended to the input and it will be executed by the database.
Solution
To prevent such attacks in our application we should always use one of the following:
1) Stored Procedures
2) Parameterized Queries
In both cases the database treats the user's input purely as a parameter value, never as part of the SQL statement text, and raises an error if the value is not valid for that parameter. This one simple precaution already adds a useful measure of security to our application.
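To make the difference concrete, here is an added example (not code from the original post) that runs the post's string-concatenation pattern and its parameterized replacement against a constructed in-memory SQLite table; the table contents and the column names Customers, Name and UID are assumptions for the demo.

```python
import sqlite3

# Constructed sample data standing in for the post's Customers table (not from the post).
CUSTOMERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Build an in-memory SQLite database with a Customers(UID, Name) table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Customers (UID INTEGER PRIMARY KEY, Name TEXT)")
    conn.executemany("INSERT INTO Customers VALUES (?, ?)", CUSTOMERS)
    return conn


def lookup_concatenated(conn, user_input):
    """Vulnerable form from the post: the textbox value is pasted into the SQL text."""
    query = ("SELECT * FROM Customers WHERE Name = '" + user_input
             + "' ORDER BY UID")
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, user_input):
    """Fixed form: the value is bound as a parameter; the statement text never changes."""
    query = "SELECT * FROM Customers WHERE Name = ? ORDER BY UID"
    return conn.execute(query, (user_input,)).fetchall()


def demo():
    """Run both lookups with an ordinary name and with a textbook tautology input."""
    conn = make_db()
    honest = "bob"
    # The classic illustration: closes the string literal and adds an always-true clause.
    hostile = "' OR '1'='1"
    return {
        "honest_concat": lookup_concatenated(conn, honest),
        "honest_param": lookup_parameterized(conn, honest),
        "hostile_concat": lookup_concatenated(conn, hostile),   # every row leaks
        "hostile_param": lookup_parameterized(conn, hostile),   # no customer has that name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the parameterized query the hostile input is just a (non-existent) customer name, so the result set is empty and the WHERE clause is never rewritten.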
For details, please refer