0

i want to search name form table but problem is tha when some one write query it also give value by this any one can delete my data to pls tell me a way to remove sql injetcion

protected void Button2_Click1(object sender, EventArgs e)
        {



            //SqlCommand cmd = new SqlCommand("DELETE FROM student WHERE ID=id", con);
            //cmd.ExecuteNonQuery();
            SqlDataAdapter adap = new SqlDataAdapter("SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname='" + TextBox2.Text + "'", con);
            adap.Fill(ds);
            grd_view.DataSource = ds;
            grd_view.DataBind();
            
            
            if (TextBox2.Text == "Firstname")
            {
                Response.Redirect("Default.aspx");
            }
        }

Edited by __avd: added [code] tags.

3
Contributors
2
Replies
3
Views
5 Years
Discussion Span
Last Post by G_Waddell
0

The problem lies in incorporating TextBox2.Text directly into your SQL statement. Use parametised queries to avoid the issue.

string sql = "SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname= ?name;";
cmd.Parameters.Add("?name", MySQLDbType.Varchar);
cmd.Parameters["?name"].Value = textBox2.Text
SqlDataAdapter adap = new SqlDataAdapter(cmd);
0

Hi
As well as using parameters, I'd limit the size of text that can be put in to the textbox. I'd also either parse the text for and characters you'd expect to see in a SQL injection attack such as the sql delimiter ";" and reject or replace them with empty characters.

Finally on the database (if you are using MS SQL server,) I would give the user you are using to connect to the database from the website no permissions on any tables at all and run all queries through stored procedures with permission to access them only. This means that even if the injection attack were to get to your database the statement would and could not be executed.

Edited by G_Waddell: typo

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.