Member Avatar for naraza

i want to search name form table but problem is tha when some one write query it also give value by this any one can delete my data to pls tell me a way to remove sql injetcion

protected void Button2_Click1(object sender, EventArgs e)
        {



            //SqlCommand cmd = new SqlCommand("DELETE FROM student WHERE ID=id", con);
            //cmd.ExecuteNonQuery();
            SqlDataAdapter adap = new SqlDataAdapter("SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname='" + TextBox2.Text + "'", con);
            adap.Fill(ds);
            grd_view.DataSource = ds;
            grd_view.DataBind();
            
            
            if (TextBox2.Text == "Firstname")
            {
                Response.Redirect("Default.aspx");
            }
        }
Edited by kvprajapati because: added [code] tags.
  • 3 Contributors
  • 2 Replies
  • 86 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by G_Waddell

Recommended Answers

All 2 Replies

Member Avatar for hericles

The problem lies in incorporating TextBox2.Text directly into your SQL statement. Use parametised queries to avoid the issue.

string sql = "SELECT ID,Firstname,Lastname,Email,Username,Password from student where Firstname= ?name;";
cmd.Parameters.Add("?name", MySQLDbType.Varchar);
cmd.Parameters["?name"].Value = textBox2.Text
SqlDataAdapter adap = new SqlDataAdapter(cmd);
Member Avatar for G_Waddell

Hi
As well as using parameters, I'd limit the size of text that can be put in to the textbox. I'd also either parse the text for and characters you'd expect to see in a SQL injection attack such as the sql delimiter ";" and reject or replace them with empty characters.

Finally on the database (if you are using MS SQL server,) I would give the user you are using to connect to the database from the website no permissions on any tables at all and run all queries through stored procedures with permission to access them only. This means that even if the injection attack were to get to your database the statement would and could not be executed.

Edited by G_Waddell because: typo
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.