Oct 02

Preventing SQL Injection Attacks

SQL injection is an attack in which an attacker supplies input that ends up inside a predefined SQL query as SQL code, changing what the query does. When a web page uses SQL to display data, it is common to let users type their own search values; if those values are concatenated straight into the query text, the user controls part of the SQL.

SQL Injection Based on 1=1

txtsql = "select * from users where user_id=" + txtuserid;

If a user supplies a user id such as
txtuserid = "100 or 1=1";

the query that runs is
select * from users where user_id=100 or 1=1

This is still valid SQL, but because 1=1 is always true the query returns every row in the users table. The same trick works against a delete statement built the same way: if the application runs delete from users where user_id= followed by the user's input, and the attacker supplies

txtuserid = "100 or 1=1";

then every user in the users table is deleted.

SQL Injection Based on ''=''


Suppose the login query is built like this:
txtsql = "select * from users where user_id='" + txtuserid + "' and pass='" + txtpass + "'";

An attacker enters the following as both user id and password:

txtuserid = "' or ''='";

txtpass = "' or ''='";

The query then becomes

select * from users where user_id='' or ''='' and pass='' or ''=''

Because ''='' is always true (and "and" binds tighter than "or"), the condition is true for every row: the query returns the whole users table and the login check passes without a valid password.

SQL Injection Based on Batched SQL Statements

Most database engines accept several SQL statements separated by semicolons in one request (whether the application's database driver passes them through varies), for example:
select * from users; drop table users;

Consider again the query from above:
txtsql = "select * from users where user_id=" + txtuserid;

A malicious user enters "100; drop table users;" as the user id, so the text sent to the database is

select * from users where user_id=100; drop table users;

The first statement returns one user; the second deletes the users table.

Preventing SQL Injection

  1. Validate input against a defined set of rules for type, length and syntax (for example, a user id must be an integer). Use an allow-list of what is acceptable rather than trying to strip "bad" characters.
  2. Apply least privilege to the database account. The web application should connect as an account created for it with only the permissions it needs; never use an administrative account such as "sa". An injected "drop table" fails if the account has no permission to drop tables.
  3. Use parameterized queries (prepared statements) everywhere, including when calling stored procedures. Parameters are sent to the database as data, so they cannot change the structure of the query.
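
To make the three attacks above and items 1 and 3 of this list concrete, here is an added Python example using the standard-library sqlite3 module. It is not code from the original post: the users table, its sample rows and the function names are constructed for the illustration. Each of the post's payloads is run against the concatenation pattern and against a validated, parameterized version of the same query. Item 2 (least privilege) is database-account configuration and is not shown.

```python
import sqlite3

# Constructed sample rows for the post's users(user_id, pass) table.
ROWS = [(100, "s3cret"), (101, "hunter2"), (102, "pa55")]


def make_db():
    """Fresh in-memory database holding the users table."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (user_id integer primary key, pass text)")
    con.executemany("insert into users values (?, ?)", ROWS)
    con.commit()
    return con


def table_exists(con):
    row = con.execute(
        "select count(*) from sqlite_master where type='table' and name='users'"
    ).fetchone()
    return row[0] == 1


# --- the post's vulnerable pattern: user input pasted into the SQL text --------

def lookup_vulnerable(con, txtuserid):
    txtsql = "select * from users where user_id=" + txtuserid
    return con.execute(txtsql).fetchall()


def login_vulnerable(con, txtuserid, txtpass):
    txtsql = ("select * from users where user_id='" + txtuserid
              + "' and pass='" + txtpass + "'")
    return con.execute(txtsql).fetchall()


def lookup_vulnerable_batched(con, txtuserid):
    """Same concatenation, sent through an API that runs several
    semicolon-separated statements, as many database drivers do."""
    txtsql = "select * from users where user_id=" + txtuserid
    con.executescript(txtsql)


# --- hardened versions: items 1 and 3 of the prevention list -------------------

def lookup_safe(con, txtuserid):
    """Item 1: accept only a plain integer id.  Item 3: bind it as a parameter."""
    if not txtuserid.isdigit():
        raise ValueError("user_id must be a non-negative integer")
    return con.execute(
        "select * from users where user_id=?", (int(txtuserid),)
    ).fetchall()


def login_safe(con, txtuserid, txtpass):
    """Placeholders send the inputs as data; quotes inside them are just characters."""
    return con.execute(
        "select * from users where user_id=? and pass=?", (txtuserid, txtpass)
    ).fetchall()


# --- run the post's three payloads against both versions -----------------------

def run_1_eq_1():
    con = make_db()
    leaked = len(lookup_vulnerable(con, "100 or 1=1"))  # every row comes back
    try:
        lookup_safe(con, "100 or 1=1")
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


def run_quote_bypass():
    con = make_db()
    payload = "' or ''='"
    leaked = len(login_vulnerable(con, payload, payload))  # matches all rows
    matched = len(login_safe(con, payload, payload))       # no row has that literal id
    return leaked, matched


def run_batched():
    con = make_db()
    lookup_vulnerable_batched(con, "100; drop table users;")
    dropped = not table_exists(con)
    con = make_db()
    try:
        lookup_safe(con, "100; drop table users;")
        rejected = False
    except ValueError:
        rejected = True
    # Even without the digit check, a bound parameter is one value, never a second statement.
    rows = con.execute(
        "select * from users where user_id=?", ("100; drop table users;",)
    ).fetchall()
    return dropped, rejected, len(rows), table_exists(con)


if __name__ == "__main__":
    print("1=1 payload (leaked rows, rejected by safe lookup):", run_1_eq_1())
    print("''='' payload (leaked rows, rows matched by safe login):", run_quote_bypass())
    print("batched payload (dropped, rejected, rows via placeholder, table intact):",
          run_batched())
```

Python's sqlite3 execute() happens to refuse more than one statement per call, which is why the batched case is sent through executescript() to mimic a driver that passes stacked statements through. A driver quirk like that is not a defence to rely on; the placeholder version is what actually keeps "100; drop table users;" from becoming a second statement.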
