SQL injection is an attack in which malicious SQL is inserted into strings that are later passed to the SQL server for parsing and execution.
EX :
-------
var ShipCity = Request.Form("ShipCity");
var SQL = "select * from Order where ShipCity = '" + ShipCity + "'";
exec(SQL);
If the user is prompted for a city name and enters one (like Delhi), the query will be
[ select * from Order where ShipCity = 'Delhi' ]
Now assume an attacker enters the city name as
(Delhi';drop table Order--)
In this case your query will be:
[ select * from Order where ShipCity = 'Delhi';drop table Order--' ]
Note : -- starts a comment in SQL Server, so the rest of the line (the closing quote from the original query) is ignored, and the ; lets a second statement ride along in the same batch.
When this batch is executed it will first select the rows matching the passed city name and then drop your Order table from the database.
This type of problem is called SQL injection.
Take care of it by :
---------------
1 - Use parameterized queries (SqlCommand with SqlParameter, or @name / ? placeholders) so that user input is always sent as a value and never concatenated into the SQL text. Removing "special" characters from input is not enough: a numeric filter such as OrderId = 1 or 1=1 needs no quotes at all, and a blacklist always misses a case.
2 - Prefer stored procedures over ad hoc queries, but only if the procedure does not itself build and exec() a dynamic SQL string from its arguments; a stored procedure that concatenates is just as injectable as the query above.
3 - Validate filter values on the server against an allow-list (for example the known city names). Using a dropdown instead of a textbox only restricts honest users; an attacker posts the form field directly with any value they like.
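The attack walkthrough and the fixes above, as an added example that is not part of the original post, in Python with the standard-library sqlite3 module so it runs offline. It assumes a constructed table named Orders (Order is a reserved word in both SQL Server and SQLite) with three made-up rows; executescript stands in for SQL Server's exec(SQL) because it runs every statement in the string. The numeric OrderId filter is an assumed extension of the post's example, added to show why stripping quotes is not a fix.

```python
import sqlite3

# Constructed sample data, not from the original post.
SAMPLE_ORDERS = [(1, "Delhi"), (2, "Mumbai"), (3, "Delhi")]

# The attacker input from the post, with the table name adjusted to Orders.
CITY_PAYLOAD = "Delhi';drop table Orders--"
# Quote-free payload for a numeric filter: removing ' and ; would not stop it.
ID_PAYLOAD = "1 or 1=1"


def make_db():
    """Create an in-memory database holding the constructed Orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table Orders (OrderId integer primary key, ShipCity text)")
    conn.executemany("insert into Orders values (?, ?)", SAMPLE_ORDERS)
    conn.commit()
    return conn


def build_vulnerable_sql(ship_city):
    """Same string concatenation as the post's exec(SQL) pattern."""
    return "select OrderId, ShipCity from Orders where ShipCity = '" + ship_city + "'"


def build_vulnerable_numeric_sql(order_id):
    """Numeric filter built the same way; no quotes surround the value."""
    return "select OrderId, ShipCity from Orders where OrderId = " + order_id


def run_vulnerable(conn, ship_city):
    """Run the concatenated string as a batch, like exec() on SQL Server.

    executescript executes every statement in the string, so an injected
    ';drop table ...' runs right after the select.  The SQL text is returned
    so the caller can see exactly what the server parsed.
    """
    sql = build_vulnerable_sql(ship_city)
    conn.executescript(sql)
    return sql


def run_parameterized(conn, ship_city):
    """Hardened version: the value is bound as a parameter, never parsed as SQL."""
    cur = conn.execute(
        "select OrderId, ShipCity from Orders where ShipCity = ?", (ship_city,)
    )
    return cur.fetchall()


def run_parameterized_numeric(conn, order_id):
    """Numeric filter with a bound parameter; a non-numeric string matches nothing."""
    cur = conn.execute(
        "select OrderId, ShipCity from Orders where OrderId = ?", (order_id,)
    )
    return cur.fetchall()


def table_exists(conn, name):
    """True if a table with this name is still present in the schema."""
    row = conn.execute(
        "select count(*) from sqlite_master where type = 'table' and name = ?",
        (name,),
    ).fetchone()
    return row[0] == 1


def demo_vulnerable():
    """Concatenation: the payload drops the table.  Returns (sql, table_survived)."""
    conn = make_db()
    sql = run_vulnerable(conn, CITY_PAYLOAD)
    return sql, table_exists(conn, "Orders")


def demo_parameterized():
    """Parameter binding: the same payload is just a city name that matches no row."""
    conn = make_db()
    rows = run_parameterized(conn, CITY_PAYLOAD)
    return rows, table_exists(conn, "Orders")


def demo_numeric():
    """Quote-free injection: '1 or 1=1' returns every row when concatenated,
    and no rows when bound as a parameter.  Returns (leaked_rows, safe_rows)."""
    conn = make_db()
    leaked = conn.execute(build_vulnerable_numeric_sql(ID_PAYLOAD)).fetchall()
    safe = run_parameterized_numeric(conn, ID_PAYLOAD)
    return len(leaked), len(safe)


if __name__ == "__main__":
    print(demo_vulnerable())     # (sql text ending in ';drop table Orders--', False)
    print(demo_parameterized())  # ([], True)
    print(demo_numeric())        # (3, 0)
```

The parameterized query is the equivalent of SqlCommand.Parameters.AddWithValue in ASP.NET: the driver sends the value separately from the statement text, so the quote and the semicolon in the payload are never seen by the SQL parser as syntax.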