
Does SQL injection work in WinForms?

I am making Windows software in C#. I have read about SQL injection, but I did not find that it works on my application.

Does SQL injection work in WinForms?

If yes, how do I prevent it?

EDIT: I am using textboxes for reading the user name and password, and by using textboxes I found that the text from the textbox is between double quotes (""). So I did not find it to work.

And when I use the quotes " or ' in the textbox, the text is read as \" or \'

Example:

            ...................
USER NAME:  | a" OR "1"=="1   |
            ```````````````````
// it is read as textBox1.Text = "a\" OR \"1\"==\"1";


SQL injection is a general issue, not depending on any technology. If you are using .NET and want to prevent SQL injection, always use SqlParameter instead of string concatenation.


Yes. The simplest way to prevent it is to use SqlParameters for any user input sent to the database. Or don't use the SqlDataAdapter and use the Entity Framework instead.


SQL injection is caused by using user input directly within SQL statements constructed on the fly (called dynamic SQL); this enables users to break the SQL or "inject" their own SQL code.

Using Stored Procedures or SQL with parameters gets around this.

So yes, this can occur within WinForms if the SQL is coded that way.
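An added example (not from the question or any of the answers) showing the two ways of building the login query from the question's two textboxes: dynamic SQL by string concatenation beside the parameterized form. The table and column names and the connection string are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // Dynamic SQL: the textbox text is spliced into the statement text, so any
    // quote or keyword the user types is parsed by the server as SQL syntax.
    public static string BuildConcatenatedSql(string userName, string passwordHash)
    {
        return "SELECT COUNT(*) FROM Users WHERE UserName = '" + userName +
               "' AND PasswordHash = '" + passwordHash + "'";
    }

    // Parameterized: the statement text is fixed and the values travel as typed
    // parameters, so quotes in the input are data, never syntax.
    // (Users/UserName/PasswordHash are assumed names; the caller supplies the hash.)
    public static SqlCommand BuildParameterizedCommand(SqlConnection con, string userName, string passwordHash)
    {
        var cmd = new SqlCommand(
            "SELECT COUNT(*) FROM Users WHERE UserName = @user AND PasswordHash = @hash", con);
        cmd.CommandType = CommandType.Text;
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 50).Value = userName;
        cmd.Parameters.Add("@hash", SqlDbType.NVarChar, 100).Value = passwordHash;
        return cmd;
    }

    public static bool UserExists(string connectionString, string userName, string passwordHash)
    {
        using (var con = new SqlConnection(connectionString))
        using (var cmd = BuildParameterizedCommand(con, userName, passwordHash))
        {
            con.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    public static void Main()
    {
        // Constructed input taken from the question. The debugger displays it as
        // "a\" OR \"1\"==\"1", but that is only escape notation: the string holds
        // plain double-quote characters and no backslashes.
        string typed = "a\" OR \"1\"==\"1";
        Console.WriteLine("contains backslash: " + typed.Contains("\\"));
        Console.WriteLine("statement the server would parse with concatenation:");
        Console.WriteLine(BuildConcatenatedSql(typed, "x"));
        Console.WriteLine("statement text with parameters stays fixed:");
        Console.WriteLine(BuildParameterizedCommand(new SqlConnection(), typed, "x").CommandText);
    }
}
```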


It is possible to do SQL injection in WinForms. You may follow the strategy below:

  1. Give the user the least possible privilege

  2. Use the dbStoredProcedureOnlyAccessAmar database role as shown below

     USE [YOURDb]
     GO
    
     CREATE ROLE [dbStoredProcedureOnlyAccessAmar]
     GO
    
  3. After creation, grant the role execute permission (the original read GRANT EXECUTE ROLE, which is not valid T-SQL; the grant takes TO):

     GRANT EXECUTE TO [dbStoredProcedureOnlyAccessAmar]
    
  4. Error-based SQL injection prevention: to be done in a stored procedure (LOGIN, SEARCH, etc.; Europe & Asia: SQL Server 2014)

     IF NOT EXISTS (SELECT 1 FROM dbo.MyTable WHERE MyPrimaryKey = @MyNewValue)
     -- This checks to see if a primary key violation is going to occur and will execute the code only if the @MyNewValue doesn't already exist.
     BEGIN
         -- Your code here that would normally error w/out any error checks
     END
     ELSE
     BEGIN
          -- Your code here for what to do if the error condition is found
     END
    
     -- The end result is that since you checked beforehand, an error isn't encountered and therefore not displayed to the end user.
     -- This becomes tricky because you have to predict your error conditions. Any error condition not checked for results in an
     -- error message to the client.
    
  5. After that, add the checkForSQLInjection method in the code-behind. This method checks the input string against SQL injection. Here I have to list all SQL injection inputs in an array of strings. This method returns true or false.

     public static Boolean checkForSQLInjection(string userInput)
     {
         // Blacklist of tokens and keywords treated as suspicious
         string[] sqlCheckList =
                  { "--", ";--", ";", "/*", "*/",
                    "@@", "@", "char", "nchar", "varchar",
                    "nvarchar", "alter", "begin", "cast",
                    "create", "cursor", "declare", "delete",
                    "drop", "end", "exec", "execute", "fetch",
                    "insert", "kill", "select", "sys", "sysobjects",
                    "syscolumns", "table", "update"
                  };

         string CheckString = userInput.Replace("'", "''");

         // Case-insensitive substring search; any hit flags the input
         foreach (string token in sqlCheckList)
         {
             if (CheckString.IndexOf(token, StringComparison.OrdinalIgnoreCase) >= 0)
             {
                 return true;
             }
         }

         return false;
     }
    

Then double-click on the button and write this code. Here I have to write the code for inserting the data into the database and also check the input data against SQL injection.

// at the top of the form's code-behind file:
using System;
using System.Data;
using System.Data.SqlClient;

protected void btnSave_Click(object sender, EventArgs e)
{
    try
    {
        // Fixed SQL text; the value is supplied as a parameter, never concatenated
        using (SqlCommand cmd = new SqlCommand("insert into testSqlinjection(Name) values(@name)", con))
        {
            cmd.CommandType = CommandType.Text;

            string name = txtName.Text.Trim();

            if (checkForSQLInjection(name))
            {
                lblMesg.Text = "Sql Injection Attack";
                return;
            }

            cmd.Parameters.AddWithValue("@name", name);

            con.Close();   // make sure the shared connection is not left open from an earlier call
            con.Open();
            cmd.ExecuteNonQuery();
            con.Close();

            lblMesg.Text = "Data saved successfully";
        }
    }
    catch (Exception ex)
    {
        lblMesg.Text = ex.Message;
    }
}
