
SQL Injections: What is SQL Injection and How to Prevent it?

By: Mayank Modi | Falls In: Asp.net, Interview Questions, SQL Server | Last Updated: Jun 01, 2020

In this tutorial I explain what SQL injection is and how to prevent it, using a simple login example in ASP.NET with C# and VB.NET.

You can also check out my other tutorials on what SQL is, how to get a connection string in ASP.NET, and insert, update and delete on an ASP.NET GridView, plus more tutorials on GridView, ASP.NET and SQL Server.

What is SQL Injection Attack?

SQL injection is the insertion (or "injection") of SQL code through web page or web form input controls. It is a type of injection attack in which attacker-supplied text that should have been handled as data becomes part of an SQL statement and changes what the predefined query does. Because the injected text is executed as SQL, the attacker can read data the query was not meant to return, or modify tables and data with statements such as INSERT, UPDATE, DELETE or DROP.

How SQL Injection Attack Works?

Suppose you have a login form with a UserName input. Normally a user enters a name such as John or Mack, and the application builds a statement like this:

-- Sample SELECT query with a normal UserName value (no injection)
SELECT * FROM UserDetails WHERE UserName='Mack';

But a malicious user can inject SQL into the statement through that same input. If the value typed into the UserName box is Mack' or '1'='1, the application builds this statement instead:

-- Sample SELECT query with injected SQL (the WHERE clause is now always true)
SELECT * FROM UserDetails WHERE UserName='Mack' or '1'='1';

(Figure: the normal SELECT statement beside the injected one.)

Look at the WHERE clause: the input Mack' or '1'='1 closed the quoted string early and appended or '1'='1', so the attacker's text became part of the SQL command instead of being treated as a plain value. That is what injecting an SQL command into an SQL statement means.

Now the question is, what is '1'='1' in that statement?

'1'='1' is a Boolean condition that is always true. Because it is joined to the rest of the WHERE clause with or, the whole condition is always true, and the query returns every row of UserDetails whether or not the user name matched. Compare the two statements and you'll see what it does. 😉

How to Prevent SQL Injection Attack?

For security reasons we need to protect the website against SQL injection.

But the question is how?

By using parameterized SQL statements.

Yes, we can use parameters in the SQL query, such as SELECT * FROM UserDetails WHERE UserName=@UserName, and supply the @UserName value separately with cmd.Parameters.AddWithValue("@UserName", "aspneto"). The SQL text and the value travel to the database separately, so whatever the user types is compared as a value and is never parsed as SQL. I'll show an example of the same below.

Here is how the simple (vulnerable) concatenated statement looks:

cmd.CommandText = "SELECT * FROM UserDetails WHERE UserName='" + txtUserName.Text + "'";

And the following is the parameterized SQL query:

cmd.CommandText = "SELECT * FROM UserDetails WHERE UserName=@UserName";
cmd.Parameters.AddWithValue("@UserName", txtUserName.Text);

Note: There are many other ways to perform SQL injection; I have covered a simple one so the concept is easy to understand. I have only shown how the login check is bypassed, but attackers can also damage your database, for example by appending further statements such as DROP TABLE through the same input, because SQL Server executes all statements sent in one command batch.
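To see the attack from the "How SQL Injection Attack Works?" section and the parameterized fix from this section side by side, here is a runnable, added example (not code from the original page or its download). The page's code is C# with ADO.NET; this example uses Python's built-in sqlite3 module so it runs stand-alone against a constructed UserDetails table, and the "?" placeholders play the role of @UserName. The table contents, the password column and the function names login_vulnerable and login_parameterized are assumptions made for the demo.

```python
import sqlite3

# Constructed sample rows for the demo (not data from the original page).
SAMPLE_USERS = [
    ("Mack", "s3cret"),
    ("John", "hunter2"),
    ("aspneto", "letmein"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory UserDetails table like the one the page queries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE UserDetails (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO UserDetails VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The page's concatenated style: user input is pasted into the SQL text,
    so a quote in the input changes the structure of the statement."""
    sql = (
        "SELECT UserName FROM UserDetails WHERE UserName='" + username
        + "' AND Password='" + password + "'"
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterized form: the SQL text is fixed and the input is bound as a
    value, so it is compared as a literal string and never parsed as SQL."""
    sql = "SELECT UserName FROM UserDetails WHERE UserName=? AND Password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo() -> dict:
    """Run a normal login and two injection payloads through both versions."""
    conn = make_db()
    # Same idea as the page's Mack' or '1'='1 payload. AND binds tighter than
    # OR, so the clause becomes UserName='Mack' OR ('1'='1' AND Password=...)
    # and the attacker logs in as Mack with any password.
    payload_mack = "Mack' or '1'='1"
    # Comment out the password check entirely: everything after -- is ignored,
    # so the WHERE clause is UserName='' OR '1'='1' and every row comes back.
    payload_all = "' or '1'='1' --"
    return {
        "normal_vulnerable": login_vulnerable(conn, "Mack", "s3cret"),
        "mack_bypass_vulnerable": login_vulnerable(conn, payload_mack, "wrong"),
        "all_users_vulnerable": login_vulnerable(conn, payload_all, "wrong"),
        "mack_bypass_parameterized": login_parameterized(conn, payload_mack, "wrong"),
        "all_users_parameterized": login_parameterized(conn, payload_all, "wrong"),
        "normal_parameterized": login_parameterized(conn, "Mack", "s3cret"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:28s} -> {rows}")
```

Running it shows the concatenated query returning Mack, or all three users, without a valid password, while the parameterized query returns nothing for either payload because the bound value is compared as the literal string it is. One difference from SQL Server worth knowing: sqlite3's execute() refuses to run more than one statement, whereas SqlCommand sends the whole batch, so a payload such as '; DROP TABLE UserDetails;-- is the "drop tables" case the note above warns about. Parameters close that door in exactly the same way, since the payload is then just a value.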

Don't underestimate attackers. They can guess your user names, passwords and even your table names and inject accordingly. A table-name prefix such as "xyz_UserDetails" only makes guessing slightly harder and is not a defense on its own; what actually stops injection is using parameterized queries instead of concatenated statements, every time, and running the application with a database login that has only the permissions it needs, so that even a successful injection cannot drop your tables.

Now it's up to you which you prefer: your website's security, or SQL injection? 😉

Download Example

What is SQL Injection and How to Prevent it with example? (1 file, 12.45 KB)

Git Repo

git clone https://github.com/immayankmodi/sql-injection-example.git


About Mayank Modi

Mayank is a web developer and designer who specializes in back-end as well as front-end development. He's a Founder & Chief Editor of AspnetO. If you'd like to connect with him, follow him on Twitter as @immayankmodi.

Copyright © 2014 - 2021 · All Rights Reserved.