SQL injection on INSERT

by

Injection can happen on any SQL statement not run properly.

For example, let’s pretend your comment table has two fields, an integer ID and the comment string. So you’d INSERT as follows:

 INSERT INTO COMMENTS VALUES(122,'I like this website');

Consider someone entering the following comment:

'); DELETE FROM users; --

If you just put the comment string into the SQL without any processesing this could turn your single INSERT in to the following two statements followed by a comment:

INSERT INTO COMMENTS VALUES(123,''); DELETE FROM users; -- ');

This would delete everything from your users table. And there are people willing to spend all day finding the right tablename to empty using trial and error and various tricks. Here’s a description of how you could perform an SQL Injection attack.

You need to use parameterized SQL statements to prevent this.

And this isn’t just for security reasons. For example, if you’re creating your SQL statements naively the following comment:

I'm just loving this website

would cause an SQL syntax error because of the apostrophe being interpreted by SQL as a closing quote.

More Related Contents:

  1. What are good ways to prevent SQL injection? [duplicate]
  2. How can I add user-supplied input to an SQL statement?
  3. Does using parameterized SqlCommand make my program immune to SQL injection?
  4. How do parameterized queries help against SQL injection?
  5. How to execute an .SQL script file using c#
  6. Entering keys manually with Entity Framework
  7. SQL Express connection string: mdf file location relative to application location
  8. Pass table valued parameter using ADO.NET
  9. Getting return value from stored procedure in C#
  10. SQL error: Incorrect syntax near the keyword ‘User’
  11. Why does the Contains() operator degrade Entity Framework’s performance so dramatically?
  12. How to prevent a SQL Injection escaping strings
  13. Query extremely slow in code but fast in SSMS
  14. DateTime format to SQL format using C#
  15. Filter sql based on C# List instead of a filter table
  16. How to access ssis package variables inside script component
  17. SQLException : String or binary data would be truncated
  18. C# Version Of SQL LIKE
  19. C# SqlCommand – cannot use parameters for column names, how to resolve?
  20. Retrieve an object from entityframework without ONE field
  21. Why is a SQL float different from a C# float
  22. When executing a stored procedure, what is the benefit of using CommandType.StoredProcedure versus using CommandType.Text?
  23. Oracle Parameters with IN statement?
  24. problem using Oracle parameters in SELECT IN
  25. How to insert data into SQL Server
  26. how to recognize similar words with difference in spelling
  27. Mapping columns in a DataTable to a SQL table with SqlBulkCopy
  28. Querying data using Entity Framework from dynamically created table
  29. Microsoft.Jet.OLEDB.4.0 Converting Characters
  30. SQL connection string for microsoft access 2010 .accdb

Leave a Comment