SQL Injection ကာကြယ္ရန္နည္းလမ္းမ်ား


SQL Injection Attack

 SQL injection attacks


 SQL injection user input
 SQL injection SQL Command parameters
 Database account

database commands
Login page SQL injection
application database over-privileged account
’ database
Attacker

SQL injection attacks Data Code

- User
- parameters SQL statements
- Over-privileged database login

SQL Injection

User SSN text box String

' ; DROP DATABASE pubs --

Dynamic
// Use dynamic SQL -- VULNERABLE, shown only to illustrate the attack; do not copy.
// The SSN text box value is concatenated straight into the command text, so the
// quote and semicolon in the payload  ' ; DROP DATABASE pubs --  close the string
// literal and start a second statement (the resulting command text is traced
// below). The parameterized form of this same query appears further down.
SqlDataAdapter myCommand = new SqlDataAdapter(
"SELECT au_lname, au_fname FROM authors WHERE au_id = '" +
SSN.Text + "'", myConnection);

// Use stored procedures -- still VULNERABLE when invoked like this: the procedure
// name and its argument are concatenated into one command string, so the same
// payload appends a second statement exactly as with the SELECT above. Using a
// stored procedure is only a defence when it is called with
// CommandType.StoredProcedure and a typed parameter (see the LoginStoredProcedure
// sample further down).
SqlDataAdapter myCommand = new SqlDataAdapter(
"LoginStoredProcedure '" +
SSN.Text + "'", myConnection);

Code user
D

SELECT au_lname, au_fname FROM authors WHERE au_id = '172-32-9999'

user

SELECT au_lname, au_fname FROM authors WHERE au_id = ''; DROP DATABASE pubs --'

current

SELECT au_lname, au_fname FROM authors WHERE au_id = ' '

; (semicolon)

; DROP DATABASE pubs

SQL statements

SELECT * FROM MyTable; DELETE FROM MyTable


-- (double dash) SQL comment

The -- comments out everything after it on that line, including the closing single quotation mark the application appends, so the SQL parser does not report an error and the injected statement runs.

--'

SQL injection attacks -

- Input data type , length, format range

- Data access SQL parameters SQL parameters stored


procedures ( ) SQL command strings d

o SqlParameterCollection Parameter collections type Length


validation parameters collection input
SQL Server executable code
parameter collection type length
Values outside of the range trigger an exception.

- Database permissions account database


stored procedures permissions table

- Database Error Information database error


error user

SSL (Secure Sockets Layer) IP Security (IPSec)

SQL injection

- ၁ input
- ၂ stored procedures parameters
- ၃ dynamic SQL parameters
၁ input

ASP.NET application type length format range input data access


queries input SQL injection

input characters
characters characters
regular expressions validation character

ASP.NET web page input

ASP.NET web page server side code client-side validation


server to client client to server
round trip user experience client-side validation

Server controls input RegularExpressionValidator RangeValidator ASP.NET


validator controls HTML input controls input server-side code
Regex class

code ASP.NET TextBox control SSN Textbox Value


Value RegularExpressionValidator Value

<%@ language="C#" %>

<%-- Declarative validation of the SSN text box. A RegularExpressionValidator
     evaluates the same expression in the browser and again on the server when
     the page posts back; the browser pass is only a convenience and is easily
     bypassed, so server code must still test Page.IsValid before any data
     access. NOTE(review): this validator treats an empty box as valid -- add a
     RequiredFieldValidator if the SSN is mandatory. The expression limits the
     value to the 11-character NNN-NN-NNNN form, which is why the SQL parameter
     bound to it further down is declared VarChar(11). --%>
<form id="form1" runat="server">
<asp:TextBox ID="SSN" runat="server"/>
<asp:RegularExpressionValidator ID="regexpSSN" runat="server"
ErrorMessage="Incorrect SSN Number"
ControlToValidate="SSN"
ValidationExpression="^\d{3}-\d{2}-\d{4}$" />
</form>

HTML control

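using System.Text.RegularExpressions;

// Server-side format check of an SSN that arrived in a cookie. Cookies are
// attacker-controlled, so this check cannot be delegated to client-side
// validators; it is the gate in front of the data access.
// In System.Web, Request.Cookies["SSN"] yields an HttpCookie (null when the
// cookie is absent), not a string: read its Value, and treat a missing cookie
// as bad input instead of letting Regex.IsMatch throw on a null argument.
var ssnCookie = Request.Cookies["SSN"];
string ssn = ssnCookie == null ? null : ssnCookie.Value;

// Verbatim (@) literal: in an ordinary "..." string "\d" is an unrecognized
// escape sequence and does not compile.
// NOTE(review): in .NET, $ also matches before a trailing newline; use \z if a
// trailing "\n" must be rejected as well.
if (ssn != null && Regex.IsMatch(ssn, @"^\d{3}-\d{2}-\d{4}$"))
{
    // access the database
}
else
{
    // handle the bad input
}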

-

Untrusted Clients

Library code
data

Regular

using System;
using System.Text.RegularExpressions;

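// Validates a new account's name and password before any data access happens.
//
// name:     letters, apostrophe, dot or whitespace, 1-40 characters.
// password: 8-10 characters containing at least one digit, one lower-case and
//           one upper-case letter.
// Throws FormatException when either value fails its check (a null value is
// treated as a format failure). The data-access step is only reached with
// validated input and must still use typed SQL parameters: the apostrophe
// allowed in names is exactly the character that breaks string-built SQL.
public void CreateNewUserAccount(string name, string password)
{
    // Validate the values the caller passed in, not page controls: the
    // original read userIDTxt/passwordTxt and ignored both parameters, so
    // library callers were never validated at all.
    // \s (not /s) is the whitespace class the contract promises; the typo
    // admitted '/' and rejected spaces.
    if (name == null || !Regex.IsMatch(name, @"^[a-zA-Z'.\s]{1,40}$"))
        throw new FormatException("Invalid name format");

    // Lookaheads require one digit, one lower-case and one upper-case letter.
    // NOTE(review): the 10-character cap is carried over from the original;
    // a maximum this low weakens passwords and should be raised unless a
    // downstream store genuinely requires it.
    if (password == null ||
        !Regex.IsMatch(password, @"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z]).{8,10}$"))
        throw new FormatException("Invalid password format");

    // Perform data access logic (using type safe parameters)
    // ...
}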

Stored procedures
using System.Data;
using System.Data.SqlClient;

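// Call LoginStoredProcedure with the SSN bound as a typed parameter. The value
// never becomes part of the command text, so a payload such as
// '; DROP DATABASE pubs -- is just a string the procedure compares against
// au_id; it is not parsed as SQL. The adapter is disposable and is released
// together with the connection.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlDataAdapter myCommand = new SqlDataAdapter(
    "LoginStoredProcedure", connection))
{
    DataSet userDataset = new DataSet();
    // StoredProcedure: the command text is a procedure name, not a batch to parse.
    myCommand.SelectCommand.CommandType = CommandType.StoredProcedure;
    // VarChar(11) matches the NNN-NN-NNNN format the validators enforce; the
    // size bound limits what can reach the server through this parameter.
    myCommand.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myCommand.SelectCommand.Parameters["@au_id"].Value = SSN.Text;

    // Fill opens the connection itself when it is closed on entry and closes
    // it again afterwards.
    myCommand.Fill(userDataset);
}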

၁၁ )

Parameter

-- NEGATIVE EXAMPLE -- do not deploy. A procedure that hands its argument to
-- sp_executesql runs that argument as T-SQL, so calling it through a
-- parameterized command gives no protection: the parameter itself is bound
-- safely, but its content is then executed as code. Passing
-- 'DROP TABLE ORDERS;' as @var drops the table.
-- NOTE(review): ntext is deprecated; nvarchar(max) is the current type.
CREATE PROCEDURE dbo.RunQuery


@var ntext
AS
-- Executes the caller-supplied text as a batch; every injection defence in the
-- calling application is bypassed at this point.
exec sp_executesql @var
GO

 stored
DROP TABLE ORDERS; code

a stored pr

code dynamic SQL

using System.Data;
using System.Data.SqlClient;

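// Parameterized dynamic SQL: @au_id is a placeholder in the command text and
// SSN.Text is bound to it as a typed value, so the query text is fixed at
// compile time and user input can never alter its structure.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlDataAdapter myDataAdapter = new SqlDataAdapter(
    "SELECT au_lname, au_fname FROM Authors WHERE au_id = @au_id",
    connection))
{
    DataSet userDataset = new DataSet();
    // The parameter belongs to this adapter's SelectCommand; the original
    // referenced an undeclared 'myCommand' here and did not compile.
    // VarChar(11) matches the NNN-NN-NNNN format the validators enforce.
    myDataAdapter.SelectCommand.Parameters.Add("@au_id", SqlDbType.VarChar, 11);
    myDataAdapter.SelectCommand.Parameters["@au_id"].Value = SSN.Text;
    myDataAdapter.Fill(userDataset);
}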

SQL statement parameter

using System.Data;
using System.Data.SqlClient;
. . .
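// Two statements in one batch, both parameterized. A multi-statement batch is
// only dangerous when user input is concatenated into it; here the '+' joins
// string literals only, the text is constant, and both user values travel as
// typed, length-bounded parameters. The adapter is disposable and is released
// together with the connection.
using (SqlConnection connection = new SqlConnection(connectionString))
using (SqlDataAdapter dataAdapter = new SqlDataAdapter(
    "SELECT CustomerID INTO #Temp1 FROM Customers " +
    "WHERE CustomerID > @custIDParm; SELECT CompanyName FROM Customers " +
    "WHERE Country = @countryParm and CustomerID IN " +
    "(SELECT CustomerID FROM #Temp1);",
    connection))
{
    // NChar(5) / NVarChar(15): presumably sized to the Customers columns they
    // are compared against -- verify against the schema.
    SqlParameter custIDParm = dataAdapter.SelectCommand.Parameters.Add(
        "@custIDParm", SqlDbType.NChar, 5);
    custIDParm.Value = customerID.Text;

    SqlParameter countryParm = dataAdapter.SelectCommand.Parameters.Add(
        "@countryParm", SqlDbType.NVarChar, 15);
    countryParm.Value = country.Text;

    connection.Open();
    DataSet dataSet = new DataSet();
    dataAdapter.Fill(dataSet);
}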
. . .

SQL injection
-
-
-

threat

// Doubles every single quote so the value can be embedded inside a T-SQL
// string literal ('...'). Defence in depth only: it covers the quoted-string
// context and nothing else -- numeric contexts, identifiers, LIKE wildcards
// and later truncation are untouched -- so parameterized commands remain the
// primary control. A null input throws NullReferenceException, as before.
private string SafeSqlLiteral(string inputSQL)
{
    // Split at each quote and rejoin with a doubled quote.
    string[] pieces = inputSQL.Split('\'');
    return string.Join("''", pieces);
}

A Least-

ASP.


tab

comprom

malici

Reference : http://msdn.microsoft.com/
