This is an example of a classic
SQL injection issue manifesting itself in a .Net application. If an attacker supplied a string
containing a single quote plus some additional query text, the database would not be
able to distinguish the query the developer intended from the modified query text that
the attacker has supplied.
Chapter 5: .Net Security 121
SQL Injection by Directly Including User Data when Building an SqlCommand
Popularity: 8
Simplicity: 6
Impact: 9
Risk Rating: 9
The following code example queries the database for a particular user record:
using System.Data.SqlClient;

// Vulnerable by design: userName is concatenated straight into the SQL text,
// so a quote in the input becomes part of the query grammar.
string query = "SELECT * FROM Users WHERE name='" + userName + "'";
SqlConnection conn = new SqlConnection(connectionString);
conn.Open();
SqlCommand sqlCommand = conn.CreateCommand();
sqlCommand.CommandText = query;
SqlDataReader reader = sqlCommand.ExecuteReader();
/* Process Results Here */
reader.Close();
conn.Close();
This code is vulnerable to an SQL injection attack because it directly executes a
query that was created with user data. Notice the use of the SqlCommand and
SqlConnection objects, as these will be mentioned throughout the rest of this chapter.
An SqlConnection object creates connections to a database, and an SqlCommand
object represents a specific command that will be executed against the database
management system (DBMS).
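The lookup above written twice, as an added example that is not from the book: the concatenating form beside a parameterized SqlCommand, with a constructed quote-bearing input to show why the DBMS cannot tell the two apart in the first form. The connection string, the Users table and the @name parameter are assumptions.

```csharp
// Added example (not the book's code). Connection string, table and column are assumed.
using System;
using System.Data;
using System.Data.SqlClient;

static class UserLookup
{
    // Concatenating form: the input is spliced into the SQL text, so any quote in it,
    // hostile or not, changes the statement the DBMS parses.
    static string BuildUnsafeQuery(string userName)
    {
        return "SELECT * FROM Users WHERE name='" + userName + "'";
    }

    // Parameterized form: the statement text is fixed and the value is sent as a typed
    // parameter, so it is only ever treated as data, quotes included.
    static SqlCommand BuildSafeCommand(SqlConnection conn, string userName)
    {
        SqlCommand cmd = conn.CreateCommand();
        cmd.CommandText = "SELECT * FROM Users WHERE name = @name";
        cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
        return cmd;
    }

    static void Main()
    {
        string input = "O'Brien";   // constructed sample input containing a single quote
        Console.WriteLine(BuildUnsafeQuery(input));
        // Shows:  SELECT * FROM Users WHERE name='O'Brien'
        // The quote after O ends the literal; what follows is parsed as SQL, not as data.

        string connectionString = "<connection string placeholder>";
        using (SqlConnection conn = new SqlConnection(connectionString))
        {
            conn.Open();
            using (SqlCommand cmd = BuildSafeCommand(conn, input))
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                // Matches only rows whose name is exactly O'Brien.
                while (reader.Read())
                    Console.WriteLine(reader["name"]);
            }
        }
    }
}
```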