
Re: SQl -injection

From Erland Sommarskog <esquel@sommarskog.se>
Newsgroups comp.databases.ms-sqlserver
Subject Re: SQl -injection
Date 2015-01-28 13:45 +0000
Organization Erland Sommarskog
Message-ID <XnsA430963E6DE33Yazorman@127.0.0.1> (permalink)
References <maai3j$iu8$1@dont-email.me>



Tony Johansson (johansson.andersson@telia.com) writes:
> In the form there is a text field for name.
> 
> This query is meant to be used like this:
> select Namn, Adress, Telefonnummer
> from Abonnent
> where Namn = 'Olle Karlsson'      //This name is fetched from the text field name in the form
> and hemligtNummer = false;
> 
> If now the user enters some strange characters in the text field in the form, 
> like this:
> select Namn, Adress, Telefonnummer
> from Abonnent
> where Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a'
> and hemligtNummer = false;
> 
> I don't understand how the second query can result in all rows being 
> fetched.

So that depends on how you submit the query. If you submit the query as:

cmd.CommandText = 
    @"select Namn, Adress, Telefonnummer
      from Abonnent
      where Namn = @name";
cmd.Parameters.Add("@name", SqlDbType.NVarChar, 50).Value = "Olle Karlsson";

There is no issue. (The syntax is C#, but all environments permit you to do
things like this.)

But if you do: 

cmd.CommandText = 
    @"select Namn, Adress, Telefonnummer
     from Abonnent
     where Namn = '" + TextBox.Text + "'";

This is wide open for SQL injection. For instance try to enter this in the 
textbox and see what happens:

  ' SHUTDOWN WITH NOWAIT --

-- 
Erland Sommarskog, SQL Server MVP, esquel@sommarskog.se

Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
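The two patterns from the reply side by side, as an added example that is not part of the original post. SQLite stands in for SQL Server and the table contents are constructed; the query, column names and the `or 'a'='a'` input are the ones from the thread. With string concatenation the quote in the input ends the literal and the rest becomes SQL, so the row with a secret number is listed too; with a bound parameter the whole input is compared as one name and nothing is returned.

```python
import sqlite3

# Constructed sample rows standing in for the Abonnent table in the thread.
ROWS = [
    ("Olle Karlsson", "Storgatan 1", "08-111111", 0),
    ("Anna Svensson", "Lillgatan 2", "08-222222", 0),
    ("Hemlig Person", "Okänd väg 3", "08-333333", 1),  # secret number: must not be listed
]

# The input from the original question, as typed into the name text field.
INJECTED_NAME = "Olle Karlsson' or 'a'='a' or 'a'='a"


def make_db():
    """Build an in-memory database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table Abonnent ("
        "Namn text, Adress text, Telefonnummer text, hemligtNummer integer)"
    )
    conn.executemany("insert into Abonnent values (?, ?, ?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, name):
    """The vulnerable pattern: the text field is pasted into the SQL string.

    SQLite has no 'false' literal in older versions, so 0 is used here;
    the meaning is the same as hemligtNummer = false in the thread.
    """
    sql = ("select Namn, Adress, Telefonnummer from Abonnent "
           "where Namn = '" + name + "' and hemligtNummer = 0")
    # With INJECTED_NAME the WHERE clause becomes
    #   Namn = 'Olle Karlsson' or 'a'='a' or 'a'='a' and hemligtNummer = 0
    # and because AND binds tighter than OR, every row matches.
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The safe pattern: the name is bound as a parameter, never parsed as SQL.

    This is the sqlite3 equivalent of @name with cmd.Parameters.Add in the C#
    snippet above; the database receives the quote and the or-clauses as data.
    """
    sql = ("select Namn, Adress, Telefonnummer from Abonnent "
           "where Namn = ? and hemligtNummer = 0")
    return conn.execute(sql, (name,)).fetchall()
```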
