SQL Injection In ASP.Net

About SQL Injection

 
Many vulnerabilities exist allowing hackers to steal data from organizations and SQL Injection is one of them. It is perhaps one of the most common application layer attack techniques used today. When improper coding of the web application is done then a hacker can inject into SQL commands. By using SQL commands a hacker can steal your data, they can modify your details and they can delete your data permanently.
 
In simple terms, SQL injection is nothing but it a technique where malicious users can inject SQL commands into an SQL statement, via webpage input and this input can break the security of the web application.
 
Now we understand how SQL Injection can be done in ASP .NET websites.
 
Let's take an example. Suppose you have a Login Table inside your database such as follows: 
  1. Create table Login  
  2. (  
  3. id int primary key,  
  4. Name varchar(50),  
  5. Email varchar(50),  
  6. Password varchar(50)  
  7. )  
Using the code above the output will look like:
 
 
 
And in this table you have some data such as the following.
  1. Insert into Login values(1, 'Sourabh Somani''sourabh_somani2010@hotmail.com''password');  
  2. Insert into Login values(2, 'Shaili Dashora''dashorashaili17@gmail.com' 'password');  
  3. Insert into Login values(3, 'Divya Sharma''sharma.divya485@gmail.com''password');  
  4. Insert into Login values(4, 'Swati Soni''swati_soni@gmail.com''password');  
Using the code above the output will be like:
 
Table with Inserted Data 
 
Now I am creating a Login page using the following code with a Login Control.
  1. <asp:login id="Login1" runat="server" onauthenticate="Login1_Authenticate" width="331px"  
  2.     backcolor="#F7F6F3" bordercolor="#E6E2D8" borderpadding="4" borderstyle="Solid"  
  3.     borderwidth="1px" font-names="Verdana" font-size="0.8em" forecolor="#333333"  
  4.     height="139px">  
  5.    <InstructionTextStyle Font-Italic="True" ForeColor="Black" />  
  6.    <LoginButtonStyle BackColor="#FFFBFF" BorderColor="#CCCCCC" BorderStyle="Solid" BorderWidth="1px" Font-Names="Verdana" Font-Size="0.8em"       ForeColor="#284775" />  
  7.    <TextBoxStyle Font-Size="0.8em" />  
  8.    <TitleTextStyle BackColor="#5D7B9D" Font-Bold="True" Font-Size="0.9em" ForeColor="White" />  
  9. </asp:login>  
Using the code above the output will be like:
 
Login page 
 
Now double-click on the Login control and generate a Login1_Authenticate event handler.
  1. protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)   
  2. {     
  3. }  
And if you write the following code such as the following:
  1. protected void Login1_Authenticate(object sender, AuthenticateEventArgs e)  
  2. {  
  3.     SqlConnection con = new SqlConnection(@"Data Source=.\sqlexpress;Initial Catalog=MyDb;Integrated Security=True");  
  4.     string qry="select * from MyTable where Email='"+Login1.UserName+"'and Password='"+Login1.Password+"' ";  
  5.     adpt = new SqlDataAdapter(qry,con);  
  6.     dt = new DataTable();  
  7.     adpt.Fill(dt);  
  8.     if (dt.Rows.Count >= 1)  
  9.     {  
  10.         Response.Redirect("index.aspx");  
  11.     }  
  12. }   
Here index.aspx is another page that will be shown after login.
 
Now press F5 to run this project. On the run-time we will see the How SQL Injection can be done...?
 
After running the output will be:
 
run the project 
 
SQL Injection when an attacker doesn't know the username: If the attacker doesn't know what the username is then he/she simply uses a "1=1" concept as in the following example.
 
SQL Injection 
 
Now if we look at our SQL query then that was:
  1. string qry="select * from MyTable where Email='"+Login1.UserName+"'and Password='"+Login1.Password+"' ";  
Now see that what we entered as the username inside the TextBox of the login control is ' or 1=1, so after pressing the Log In button your query will look like:
  1. select * from MyTable where Email='' or 1=1--'and Password=''  
Here:
 
SQL query  
 
SQL Injection when the attacker does know the username: If the attacker does know the username then he will never need to apply the 1=1 rule, he will simply write username + ' in the TextBox and comment out everything following such as in the following.
 
SQL Injection when attacker knows username 
 
So now depending on the username our query will be like this:
  1. select * from MyTable where Email='sourabh_somani2010@hotmail.com'--and Password=''  
Here:
 
Query 
 

How SQL Injection can be dangerous

 
Suppose an attacker knows the information about the SQL, then he can also modify the database. For example, suppose an attacker knows the name of the table. He can then also insert, delete, update, alter and so on command inside the SQL.
 
For this see the following example.
 
Example: My table name is MyTable and if I want to delete data from the table then my query will be "Delete from MyTable". 
 
How to apply this query in a TextBox
 
SQL Injection 
 
So by providing the username query above it will look such as the following.
  1. select * from MyTable where Email='' Delete from MyTable --'and Password=''   
Here
 
Query 
 
If you want to check whether or not the data was deleted from the database then just go to SQL Express and select all the data using a selection query as in the following:
 
SQL Injection 
 
This was all about SQL Injection. 
 
Note: Inside an Index.aspx page I have just written the following code:
  1. <%@ Page Language="C#" AutoEventWireup="true" CodeFile="Index.aspx.cs" Inherits="Index" %>  
  2. <!DOCTYPE html>  
  3. <html xmlns="http://www.w3.org/1999/xhtml">  
  4. <head id="Head1" runat="server">  
  5.     <title></title>  
  6. </head>  
  7. <body>  
  8.     <form id="form1" runat="server">  
  9.     <div>  
  10.         <center>  
  11.             <h1>  
  12.                 HELLO  
  13.                 <br />  
  14.                 C# CORNER  
  15.             </h1>  
  16.         </center>  
  17.     </div>  
  18.     </form>  
  19. </body>  
  20. </html>  
Output of the Index Page
 
index