I got SQL injection attacks on my website for 1 month, help me plz.
-
I got an SQL injection attack on my website, plz help me, how can I prevent this? Thanks in advance :(( :((
help as a alias. Be happy and make others happy. Cheer up...........
-
I got an SQL injection attack on my website, plz help me, how can I prevent this? Thanks in advance :(( :((
help as a alias. Be happy and make others happy. Cheer up...........
On login boxes it would be safer to use the following way to secure parameters
========================
using System.Data.SqlClient;

// Parameterised login query: the box contents are bound as values, never spliced into the SQL text.
SqlConnection conn = new SqlConnection("connstring");
SqlCommand comm = conn.CreateCommand();
comm.CommandText = "SELECT * FROM Admins WHERE (uname = @uname) AND (password = @passw);";
comm.Parameters.AddWithValue("@uname", TextBox1.Text);   // username box
comm.Parameters.AddWithValue("@passw", TextBox2.Text);   // password box (TextBox2 assumed)
conn.Open();
SqlDataReader reader = comm.ExecuteReader();
if (reader.Read())
{
    // loggedIn
}
else
{
    // invalid
}
========================
What you can also do is convert your text input to lowercase and check your text input for SQL expressions such as " * , select, delete, update.

string s = "Input string got from box";
if (s.Contains("select") || s.Contains("*"))
{
    // Possible injection attack
}
Le Roux Viljoen Web Developer PCW New Media South African Branch www.pcwnewmedia.com
-
I got an SQL injection attack on my website, plz help me, how can I prevent this? Thanks in advance :(( :((
help as a alias. Be happy and make others happy. Cheer up...........
Good suggestions from the other two replies. Just to expand on the points a bit - essentially it comes down to not trusting any input from your users. Any time you're using any user-supplied data, you have to make absolutely sure that you don't allow it to be treated as executable code, or else you are allowing untrusted users to modify the intended behaviour of your application. This includes when you use user data as part of an SQL query string.

(Language dependent, treat this as pseudocode.) For example, if you are using an SQL query like

SELECT * FROM Users WHERE UserName='$UserName' AND Password='$Password'

you need to ensure that the $UserName and $Password inputs cannot contain any SQL code (or client/server code, but that's another story). If the $UserName field contains something like

"Alan';DELETE FROM Users;INSERT INTO USERS (UserName, Password) VALUES ('Hacker', 'MyEasyPassword');"

then the rogue user would have been able to delete all your users and insert a new user with the details he wants. This is far from a worst-case scenario, which could potentially include having all your sensitive data stolen, existing data modified in ways that you won't notice, and a system put in place to do further malicious activities - all without you even knowing.

There are several approaches to fix this - mostly previously suggested.

1) Thoroughly validate all your input data. Use a whitelist where possible to specify valid input types, and trim out any code that is in the SQL. This includes server script, SQL, and client script code. This approach can be difficult to get right if you use it on its own.

2) As suggested, use parameterised queries. These are safer, as the DB server should not parse the parameter values for code to execute; however, you should still be validating your code (or else you're going to be back here asking about cross-site scripting attacks, junk data etc.).

3) Use stored procedures. These are different to, but have some of the benefits of, parameterised queries, though a lot of crap is talked about them... You still need to validate the data.

Hope that helps.
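The two replies above together describe the fix: a whitelist on the input shape (point 1) and a parameterised lookup (point 2). As an added example that is not from either poster, the following Python/sqlite3 script puts the string-built query from the thread beside a hardened login, using a constructed Users table and the injected username quoted above as test input; the `^[A-Za-z0-9_]{3,32}$` username rule is an assumed whitelist, not something the thread specifies.

```python
import re
import sqlite3

# Constructed sample data standing in for the site's real Users table.
# Plaintext passwords only mirror the thread's query; real systems store hashes.
SAMPLE_USERS = [("Alan", "s3cret"), ("bob", "hunter2")]

# The injected username quoted in the thread, used here only as test input.
INJECTED_NAME = ("Alan';DELETE FROM Users;INSERT INTO USERS (UserName, Password) "
                 "VALUES ('Hacker', 'MyEasyPassword');")

# Assumed whitelist: usernames are 3-32 letters, digits or underscores.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserName TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def unsafe_query(username, password):
    """The string-built query from the thread: user input becomes SQL text,
    so a quote in the username ends the literal and the rest is executed."""
    return (f"SELECT * FROM Users WHERE UserName='{username}' "
            f"AND Password='{password}'")


def valid_username(username):
    """Whitelist check (point 1): reject anything outside the allowed shape."""
    return USERNAME_RE.fullmatch(username) is not None


def login(conn, username, password, validate=True):
    """Parameterised lookup (point 2): '?' placeholders with the values bound
    separately, so the driver never parses the input as SQL. With validate=False
    the whitelist is skipped to show that binding alone neutralises the payload."""
    if validate and not valid_username(username):
        return False
    row = conn.execute(
        "SELECT 1 FROM Users WHERE UserName = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def user_count(conn):
    """Row count used to confirm the injected DELETE never ran."""
    return conn.execute("SELECT COUNT(*) FROM Users").fetchone()[0]
```

Running `login(make_db(), INJECTED_NAME, "x", validate=False)` returns False and leaves both rows in place, while `unsafe_query` shows the same input turned into a stacked DELETE in the SQL text.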
-
On login boxes it would be safer to use the following way to secure parameters
========================
using System.Data.SqlClient;

// Parameterised login query: the box contents are bound as values, never spliced into the SQL text.
SqlConnection conn = new SqlConnection("connstring");
SqlCommand comm = conn.CreateCommand();
comm.CommandText = "SELECT * FROM Admins WHERE (uname = @uname) AND (password = @passw);";
comm.Parameters.AddWithValue("@uname", TextBox1.Text);   // username box
comm.Parameters.AddWithValue("@passw", TextBox2.Text);   // password box (TextBox2 assumed)
conn.Open();
SqlDataReader reader = comm.ExecuteReader();
if (reader.Read())
{
    // loggedIn
}
else
{
    // invalid
}
========================
What you can also do is convert your text input to lowercase and check your text input for SQL expressions such as " * , select, delete, update.

string s = "Input string got from box";
if (s.Contains("select") || s.Contains("*"))
{
    // Possible injection attack
}
Le Roux Viljoen Web Developer PCW New Media South African Branch www.pcwnewmedia.com
We already tried this, plz give me something more.
help as a alias. Be happy and make others happy. Cheer up...........
-
We already tried this, plz give me something more.
help as a alias. Be happy and make others happy. Cheer up...........
Well, if you validated input strings coming from text boxes, there won't be a problem. What you can also do is turn debug off, and make sure that remote debugging is also turned off in your web.config on the server, because SQL injection is usually not possible without knowledge of the database table names and structure. The oke was probably typing random query text into these boxes to cause this error, like " asas); Delete FROM abc; Select * from abc where(uname = ", to expose error messages from the server, because that would expose the details of the queried table.

What is the specific case where they broke in? Was it on a login, or when adding comments?

Also, assuming you are working from .NET, I recommend that you use the built-in login validation and role management that comes with Visual Studio (.NET 2 and up). It implements the best standards and practices for securing login.
Le Roux Viljoen Web Developer PCW New Media South African Branch www.pcwnewmedia.com
-
We already tried this, plz give me something more.
help as a alias. Be happy and make others happy. Cheer up...........
It's going to be hard to fix your problems without seeing your source code. Also, site security is a complex topic, and it's difficult to cover everything necessary on a forum. If you're working on anything that's security critical, and you don't know how to make it basically secure, the best solution would be to hire someone who does (and maybe get them to teach you about what they're doing). (No offence intended - it's a serious point.)
-
I got an SQL injection attack on my website, plz help me, how can I prevent this? Thanks in advance :(( :((
help as a alias. Be happy and make others happy. Cheer up...........
help as an alias wrote:
how can I prevent this
Read Colin's article on this site about such subject. Very useful.
"The clue train passed his station without stopping." - John Simmons / outlaw programmer "Real programmers just throw a bunch of 1s and 0s at the computer to see what sticks" - Pete O'Hanlon