Beginning ASP.NET for Visual Studio 2015 by William Penberthy
Author: William Penberthy
Language: eng
Format: epub, azw3, pdf
ISBN: 9781119077237
Published: 2016-01-11T00:00:00+00:00
SQL INJECTION ATTACK
SQL injection is a technique whereby users can inject SQL commands into a SQL statement, generally through some kind of user-directed input such as a web page. These injected SQL commands may have a variety of effects on your database, from deleting tables to changing data. The purpose of a SQL injection attack is to convince the application to run SQL code that was not intended.
Suppose you had the following simple query that was built using string concatenation:
string sql = "SELECT username,password FROM sometable WHERE email='";
sql += emailAddress;
sql += "'";
The expectation here is for users to enter their e-mail address into a data entry field, and for the query that would be built to end up looking something like the following:
SELECT username,password FROM sometable WHERE email='someone@example.com'
However, with a SQL injection attack, the nefarious user would not enter an e-mail address but instead something more like this:
x'; DROP TABLE sometable;--
This would result in the following final SQL statement:
SELECT username,password FROM sometable WHERE email='x'; DROP TABLE sometable;--'
This would be bad, because when the whole statement is run it will first try to find the information using “x” as the e-mail, and once that statement has completed it will run the next statement, which in this case happens to be a DROP TABLE command that will remove that table from your database. The trailing -- turns the closing quote appended by the application into a comment, so the injected statement parses cleanly.
The most common and powerful way to stop SQL injection is through the use of parameters. Parameters enable the database server to look at the entire value being passed in as a single item, rather than as a chain of commands. Using parameters would have created the following SQL:
string sql = "SELECT username,password FROM sometable WHERE email=@email";
The command would be executed with a parameter named @email carrying the user's input. This means that when the SELECT is performed, it would be looking for x'; DROP TABLE sometable;-- as the actual value in the column, and more than likely not finding anything.
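The following is an added example, not code from the book: the concatenated query from the text beside its parameterized form using System.Data.SqlClient. The connection string, table and column type are placeholders assumed for illustration.

```csharp
// Added example (not from the book): string concatenation versus a parameterized
// SqlCommand. Connection string, table and column length are placeholder assumptions.
using System;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    // VULNERABLE: the e-mail address is spliced into the SQL text, so the quote and
    // semicolon in "x'; DROP TABLE sometable;--" become part of the statement itself.
    public static string BuildConcatenatedSql(string emailAddress)
    {
        string sql = "SELECT username,password FROM sometable WHERE email='";
        sql += emailAddress;
        sql += "'";
        return sql;
    }

    // SAFE: the SQL text is fixed; the server receives @email as one typed value and
    // compares it to the column, so the payload is never parsed as a command.
    public static SqlCommand BuildParameterizedCommand(SqlConnection connection, string emailAddress)
    {
        const string sql = "SELECT username,password FROM sometable WHERE email=@email";
        var command = new SqlCommand(sql, connection);
        // Declaring the type and length explicitly avoids inferring them from the input.
        command.Parameters.Add("@email", SqlDbType.NVarChar, 256).Value = emailAddress;
        return command;
    }

    public static void Main()
    {
        const string payload = "x'; DROP TABLE sometable;--";

        // The concatenated text now contains two statements and a comment.
        Console.WriteLine(BuildConcatenatedSql(payload));

        // Placeholder connection string; replace with the application's own.
        using (var connection = new SqlConnection("Server=(local);Database=AppDb;Integrated Security=true"))
        {
            connection.Open();
            using (SqlCommand command = BuildParameterizedCommand(connection, payload))
            using (SqlDataReader reader = command.ExecuteReader())
            {
                // The payload is looked up as a literal e-mail value; no rows are expected
                // and sometable is untouched.
                Console.WriteLine(reader.HasRows ? "match found" : "no match");
            }
        }
    }
}
```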