SQL injection attack on ASP registration form pages?

Question

I need to know the process of the SQL injection attack on registration form made by ASP or ASP.Net?

Please elaborate and clarify. Language? Platform? Database? – BinaryMisfit Jul 15 '09 at 13:24 — BinaryMisfit, Jul 15 '09 at 13:24

KM. · Answer 1 · 2009-07-15T13:34:49.123

5

here is a simple example:

screen input:

enter your name:  Bill'); delete from users --

build query

insert into users (name) values ('''+@Name+''')'

actual query:

insert into users (name) values ('Bill'); delete from users --')

what happens: all your users get deleted

FYI, not sure of the database you're using, but @Name is a variable, and "--" is a comment

edited Jul 15 '09 at 13:34

answered Jul 15 '09 at 13:21

KM.

101,727
34
178
212

score 1 · Answer 2 · edited May 23 '17 at 12:00

1

See How to avoid SQL Injection in ASP.net application

edited May 23 '17 at 12:00

Community

1
1

answered Jul 15 '09 at 13:20

Galwegian

41,475
16
112
158

score 0 · Answer 3 · answered Jul 15 '09 at 13:21

0

Always validate the SQL query, remove any unwanted characters and use SQL Parameters to avoid SQL Injection.

answered Jul 15 '09 at 13:21

James

80,725
18
167
237

score 0 · Answer 4 · answered Jul 15 '09 at 13:32

0

Use stored procedures to avoid SQL injection, also use Server.HtmlEncode(string input)

answered Jul 15 '09 at 13:32

score 0 · Answer 5 · answered Dec 28 '12 at 14:44

Attacker not only crack the SQL Queries from forms but also they use the querystring or past method in ASP, their software can findout the pages that use the values from Querystring. Attacker add their script in that url and when website site page code get the value from querystring and there is no check to validate the value. All the script pass to database for execution. The Script used in url is in hexadecimal format and it will be in executable format when you run this statement in query anaylser. Don't RUN THIS SCRIPT on LIVE DATABASE, To do this make a dummy database and then execute it otherwise your database will be infected.

Those statements make the cusrors that fetch all the tables of a databse and then all columns of table to spread the Injection. +declare+%40s+varchar%288000%29+set+%40s%3Dcast%280x73657420616e73695f7761726e696e6773206f6666204445434c415245204054205641524348415228323535292c404320564152434841522832353529204445434c415245205461626c655f437572736f7220435552534f5220464f522073656c65637420632e5441424c455f4e414d452c632e434f4c554d4e5f4e414d452066726f6d20494e464f524d4154494f4e5f5343484 detail link

Thanks for posting your answer! Please be sure to read the [FAQ on Self-Promotion](http://stackoverflow.com/faq#promotion) carefully. Also note that it is *required* that you post a disclaimer every time you link to your own site/product. — Andrew Barber, Dec 28 '12 at 14:50

score 0 · Answer 6 · answered Jul 22 '11 at 12:21

0

SQL Injection Attack is the process of injecting SQL into an User Interface Element, which will subsequently get executed on the back end SQL server causing undesired behaviour. Click here for an article, that explains SQL Injection Attack with an example. Simply use stored procedures or parameterized queries to solve SQL Injection Attack.

answered Jul 22 '11 at 12:21

Venkat

91
1
1

2

Explain more, not only give a link – vinculis Nov 16 '12 at 13:02

SQL injection attack on ASP registration form pages?

6 Answers6

Linked