
OK. I want to know something about SQL injection.

I have a database with two tables: one is Logins and the other Orders. I have a non-parametrized SQL query like the following.

// Select_Button click event
// connection con
// command comm
// user input is concatenated straight into the SQL text (non-parametrized)
comm.CommandText = "Select * from Logins where User_na='" + textBox1.Text + "' and Pass_wrd='" + textBox2.Text + "'";
// Execute reader

// Insrt_button event
// connection ins_con
// command ins_comm
ins_comm.CommandText = "Insert Into Logins(User_na, Pass_wrd) values ('" + textBox3.Text + "', '" + textBox4.Text + "')";
// Execute non-query

Now I want to know how there can be an SQL attack on my database. How can I drop, say for example, my other data tables in the database? Is it possible?

Any and all help is highly appreciated.

REZR.AMX
    http://stackoverflow.com/questions/332365/how-does-the-sql-injection-from-the-bobby-tables-xkcd-comic-work – Steve Mar 09 '14 at 13:49
  • @Steve. Link helped, but your answer was much clearer than that entire post. Well done, sir. – REZR.AMX Mar 09 '14 at 14:54

1 Answer


Just to show how SQL injection is really easy and, apart from destruction of data, could lead to other nasty effects:

textBox1.Text = "' OR User_na LIKE '%'; --";

the resulting comm.CommandText is

// the closing quote is supplied by the input and the rest of the WHERE clause is commented out
comm.CommandText = @"Select * from Logins where User_na='' OR User_na LIKE '%'; --' and Pass_wrd='xxx'";
SqlDataReader r = comm.ExecuteReader();
if (r.HasRows)
{
    MessageBox.Show("The poor programmer was tricked by a smart hacker");
    .....
}

then, depending on how you check the results of the query, the unauthenticated user could gain access to your program.

Steve
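Added example (not the question's or Steve's code): the Logins lookup from the question, built once by string concatenation and once with placeholders, run against a constructed in-memory SQLite table that stands in for the SqlCommand/SqlDataReader code. The input from the answer above logs in through the concatenated query and is rejected by the parameterized one.

```python
import sqlite3

# The answer's input, without the semicolon (a single statement with a
# trailing comment is enough to discard the password check).
INJECTED_USER = "' OR User_na LIKE '%' --"


def make_db():
    # Constructed in-memory database mirroring the page's Logins table
    # (assumption: sqlite3 in place of the C# SqlConnection).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Logins (User_na TEXT, Pass_wrd TEXT)")
    con.execute("INSERT INTO Logins VALUES ('alice', 's3cret')")
    return con


def login_concatenated(con, user, pwd):
    # Same construction as comm.CommandText in the question: the user's text
    # becomes part of the SQL, so a quote and '--' rewrite the WHERE clause.
    sql = ("SELECT * FROM Logins WHERE User_na='" + user
           + "' AND Pass_wrd='" + pwd + "'")
    return con.execute(sql).fetchone() is not None


def login_parameterized(con, user, pwd):
    # Placeholders: the driver sends the values separately from the SQL text
    # (C# equivalent: comm.Parameters.AddWithValue("@u", textBox1.Text)), so
    # the same input is compared literally and matches no row.
    sql = "SELECT * FROM Logins WHERE User_na=? AND Pass_wrd=?"
    return con.execute(sql, (user, pwd)).fetchone() is not None


def demo():
    # Returns the outcome of each login attempt (True = row found).
    con = make_db()
    return {
        "valid_concat": login_concatenated(con, "alice", "s3cret"),
        "injected_concat": login_concatenated(con, INJECTED_USER, "wrong"),
        "valid_param": login_parameterized(con, "alice", "s3cret"),
        "injected_param": login_parameterized(con, INJECTED_USER, "wrong"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```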