SQL Injection

 Executing unauthorized SQL

commands
select * from client where nume = " + tbNume.Text
’Alina’

’Alina’ or 1=1--

’Alina’ drop table client -

’Alina’ select * from users_pass --

 SQL Injection - solutions
 Quoting the input
 Valid only for string variable
 Don’t solve the problem …

string frazaSQL =
"select nume, telefon1, medie from doc2006 where nume = '“

+txtNume.Text+"'“
string frazaSQL =
"select cod, nume, telefon1, medie from doc2006 where cod = '“
+tbCod.Text+"'";
 SQL Injection - solutions
 Using parameters
OleDbParameter param1;

string strSql =
"select nume, telefon1, medie from doc2006 where nume = @numParam";
param1 = myCmd.Parameters.Add(
new OleDbParameter("@numParam", OleDbType.LongVarChar) );
param1.Direction = ParameterDirection.Input;
myCmd.Parameters["@numParam"].Value = txtNume.Text;

OleDbDataReader dr = myCmd.ExecuteReader();
while (dr.Read())
{
textBox1.Text+="\r\n"+dr["nume"]+ " " + dr["telefon1"]+
" + dr["medie"];
}
 SQL Injection - solutions
 Stored procedures
private void creareProc_Click(object sender, System.EventArgs e)
{
string strCreare = "CREATE PROCEDURE PREMIANTI AS "
+"SELECT nume, telefon1, medie FROM doc2006 WHERE medie>9.5 ";
OleDbConnection con = new OleDbConnection(
@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\doctoranzi2006.mdb");
con.Open(); OleDbCommand myCmd =new OleDbCommand();
myCmd.CommandType = CommandType.Text; myCmd.Connection = con;
myCmd.CommandText="DROP PROCEDURE PREMIANTI";
OleDbDataReader dr;
try { dr = myCmd.ExecuteReader(); dr.Close();}
catch { MessageBox.Show("Procedura de sters nu exista!!");}
myCmd.CommandText = strCreare;
try { dr = myCmd.ExecuteReader();dr.Close();}
catch { MessageBox.Show("Procedura nu a fost creata!!");}
}
 SQL Injection - solutions
 Stored procedures
private void apelProc_Click(object sender, System.EventArgs e)
{
OleDbConnection con =
new OleDbConnection(
@"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\doctoranzi2006.mdb");
con.Open();

OleDbCommand myCmd =new OleDbCommand("PREMIANTI",con);

myCmd.CommandType=CommandType.StoredProcedure;
OleDbDataReader dr = myCmd.ExecuteReader();
textBox1.Text="Lista premiantilor\r\n===================\r\n";
while (dr.Read())
{
textBox1.Text+="\r\n"+dr["nume"]+ " " + dr["medie"]+ " " + dr["telefon1"];
}
dr.Close();
}
 SQL Injection - solutions
 Using stored procedures

CREATE PROCEDURE MyProc @input varchar(128)

AS exec(@input)

 drag /drop, without clearing clipboard ?

 SQL Injection
 Other vulnerabilities
 Standard user name / password: sa / as
 Hardcoded passwords or conection string
 Solutions ?
