0

OK. i want to know something about SQL injection.

I have a database with two table one is Logins and the other Orders. i have a non-parametrized SQL Query like following.

// Select_Button click event 
//connection con
//command comm
comm.commandtext = "Select * from Logins where User_na='"+textBox1.text+" Pass_wrd='"+textBox2.text+"'";
//Execute reader

//Insrt_button Event
//connection ins_con
//command ins_comm
ins_comm.commandText = "Insert Into Logins(User_na, Pass_wrd) values ('"+textBox3.text+'", '"+textBox4.text+"'")";
//Execute non-query

Now i want to know how can there be SQL Attack on My database. How can i drop, say for example, my other datatables in the database.? Is it possible ?

Any and all help is highly appreciated.

Improve this question
2
  • 5
    stackoverflow.com/questions/332365/… Commented Mar 9, 2014 at 13:49
  • @Steve. Link Helped, but your answer was much clear than that entire post. Well done sir. Commented Mar 9, 2014 at 14:54

1 Answer 1

Reset to default
4

Just to show how a Sql Injection is really easy and, apart from destruction of data, could lead to other nasty effects

textbox1.Text = "' OR User_na LIKE '%'; --";

the resulting comm.CommandText is 

comm.commandtext = @"Select * from Logins where User_na='' OR User_na LIKE '%'--pass_wrd= 'xxx'";
SqlDataReader r = cmd.ExecuteReader();
if(r.HasRows)
{
    MessageBox.Show("The poor programmer was tricked by a smart hacker");
    .....
}

then depending on how do you check the results of the query the unauthenticated user could gain access to your program

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Yes the Perfect Solution.. Works like a charm... thanks a Lot Bro..

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.