Introduction:
What is a SQL Injection?
SQL injection is a technique for passing SQL commands to the backend database through a web application that accepts unvalidated input from forms, URLs, etc.
What is the impact of SQL injection?
An attacker can take advantage of SQL injection to dump the database, and can also pass commands to the database that result in a DoS, i.e. shutting down the database or dropping important tables in the database.
How can we Mitigate?
One can mitigate SQL injection by using parameterized queries.
What is a parameterized query?
A parameterized query is a type of SQL query that requires at least one parameter for execution. A placeholder is normally substituted for the parameter in the SQL query. The parameter is then passed to the query in a separate statement.
The following is an example of an ADO.NET parameterized query:
SELECT LastName FROM Contacts WHERE ContactID = @ContactID;
@ContactID is the parameter for this query, which might be defined in a
subsequent statement similar to the following:
command.Parameters.Add(new SqlParameter("@ContactID", theContactID));
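The difference between building the query text from input and binding the input as a parameter, as an added example that is not part of the original post. It uses Python's built-in sqlite3 module with an in-memory database instead of ADO.NET so it runs without a server; the sample rows, the function names and the :ContactID placeholder (SQLite's counterpart of @ContactID) are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data; table and column names follow the page's query.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Contacts (ContactID INTEGER, LastName TEXT)")
    conn.executemany(
        "INSERT INTO Contacts VALUES (?, ?)",
        [(1, "Adams"), (2, "Baker"), (3, "Clark")],
    )
    return conn

def lookup_concatenated(conn, contact_id):
    # Vulnerable: the input is pasted into the SQL text, so any SQL syntax
    # it contains is parsed and executed as part of the statement.
    sql = ("SELECT LastName FROM Contacts WHERE ContactID = "
           + str(contact_id) + " ORDER BY ContactID")
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterized(conn, contact_id):
    # Parameterized: the SQL text is fixed and the value is bound separately,
    # so it is only ever compared as data against ContactID.
    sql = ("SELECT LastName FROM Contacts WHERE ContactID = :ContactID "
           "ORDER BY ContactID")
    return [row[0] for row in conn.execute(sql, {"ContactID": contact_id})]

if __name__ == "__main__":
    conn = make_db()
    crafted = "1 OR 1=1"  # constructed input that carries SQL syntax
    for value in (2, crafted):
        print(repr(value))
        print("  concatenated :", lookup_concatenated(conn, value))
        print("  parameterized:", lookup_parameterized(conn, value))
```

With the ordinary value both functions return the same single row; with the crafted value the concatenated query returns every row in the table, while the parameterized query returns none because the whole string is treated as one value to compare.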