Help needed with SQL injection project!?

I'm creating a three-layer application with C# and SQL Server.
My project is called "SQL Injection", for the subject "Data Security" at my faculty.
So what I intend to do is create the application with at least three tables. I'm calling the data from SQL Server with SQL statements, Stored Procedures and Transactions. So all I want to know is: what are the SQL statements to attack my application, and what is the best solution to be protected from SQL injection? Is there any tool or an application to be concatenated into the application, or what do you suggest?

P.S. This request is just for learning purposes and has nothing to do with attacking other sites. So if it's against the forum rule I do apologize.

Thank you in advance while taking time reading this topic.

Cheers.

Unfortunately we can't really help with this, due to the way that it would involve explaining how to do an SQL injection attack.

That said, what you do to avoid them is to ensure that anything that is supplied by a user and later put into a query is properly escaped, meaning that any SQL characters (such as quotes) are prefixed with a backslash so they do not end up being seen as part of the query.

We can't aid in how to do it, but here is some info:

Here is how to prevent it... so... undo any prevention configurations and it will be a gaping hole ready for the attack in the sandbox. Generally the program code that interfaces with the SQL database should test the data that is to be passed, to disallow an injection attempt, so poor programming can create the problem.

https://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet

Thank you for your reply. I have one more question.
I see that using stored procedures and transactions is one step safer than using SQL query statements. Another good protection is to prevent users from inputting long strings; an example would be that the name field does not accept more than 15 characters and does not accept marks like ' space ' or "space".
My question is:
Is there any tool or software that I can use in my application to be protected from SQL injection?

Once again thank you for your reply.

Cheers.

Quote from: dr_iton on January 29, 2014, 03:30:10 AM
> Thank you for your reply. I have one more question.
> I see that using stored procedures and transactions is one step safer than using SQL query statements. Another good protection is to prevent users from inputting long strings; an example would be that the name field does not accept more than 15 characters and does not accept marks like ' space ' or "space".
> My question is:
> Is there any tool or software that I can use in my application to be protected from SQL injection?
>
> Once again thank you for your reply.
>
> Cheers.

It really depends on what you are writing the program in, but most languages contain some sort of method to escape strings before they are concatenated into your query; in PHP this is $escaped = mysqli_real_escape_string($string). You would then basically use this on anything you concatenate into your query that has, at some point, come from a user.

This is the only safe way to avoid it. I have seen people limiting the input length but it doesn't work: you may not be able to do too much with a short string, but only a couple of characters will be enough to let you change the query slightly. Similarly, you can also limit the characters the user can enter, but this can annoy users and will only work in cases where the user will never need/want to enter one of those characters. Escaping, on the other hand, will let you store any characters in strings of any length, but it will prevent SQL injection.

Quote from: camerongray on January 29, 2014, 03:46:54 AM
> It really depends on what you are writing the program in, but most languages contain some sort of method to escape strings before they are concatenated into your query; in PHP this is $escaped = mysqli_real_escape_string($string). You would then basically use this on anything you concatenate into your query that has, at some point, come from a user.
>
> This is the only safe way to avoid it. I have seen people limiting the input length but it doesn't work: you may not be able to do too much with a short string, but only a couple of characters will be enough to let you change the query slightly. Similarly, you can also limit the characters the user can enter, but this can annoy users and will only work in cases where the user will never need/want to enter one of those characters. Escaping, on the other hand, will let you store any characters in strings of any length, but it will prevent SQL injection.

Thank you. What would you suggest I do in my application, created with C#, to be protected from injection? Is it a good thought to divide the application into three layers even if those layers communicate with SQL statements?
Is there a way somehow to apply a HASH function in my statements?
Cheers.

I wouldn't just hash it, but also salt it as well to be most secure.

Quote from: dr_iton on February 06, 2014, 03:19:41 AM
> Thank you. What would you suggest I do in my application, created with C#, to be protected from injection? Is it a good thought to divide the application into three layers even if those layers communicate with SQL statements?
> Is there a way somehow to apply a HASH function in my statements?
> Cheers.


If it's a C# web application you shouldn't have any direct calls to SQL or any database. Instead the de-facto method is to use the Entity Framework or MVC4, which will generate your data layer classes based on the information you give, and will allow you to use any supported Data Source.

Quote from: BC_Programmer on February 06, 2014, 08:39:42 PM
> If it's a C# web application you shouldn't have any direct calls to SQL or any database. Instead the de-facto method is to use the Entity Framework or MVC4, which will generate your data layer classes based on the information you give, and will allow you to use any supported Data Source.

Yes, my application is created in C# and has three layers: BO (Business Objects), BLL (Business Logic Layer) and DAL (Data Access Layer). The layers communicate with each other through classes and objects, but the DAL communicates with the DB (database) with those kinds of query statements, such as QUERY, STORED PROCEDURE and TRANSACTION.
Another question:
Can I add a HASH function, or salted passwords, or RSA, or what else, to my statements to make the communication encrypted in such a manner as to be protected from SQL injection? Can someone post an example, for one table, of how to make the protection?

Once again thank you in advance for your reply and time while reading this topic.
Cheers.
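As an editor's answer to the closing request, here is an added example (not code from any poster) of one data-access class for a single table: it shows the concatenated query that the length-limit and character-ban advice in this thread cannot make safe, beside the parameterized query and stored-procedure call that do, and since hashing or salting was raised above, note that those protect stored passwords and have no bearing on injection. It assumes a Customers table with columns Id, Name and Email, a stored procedure named dbo.Customer_Insert, and the System.Data.SqlClient namespace that shipped with the .NET Framework.

```csharp
using System.Data;
using System.Data.SqlClient;

// Added example for the thread's "one table" question. The Customers table
// (Id, Name, Email) and the dbo.Customer_Insert procedure are assumed names.
public class CustomerDal
{
    private readonly string _cs;
    public CustomerDal(string connectionString) { _cs = connectionString; }

    // VULNERABLE: user input is pasted into the SQL text, so a quote inside
    // "name" changes the statement itself. Capping the length or banning
    // spaces, as suggested in the thread, does not remove this defect.
    public static string BuildUnsafeSql(string name)
    {
        return "SELECT Id, Name, Email FROM Customers WHERE Name = '" + name + "'";
    }

    // SAFE: the value is sent as a typed parameter, separate from the SQL text,
    // so quotes, spaces and comment markers are compared literally, not parsed.
    public DataTable FindByName(string name)
    {
        const string sql = "SELECT Id, Name, Email FROM Customers WHERE Name = @name";
        using (var conn = new SqlConnection(_cs))
        using (var cmd = new SqlCommand(sql, conn))
        using (var adapter = new SqlDataAdapter(cmd))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 100).Value = name;
            var table = new DataTable();
            adapter.Fill(table);      // the adapter opens and closes the connection
            return table;
        }
    }

    // A stored procedure is only "one step safer" when it is called like this
    // (CommandType.StoredProcedure plus parameters) and the procedure body does
    // not rebuild dynamic SQL from its arguments.
    public int Insert(string name, string email)
    {
        using (var conn = new SqlConnection(_cs))
        using (var cmd = new SqlCommand("dbo.Customer_Insert", conn))
        {
            cmd.CommandType = CommandType.StoredProcedure;
            cmd.Parameters.Add("@Name", SqlDbType.NVarChar, 100).Value = name;
            cmd.Parameters.Add("@Email", SqlDbType.NVarChar, 254).Value = email;
            conn.Open();
            return cmd.ExecuteNonQuery();
        }
    }
}
```

The three-layer split is fine on its own, but it only helps if every statement the DAL sends is built like FindByName and Insert; the layer boundary itself does not make BuildUnsafeSql any safer.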

