StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSecure website from SQL Injection ' using ASP.net and an Access database
text
Body
copied!<p>I currently have a website with a normal registration and login, coded with ASP.net. I am using an Access database, while using a C# class my friend wrote for handling most of the database actions (executeQuery, executeRead, isExits...).</p> <p>Now that I've almost finished building my website, I want to start adding security - mostly to my database. I have searched for a while now for a tutorial on the subject, but I could not find anything good exept an old microsoft msdn article which I couldn't realy get its code to work. The furthest I've got now is just no allowing any dangerous characters in the username and password, (such as ',--,;), but it kind of feels as if it is the worse solution that i can use (why shouldn't my users use this characters?).</p> <p>I think that the best solution I've found is somehow insertion the variables into the query string after declaring it (something to do with "WHERE username=@user" or something like that), but i couldn't get it to work with Access and with my oleDBManager.</p> <p>here is my current registration code. handle() is removing all ' from the string, and Validate() checks for dangerous parts in the string.</p> <pre><code> string username = user.Text; string password = pass.Text; bool isThingy = false; if (handle(ref password)) isThingy = true; if (handle(ref username)) isThingy = true; if (username != "" && username != null) { if (password != "" && password != null) { if (Validate(username, password)) { if ((db.IsExist("SELECT * FROM Table1 WHERE username='" + username + "'") == false)) { int a = db.ExecuteQuery("INSERT INTO `Table1`(`username`, `password`, `logins`, `email`, `fname`, `lname`, `country`, `city`, `birthday`, `userid`) VALUES ('" + username + "', '" + password + "', '0', '', '', '', '', '', '', '" + Convert.ToString(Convert.ToInt32(db.ExecuteCellRead("SELECT MAX(userid) FROM Table1")) + 1) + "');"); if (!isThingy) errorLabel.Text = "Your user has been successfully registered"; else errorLabel.Text = "The ' token is invalid. your user was registered absence the '."; } else errorLabel.Text = "This username is already taken"; } else errorLabel.Text = "Invalid name format"; } else errorLabel.Text = "Please enter a password"; } else errorLabel.Text = "Please enter a user name"; </code></pre> <p>as for the oleDBManager (named db in my code):</p> <pre><code> private OleDbConnection link; // The link instance private OleDbCommand command; // The command object private OleDbDataReader dataReader; // The data reader object private OleDbDataAdapter dataAdapter; // the data adapter object private DataTable dataTable; // the data table object private string dbName; // the Database filename private int version; // the usersTableG office version private string connectionString; // the connection string for the database connection private string provider; // the matching driver string for the connection string private string path; // the path to the database file ... public int ExecuteQuery(string query) { this.link.Open(); int rowsAffected; // --- this.command = new OleDbCommand(query, this.link); try { rowsAffected = this.command.ExecuteNonQuery(); } catch (InvalidOperationException e) { if (e.Data == null) throw; else rowsAffected = -1; } finally { this.command.Dispose(); this.link.Close(); } // --- return rowsAffected; } public bool IsExist(string query) { this.link.Open(); // --- this.command = new OleDbCommand(query, this.link); this.dataReader = this.command.ExecuteReader(); bool a = this.dataReader.Read(); // --- this.command.Dispose(); this.link.Close(); // --- return a; } public string ExecuteCellRead(string query) { string output = ""; this.dataTable = this.ExcecuteRead(query); foreach (DataRow row in this.dataTable.Rows) { foreach (object obj in row.ItemArray) { output += obj.ToString(); } } return output; } </code></pre> <p>So, as you might see, the main problem is that the user now can not use characters as '. It suppose the best solution would be using the @ variables in the SQL queries, but I have no idea how.</p> <p>[thanks for your help] PS. i HAVE changed my tables' name ;)</p> <p>edit: most of you are telling me to use these parameterized queries, but it would be great if you could give me an example of how to use them, since i've never done that</p> <hr> <hr> <p>So, thanks to @Remou, my <strong>FINAL</strong> code is:</p> <pre><code> db.DoWeirdStackOverFlowStuff( "INSERT INTO `Table1`(`username`, `password`, `logins`) VALUES (@username, @password, '0');" , new string[] { "@username", "@password" } , new string[] { username, password }); </code></pre> <p>and</p> <pre><code> public int DoWeirdStackOverFlowStuff(string query, string[] vars, string[] reps) { this.link.Open(); int rowsAffected; // --- this.command = new OleDbCommand(); this.command.CommandText = query; this.command.CommandType = System.Data.CommandType.Text; this.command.Connection = this.link; //Parameters in the order in which they appear in the query for (int i = 0; i < vars.Length; i++) this.command.Parameters.AddWithValue(vars[i], reps[i]); try { rowsAffected = this.command.ExecuteNonQuery(); } catch (InvalidOperationException e) { if (e.Data == null) throw; else rowsAffected = -1; } finally { this.command.Dispose(); this.link.Close(); } // --- return rowsAffected; } </code></pre> <p>for whoever needs this =]</p>

Querying!

Guidance

An individual column

Larger individual text columns get their own page to allow for proper reading.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload