<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Hello System Admin &#124; Where system admins share technical article and tips &#124; Create free Blog &#124; Updates on domains, web hosting, servers and more &#187; Apache on windows</title>
	<atom:link href="http://hellosystemadmin.com/blog/tag/apache-on-windows/feed/" rel="self" type="application/rss+xml" />
	<link>http://hellosystemadmin.com</link>
	<description></description>
	<lastBuildDate>Fri, 09 Jul 2010 04:29:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.6</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>SQL Server Injection</title>
		<link>http://hellosystemadmin.com/blog/sql-server-injection/</link>
		<comments>http://hellosystemadmin.com/blog/sql-server-injection/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 04:39:50 +0000</pubDate>
		<dc:creator>Aneesh</dc:creator>
				<category><![CDATA[MS SQL Server]]></category>
		<category><![CDATA[Apache on windows]]></category>
		<category><![CDATA[Featured]]></category>
		<category><![CDATA[IPtables]]></category>
		<category><![CDATA[sql injection]]></category>

		<guid isPermaLink="false">http://hellosystemadmin.com/?p=375</guid>
<description><![CDATA[SQL Server Injection
These are some short notes about SQL injection (Microsoft SQL Server).
How does SQL injection work?
Formatted SQL queries are passed through text boxes (login pages, search pages, etc.). These queries are executed by the SQL server. Consider the example of a login page with two text boxes, one for the username and another [...]]]></description>
			<content:encoded><![CDATA[<p><strong>SQL Server Injection</strong></p>
<p>These are some short notes about SQL injection (Microsoft SQL Server).</p>
<p><strong>How does SQL injection work?</strong></p>
<p>Formatted SQL queries are passed through text boxes (login pages, search pages, etc.). These queries are executed by the SQL server. Consider the example of a login page with two text boxes, one for the username and another for the password.</p>
<p><a href="http://hellosystemadmin.com/files/2010/02/Login.gif"><img class="alignnone size-full wp-image-376" title="SQL Server Injection" src="http://hellosystemadmin.com/files/2010/02/Login.gif" alt="SQL Server Injection" width="437" height="159" /></a></p>
<p>Now, if the program is not well written, a hacker (or anyone who knows SQL commands) can pass any SQL query through these text boxes, and it will be executed by the SQL server. The SQL server does not know where the query comes from. For example, a person can pass a query to drop a table through this text box.</p>
<p><strong>How to find SQL Injection?</strong></p>
<p>If you suspect that something is wrong in the database (tables altered, data dropped, or even the database dropped without your permission), immediately start SQL Server Profiler to monitor the SQL commands. The profiler shows all queries that the SQL server executes, so you can see whether ALTER or DROP commands are appearing. When you find one, check its details to identify which user executed it. I assume here that the SQL server does not allow remote connections; if you do allow remote connections, any user who knows the username and password can do anything on the database directly.</p>
<p><strong>Following is a case of sql injection</strong></p>
<p>Suppose there is a table called ‘City’ and a query to select a user from the city. Let us take a small search page which will find a user in the table called ‘users’. There will be a text box to enter the name of the person we need to search for. Suppose the name of the person is ‘Aneesh’. When the user types ‘Aneesh’ and hits the ‘Search’ button, the SQL query will be executed as follows:</p>
<p><code>SELECT * FROM users WHERE name = 'Aneesh';</code></p>
<p>Now suppose the user enters the following in the search box:</p>
<p><code><strong>Aneesh; drop table users--</strong></code></p>
<p>The SQL query will then be executed as given below:</p>
<p><strong><code>SELECT * FROM users WHERE name = 'Aneesh';drop table users--'</code></strong></p>
<p>We know what happens if the above query is executed: it drops the table ‘users’.</p>
<p><strong>How can we Prevent SQL injection?</strong></p>
<p>When a web application is developed, make sure that you always use proper validation; I hope this will be standard practice. Also, in our case the login text boxes have no size limit, which means anyone can enter long SQL queries through them. <strong>So make sure that you set a SIZE FOR EACH TEXT BOX. The login text box can be up to 10 characters and the password up to 10.</strong> It depends upon the nature of the web application; in general, for a medium-sized company, I don’t think the user id and password need more than 10 characters.</p>
<p>Don’t think that this alone is enough, but it is something you can do in your programs. I have experienced this and have taken these measures to prevent it. Following are a few cases of SQL injection</p>
]]></content:encoded>
			<wfw:commentRss>http://hellosystemadmin.com/blog/sql-server-injection/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
	</channel>
</rss>
