SQL Server

Check String Against SQL Injection in C#

Here, I have to show the example how to restrict SQL injection.

HTML markup: Add this markup in default.aspx source(HTML) part.

<table width="50%" align="center" border="0" cellpadding="0" cellspacing="0">

    <tr>

        <td width="30%">

            <asp:textbox id="txtName" runat="server" />

        </td>

        <td>

            <asp:button id="btnSave" runat="server" text="Save" onclick="btnSave_Click" />

            <asp:label id="lblMesg" runat="server" text="Label"></asp:label>

        </td>

    </tr>

</table>

Code behind Code

Add this code :
 

using System;

using System.Collections.Generic;

using System.Linq;

using System.Web;

using System.Web.UI;

using System.Web.UI.WebControls;

using System.Data.SqlClient;

using System.Data;

 

public partial class frmSQLinjection : System.Web.UI.Page

{

    public static SqlConnection con = new SqlConnection("Data Source=.;Initial Catalog=studentdetail;Integrated security=true");

    protected void Page_Load(object sender, EventArgs e)

    {

    }
  
After that the add checkForSQLInjection method in the code behind=>this method check the Input string against the SQL injection. Here I have to list all SQL injection input in array of string. Adding this method returns true and false.
 

public static Boolean checkForSQLInjection(string userInput)

{

        bool isSQLInjection = false;

        string[] sqlCheckList = { "--",

                                       ";--",

                                       ";",

                                       "/*",

                                       "*/",

                                        "@@",

                                        "@",

                                        "char",

                                       "nchar",

                                       "varchar",

                                       "nvarchar",

                                       "alter",

                                       "begin",

                                       "cast",

                                       "create",

                                       "cursor",

                                       "declare",

                                       "delete",

                                       "drop",

                                       "end",

                                       "exec",

                                       "execute",

                                       "fetch",

                                            "insert",

                                          "kill",

                                             "select",

                                           "sys",

                                            "sysobjects",

                                            "syscolumns",

                                           "table",

                                           "update"

                                       };

        string CheckString = userInput.Replace("'", "''");

        for (int i = 0; i <= sqlCheckList.Length - 1; i++)

        {

            if ((CheckString.IndexOf(sqlCheckList[i],

StringComparison.OrdinalIgnoreCase) >= 0))

                        {    isSQLInjection = true;}}

                  return isSQLInjection;}}

 
Then Double click on the Button and write this code:=>here I have to write the code for inserting the data in a database and also check the input data against the SQL injection.

protected void btnSave_Click(object sender, EventArgs e)

 {

        try

        {

            using (SqlCommand cmd = new SqlCommand("insert into testSqlinjection(Name) values(@name) ", con))

        {

            cmd.CommandType = CommandType.Text;

            if (checkForSQLInjection(txtName.Text.Trim())) { lblMesg.Text = "Sql Injection Attack"; return; }

            checkForSQLInjection(txtName.Text.Trim());

            cmd.Parameters.AddWithValue("@name", txtName.Text.Trim());

            con.Close();

            con.Open();

            cmd.ExecuteNonQuery();

            con.Close();

            lblMesg.Text = "Data Saved succsessfuly";

        }

     }

     catch (Exception ex)

     { lblMesg.Text = ex.Message; }

}
Ebook Download
View all
Learn
View all
Get Started

You need to be a premium member to use this feature. To access it, you'll have to upgrade your membership.

Become a sharper developer and jumpstart your career.

Basic

$0

$

. 00

monthly

For Basic members:

  • Standard Profile
  • Access learning courses
  • Access free e-books
  • 1x point
Premium

$20

$

. 00

monthly

For Premium members:

  • Earn 2x reward points
  • Premium profile with Verified check
  • Premium Avatar with status update
  • Learning courses
  • Unlimited Certifications and badges on profile
  • Unlimited Book downloads
  • Access to Premium content
  • Online Training
  • Unlimited PDF conversions and downloads
  • Professional Resume Writing
  • Interview Preparations Guide
  • 25 messages per month
  • 1 "Kodzu" avatar, basic
Elite

$45

$

. 00

monthly

For Elite members:

  • Bundle E-books
  • Access to all Learn Series
  • Unlimited Apply Jobs