.NET Buzz Forum
sqlInjection attack on a LIKE query

Peter van Ooijen

Posts: 284
Nickname: petergekko
Registered: Sep, 2003

Peter van Ooijen is a .NET developer/architect for Gekko Software
sqlInjection attack on a LIKE query Posted: Apr 13, 2005 1:01 PM

This post originated from an RSS feed registered with .NET Buzz by Peter van Ooijen.
Original Post: sqlInjection attack on a LIKE query
Feed Title: Peter's Gekko
Feed URL: /error.htm?aspxerrorpath=/blogs/peter.van.ooijen/rss.aspx
Feed Description: My weblog contains tips, tricks and opinions on ASP.NET, tablet PCs and tech in general.

If SQL had known attributes I should have decorated my Like query with [AirCode]. Several comments questioned whether and how it was vulnerable to a sql-injection attack. Well, the aircode version is. The original is harder to break.

The vulnerable one:

orgSql = "SELECT id, Info FROM Table1";
// The textbox value is concatenated straight into the SQL text, so whatever the user types becomes part of the statement.
sqlDataAdapterBuildSql.SelectCommand.CommandText = orgSql + " WHERE Info LIKE '" + textBoxInput.Text + "%'";

Guess what happens when the user types this in the textbox

e'  drop table table2 --

Yes, table2 is gone. Provided your app has administrator rights on the database. A lot of apps do.

The other one, as seen in "Writing Secure Code":

// The SQL text is fixed; the user's value travels separately as a parameter (SelectCommand is a SqlCommand, so the text goes in CommandText).
sqlDataAdapterUseParameter.SelectCommand.CommandText = "SELECT id, Info FROM Table1 WHERE (Info LIKE @param1)";
// The parameter has to be created before it can be given a value; the trailing wildcard is appended to the value, not to the SQL.
sqlDataAdapterUseParameter.SelectCommand.Parameters.Add("@param1", SqlDbType.NVarChar).Value = string.Format("{0}%", textBoxInput.Text);

When the malicious user now tries to inject sql via the textbox the only result will be that the database is queried for "e'  drop table table2 --". A large resultset is not that likely.

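The two queries above, as an added example that is not from the post or its author: the concatenated and the parameterized LIKE search rewritten in Python against an in-memory SQLite database (a constructed stand-in for the SQL Server tables; table and column names follow the post), so the effect of the post's textbox input on each version can be checked directly. Assumptions: sqlite3's execute() refuses multi-statement batches, so the concatenated version runs through executescript() to mimic a batch-executing driver, and the input carries a ';' that T-SQL would not need.

```python
import sqlite3

# Constructed sample database; table names follow the post (Table1, table2).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE Table1 (id INTEGER PRIMARY KEY, Info TEXT);
        INSERT INTO Table1 (Info) VALUES ('error handling'), ('events'), ('delegates');
        CREATE TABLE table2 (id INTEGER PRIMARY KEY);
    """)
    return conn

def table_exists(conn, name):
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                       (name,)).fetchone()
    return row is not None

def search_concatenated(conn, user_input):
    """The 'aircode' version: the textbox value is pasted into the SQL text.
    ADO.NET hands the whole string to SQL Server as one batch; sqlite3's
    execute() refuses more than one statement, so executescript() stands in
    for a batch-executing driver here. Returns the SQL that was actually run."""
    sql = "SELECT id, Info FROM Table1 WHERE Info LIKE '" + user_input + "%'"
    conn.executescript(sql)
    return sql

def search_parameterized(conn, user_input):
    """The 'Writing Secure Code' version: the SQL text is constant and the
    value (wildcard appended, as in the post's string.Format) is bound
    separately, so a quote or comment marker in it is just text to match."""
    sql = "SELECT id, Info FROM Table1 WHERE Info LIKE ?"
    return conn.execute(sql, (user_input + "%",)).fetchall()

# The post's input, with a ';' added because SQLite (unlike T-SQL) needs a
# statement separator before the injected DROP.
INJECTED = "e'; drop table table2 --"

if __name__ == "__main__":
    db = make_db()
    print(search_concatenated(db, INJECTED))
    print("table2 survives concatenation:", table_exists(db, "table2"))  # False
    db = make_db()
    print(search_parameterized(db, INJECTED))                             # []
    print("table2 survives parameter:", table_exists(db, "table2"))       # True
    print(search_parameterized(db, "e"))  # the two rows whose Info starts with e
```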

