Blind SQL Injection

SQL injection can be avoided using HTML encoding. Below is the list of characters that need to be handled when getting user inputs, especially in multi-line text boxes.

[1] | (pipe sign)
[2] & (ampersand sign)
[3] ; (semicolon sign)
[4] $ (dollar sign)
[5] % (percent sign)
[6] @ (at sign)
[7] ' (single apostrophe)
[8] " (quotation mark)
[9] \' (backslash-escaped apostrophe)
[10] \" (backslash-escaped quotation mark)
[11] <> (angle brackets)
[12] () (parentheses)
[13] + (plus sign)
[14] CR (Carriage return, ASCII 0x0d)
[15] LF (Line feed, ASCII 0x0a)
[16] , (comma sign)
[17] \ (backslash)

There is always a chance of manipulating the SQL script through form inputs, and an end user can also prepare a request dynamically and hit the target URLs directly. If we use HTML encode and decode, this can be avoided.

Example:

While getting the input values from the form and before processing them (HttpUtility lives in the System.Web namespace):
string data = HttpUtility.HtmlEncode(Textbox1.Text);
While rendering the data to the UI:
Textbox1.Text = HttpUtility.HtmlDecode(data);
This is simple and one of the best practices to avoid SQL injection.
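As an added example (not code from the original post), here is the same encode-on-input, decode-on-render flow written in Python with sqlite3 rather than the post's ASP.NET, with the encoded value bound as a query parameter so the database receives it purely as data regardless of which listed characters it contains. The function names and the sample comment text are constructed for this illustration.

```python
import html
import sqlite3

# Characters the post lists as needing to be handled in form input (constructed
# from the list above, for the demo input).
SPECIAL_CHARS = "|&;$%@'\"\\'\\\"<>()+\r\n,\\"


def encode_for_storage(text: str) -> str:
    """HTML-encode user input before processing (HttpUtility.HtmlEncode equivalent).
    html.escape with quote=True encodes & < > " and '; the remaining listed
    characters are not special in HTML and pass through unchanged."""
    return html.escape(text, quote=True)


def decode_for_display(data: str) -> str:
    """Reverse the encoding when rendering back to the UI (HtmlDecode equivalent)."""
    return html.unescape(data)


def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT NOT NULL)")
    return conn


def save_comment(conn: sqlite3.Connection, user_text: str) -> str:
    """Encode as the post describes, then bind the value as a parameter so the
    SQL text is fixed and the input is never interpreted as part of it."""
    data = encode_for_storage(user_text)
    conn.execute("INSERT INTO comments (body) VALUES (?)", (data,))
    conn.commit()
    return data


def render_comments(conn: sqlite3.Connection) -> list:
    """Read stored rows and decode them for display; the round trip is lossless."""
    rows = conn.execute("SELECT body FROM comments ORDER BY id").fetchall()
    return [decode_for_display(body) for (body,) in rows]


if __name__ == "__main__":
    db = setup_db()
    sample = "multi-line comment\r\nwith every listed char: " + SPECIAL_CHARS
    print("stored as:", save_comment(db, sample))
    print("rendered :", render_comments(db))
```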
