Friday, April 4, 2008

J2EE / ASP.NET SQL Injection Protection

J2EE

Let's take a vulnerable code example from Hacme Books.

String query = "select * from products where " + "lower(title) like '%" + keyword.toLowerCase() + "%'";

As seen, keyword is concatenated straight into the query text and passed to the SQL interpreter without validation or encoding, so any quote or SQL syntax it contains becomes part of the statement.

For SQL injection protection, the secure version with a PreparedStatement shown below can be used: the keyword is bound as a parameter and is never parsed as SQL, whatever characters it contains.

PreparedStatement query = con.prepareStatement("select * from products where lower(title) like ?");
// the LIKE wildcards belong in the bound value, not in the SQL text
query.setString(1, "%" + keyword.toLowerCase() + "%");
ResultSet rs = query.executeQuery();

ASP.NET

A vulnerable code example from Hacme Bank looks like this.

string sqlQuery = "select user_id from fsb_users where login_id = '" + loginID + "' and password = '" + password + "'";

Here the loginID and password are concatenated into the statement and passed to MS SQL Server without validation or encoding, so a quote in either value lets the attacker rewrite the WHERE clause.

Using the parameterized replacement with SqlParameter shown below, this attack is mitigated: the values are sent to SQL Server separately from the query text and are never parsed as SQL.

string sqlQuery = "select user_id from fsb_users where login_id = @loginID and password = @password";

// Assuming you have defined a SqlCommand called 'cmd' with sqlQuery as its CommandText
cmd.Parameters.Add(new SqlParameter("@loginID", loginID));
cmd.Parameters.Add(new SqlParameter("@password", password));
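The following is an added, runnable illustration of both fixes above (the Hacme Books search and the Hacme Bank login); it is not code from the original post or from the Hacme applications. It uses Python with an in-memory SQLite database instead of JDBC or ADO.NET so it runs offline; the tables, rows and function names are constructed for the example, with column names taken from the queries on this page. It also shows one detail the page's PreparedStatement glosses over: when the original query used `'%keyword%'`, the wildcards have to move into the bound value, and any `%` or `_` typed by the user should be escaped so it is matched literally.

```python
import sqlite3


def make_db():
    """Constructed stand-ins for the products and fsb_users tables (sample data, not Hacme's)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        create table products (id integer primary key, title text);
        insert into products(title) values ('Secure Coding'), ('Web Hacking'), ('100% Cotton');
        create table fsb_users (user_id integer primary key, login_id text, password text);
        insert into fsb_users(login_id, password) values ('jv', 'jv789'), ('jm', 'jm789');
    """)
    return con


# --- Vulnerable versions: string concatenation, as in the page's two snippets ---

def search_vulnerable(con, keyword):
    # keyword lands inside the SQL text; a quote in it ends the string literal
    query = "select title from products where lower(title) like '%" + keyword.lower() + "%'"
    return [row[0] for row in con.execute(query)]


def login_vulnerable(con, login_id, password):
    query = ("select user_id from fsb_users where login_id = '" + login_id
             + "' and password = '" + password + "'")
    return [row[0] for row in con.execute(query)]


# --- Secure versions: the value is bound as a parameter and never parsed as SQL ---

def escape_like(value):
    # LIKE metacharacters in user input are escaped so they match literally;
    # the backslash is escaped first so the other replacements stay unambiguous.
    return value.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def search_secure(con, keyword):
    # The %...% wildcards go into the bound value, not into the SQL text, and the
    # ESCAPE clause tells SQLite which character marks a literal % or _.
    pattern = "%" + escape_like(keyword.lower()) + "%"
    query = "select title from products where lower(title) like ? escape '\\'"
    return [row[0] for row in con.execute(query, (pattern,))]


def login_secure(con, login_id, password):
    query = "select user_id from fsb_users where login_id = ? and password = ?"
    return [row[0] for row in con.execute(query, (login_id, password))]


if __name__ == "__main__":
    con = make_db()
    # Classic login bypass: the comment marker removes the password check entirely.
    bypass = "' or '1'='1' --"
    print("vulnerable login:", login_vulnerable(con, bypass, "x"))   # every user_id
    print("secure login:   ", login_secure(con, bypass, "x"))        # []
    # UNION through the search box pulls credentials out of another table.
    dump = "x' union select login_id || ':' || password from fsb_users --"
    print("vulnerable search:", search_vulnerable(con, dump))        # jv:jv789, jm:jm789
    print("secure search:   ", search_secure(con, dump))             # []
    # A literal % in the keyword is a wildcard for the vulnerable code, literal for the secure code.
    print("secure search for '%':", search_secure(con, "%"))         # ['100% Cotton']
```

Running the script prints the two attack payloads succeeding against the concatenated queries and returning nothing against the parameterized ones; the last line shows that with `ESCAPE` the user's `%` only matches the one title that really contains a percent sign. The same separation of query text from data is what `PreparedStatement.setString` and `SqlParameter` provide on the Java and .NET sides.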
