
I am new to asp.net development

I develop login form with username and password

I finished off my work, but anyhow my login table has been injected with some sort of script, as shown:

username

"> </title><script src="http://it

password

"> </title><script src="http://it

I have written a simple query as:

SELECT * FROM user WHERE userid = 'admin' AND password = 'ms2012'

I thought somebody had injected it through the username and password textboxes.

But I don't understand how they did it. Can anybody explain how they updated it and what I should do to avoid it?

Sreenath S
Rakesh Sawant
  • Take a look at this post: http://stackoverflow.com/questions/601300/what-is-sql-injection - Basically you need to quote your input so the queries you write into your database are not being directly sourced from the user, so as to allow malicious behavior like what you have experienced. – TMan Oct 08 '12 at 05:25
  • @TMan I wouldn't say *quoting* or *escaping* are recommended approaches. Parameterised queries are really the best method. – Phil Oct 08 '12 at 05:43
  • @Phil Great call, completely forgot about parameterized queries! – TMan Oct 08 '12 at 05:58
  • Yes, I used an SQL parameterised query to avoid the SQL injection and it works!! – Rakesh Sawant Oct 08 '12 at 12:16

1 Answer


There are 3 basic things to consider if you want the application to be secured from SQL injection:

  1. Parameterized Queries
  2. Stored Procedures
  3. Sanitizing all input data
Anuj Sharma
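As an added illustration of point 1 (not code from the question or the answer above), the login query from the question written both as it was, with string concatenation, and as a parameterized ADO.NET query. The connection string, table bracketing and column lengths are assumptions for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginRepository
{
    // Assumed placeholder connection string; replace with the application's own.
    private const string ConnectionString =
        "Server=.;Database=MyAppDb;Integrated Security=true;";

    // VULNERABLE (mirrors the query in the question, shown only for contrast):
    // the textbox values become part of the SQL text itself, so a single quote
    // in either field changes the structure of the statement the server runs.
    public static bool LoginVulnerable(string userId, string password)
    {
        string sql = "SELECT COUNT(*) FROM [user] WHERE userid = '" + userId +
                     "' AND password = '" + password + "'";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }

    // SAFE: the SQL text is a fixed constant; the textbox values travel to SQL
    // Server as typed parameter values that are never parsed as SQL, whatever
    // characters they contain. ([user] is bracketed because USER is a T-SQL keyword.)
    public static bool LoginParameterized(string userId, string password)
    {
        const string sql =
            "SELECT COUNT(*) FROM [user] WHERE userid = @userid AND password = @password";
        using (var conn = new SqlConnection(ConnectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            // Explicit type and length (assumed nvarchar(50)) match the column
            // definitions, so oversized input is rejected instead of silently changing
            // the parameter type.
            cmd.Parameters.Add("@userid", SqlDbType.NVarChar, 50).Value = userId;
            cmd.Parameters.Add("@password", SqlDbType.NVarChar, 50).Value = password;
            conn.Open();
            return (int)cmd.ExecuteScalar() > 0;
        }
    }
}
```

Parameterization removes the injection path; it does not change the fact that, as in the question, the password column is compared in plain text, which is a separate concern.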