Symbianize Forum


JhonelPaulo18[GUIDES]: C# ASP.NET LOGIN PAGE ANTI-SQL INJECTION CODE

jhonelpaulo18

Hello guys, JhonelPaulo here. I just want to guide you on the proper way of reading SQL (designed for login pages) so that your login page does not fall to an SQL injection attack. This is for those building web applications with a username & password..

So, game on!

Usually, especially programmers who are just starting out, this is how they query SQL...

NOTE: This is C# Code:

Code:
using System.Configuration;
using System.Data.SqlClient;

// ----------------------------------------------------------------------------------------------------------------------
// THIS IS WHERE WE SET THE VARIABLES OF OUR SQL CONNECTION
// THIS IS WHAT OUR PROGRAMMERS USUALLY DO, AND THIS IS WRONG :(
// AND VERY UNSECURED, IT IS VULNERABLE TO SQL ATTACK!
// ----------------------------------------------------------------------------------------------------------------------

SqlConnection sqlkoneksyon = new SqlConnection(ConfigurationManager.ConnectionStrings["databaseconnectionname"].ToString());

// AS YOU CAN SEE, THIS IS VERY EASY TO HACK BECAUSE the textBox1.Text variable depends on the user input.
// IF YOU ARE ALREADY AN EXPERT AT CODING, CHARACTERS LIKE THE SEMICOLON, QUOTES ETC. ARE VULNERABLE TO SQL INJECTION ATTACK..
// TRY IT YOURSELF. IN YOUR LOGIN PAGE, TYPE IN THE USERNAME AND PASSWORD: 'OR''=' AND LOG IN THERE, I PROMISE IT WORKS
// IF YOUR CODE IS IN THIS FORMAT....

// textBox1 is the TextBox control on the page; its text is spliced straight into the SQL string.
SqlCommand sqltakbo = new SqlCommand("SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'", sqlkoneksyon);
sqlkoneksyon.Open();
SqlDataReader sqlbasa = sqltakbo.ExecuteReader();

// -------------------------------------------------------------------------------------------
// OK, TIME TO EXECUTE OUR SQL QUERY TO READ
// OUR DATA
// -------------------------------------------------------------------------------------------

while (sqlbasa.Read())
{
    // * DO WHATEVER YOU WANT HERE.
    // * FOR THOSE WHO DON'T KNOW THE FORMAT FOR READING THE TABLE:

    string sqldata = sqlbasa["PANGALAN NG COLUMN"].ToString(); // replace with your column name
}

sqlbasa.Close();
sqlkoneksyon.Close();

// -------------------------------------------------------------------------------------------
// -------------------------------------------------------------------------------------------

As you can notice, our query is vulnerable to SQL attack.. why?

LET'S START INVESTIGATING

For example, what our talented hacker typed in the textbox is this:
'OR''=' which is entered in the textbox with the ID textBox1. To get the text we will use textBox1.Text.

AND THE QUERY STRING OVER HERE:
SqlCommand sqltakbo = new SqlCommand("SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'", sqlkoneksyon);

LET'S MAKE IT SIMPLE:
Let's just focus on the query.. so you can see what the result of our SQL query will be:

"SELECT * FROM Tauhan WHERE Pangalan = '" + textBox1.Text + "'"

OK, HERE WE GO, LET'S REPLACE textBox1.Text with our hacker's input..

"SELECT * FROM Tauhan WHERE Pangalan = '" + 'OR''=' + "'"

and the result of the query:

SELECT * FROM Tauhan WHERE Pangalan = ''OR''=''

O.O wow.. looks like we're dead there.. we escaped the ' (single quote) so that a new command could be slipped into the command..

To make this easier to understand, it's just like a cheque (check)..

PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred

The amount is vulnerable ... why? Because the Php 200 can become 200,000 if we add "Thousand Pesos"...

PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Thousand Pesos

See? Go to the bank and encash the check and voila, instant money :)

So how to prevent this vulnerability? Add the "PESOS ONLY", result:

PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only

Equals 100% PRANK/HACK PROOF!..

Adding "Thousand" at the end will no longer work.. common programmer logic :)

PAY TO THE ORDER OF: Jhonel Paulo Andrada
AMOUNT: Two Hundred Pesos Only Thousand Pesos Only

====== WILL NOT DAMN WORK, YOU'LL BE IN TROUBLE WITH THE TELLER IF YOU DO THAT ===

So, the update everyone has been waiting for.. here it is: the best solution there is called:

" SQL PARAMETERIZED QUERY "...

Here's the code from my friend (renz)'s open source software project, Construction Management Software.. Coded in C#, hosted as ASP.NET..

Code:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Services;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Collections.Specialized;
using System.Text;
using System.Data.Sql;
using System.Data.SqlClient;
using System.Configuration;
using System.Data;
using System.Net.Mail;

namespace CMS
{
    public partial class cmslogin : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
        }

        public void Login_Action(object sender, EventArgs e)
        {
            string readuser = null;
            string readpass = null;
            string user = txtuser.Value;
            string pass = txtpass.Value;
            // Hash the submitted password; only the hashes are compared below.
            string hash = Functions.SHA1HashStringForUTF8String(pass);
            if (user == "" || pass == "")
            {
                passerror.Attributes["style"] = "visibility:visible";
                passerror.InnerHtml = "<p style=\"font-size:14px;margin-left:8px;margin-right:8px\">Username and Password Fields cannot be blank.</p>";
            }
            else
            {
                var connect = ConfigurationManager.ConnectionStrings["cms_7930"].ToString();
                // Parameterized query: @Username is a placeholder. The user input is bound as a
                // value and never spliced into the SQL text, so quotes in it cannot change the statement.
                var query = "SELECT * FROM Users WHERE Username = @Username COLLATE SQL_Latin1_General_CP1_CS_AS";
                using (var conn = new SqlConnection(connect))
                using (var cmd = new SqlCommand(query, conn))
                {
                    cmd.Parameters.Add("@Username", SqlDbType.NVarChar);
                    cmd.Parameters["@Username"].Value = Convert.ToString(user);
                    conn.Open();
                    // Process results
                    using (SqlDataReader sqreader = cmd.ExecuteReader())
                    {
                        while (sqreader.Read())
                        {
                            readuser = sqreader["Username"].ToString();
                            readpass = sqreader["PasswordHash"].ToString();
                        }
                    }
                }

                if (readuser == null)
                {
                    passerror.Attributes["style"] = "visibility:visible";
                    passerror.InnerHtml = "<p style=\"font-size:14px;margin-left:8px;margin-right:8px\">Sorry, you entered an invalid username.</p>";
                }
                else
                {
                    if (hash == readpass)
                    {
                        Session["AuthenticatedUser"] = user;
                        hdn.Value = "0";
                        string redirect = Request.QueryString["redirect"];
                        // Only follow a relative (same-site) redirect target; anything else goes to index.aspx.
                        if (string.IsNullOrEmpty(redirect)
                            || !Uri.IsWellFormedUriString(redirect, UriKind.Relative)
                            || redirect.StartsWith("//"))
                        {
                            Response.Redirect("index.aspx");
                        }
                        else
                        {
                            Response.Redirect(redirect);
                        }
                    }
                    else
                    {
                        passerror.Attributes["style"] = "visibility:visible";
                        // HTML-encode the username before writing it back into the page.
                        passerror.InnerHtml = "<p style=\"font-size:14px;margin-left:8px;margin-right:8px\">Password entered for user '" + HttpUtility.HtmlEncode(user) + "' is incorrect.</p>";
                        // hdn is a hidden field on the form holding the failed-attempt count.
                        int attempts;
                        int.TryParse(hdn.Value, out attempts);
                        attempts++;
                        hdn.Value = attempts.ToString();
                        if (attempts >= 10)
                        {
                            var msgrsl = Functions.itexmo("09061067930", "User \"" + user + "\" has attempted to login with more than 10 incorrect passwords. Client's IP Address: " + Request.UserHostAddress + "\r\n\r\nAuto SMS by CMS. do not reply.", "API_CODE_CENSORED");
                            passerror.Attributes["style"] = "visibility:visible";
                            passerror.InnerHtml = "<p style=\"font-size:14px;margin-left:8px;margin-right:8px\">You tried too many attempts. Admin will be warned with IP: " + Request.UserHostAddress + " via SMS & Email. SMS Result Code: " + msgrsl.ToString() + "</p>";
                        }
                    }
                }
            }
        }

        public void ShowAlert(string s)
        {
            ScriptManager.RegisterClientScriptBlock(this, this.GetType(), "alertMessage", "alert('" + s + "')", true);
        }
    }
}

It's so hard to explain guys, later again :).. you figure out for now what the difference between the two is, OK? I'll sleep first, tomorrow again :)
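To see the difference between the two snippets above actually run, here is an added example (not part of the post or the CMS project). It uses an in-memory SQLite table standing in for the post's Tauhan table, with constructed sample rows, and runs the post's input 'OR''=' through both the concatenated and the parameterized form of the same SELECT; it also shows what each form does with a legitimate username that happens to contain an apostrophe.

```python
import sqlite3

# Constructed sample data standing in for the post's "Tauhan" table.
SAMPLE_ROWS = [
    ("admin", "hash-of-admin"),
    ("renz", "hash-of-renz"),
    ("o'brien", "hash-of-obrien"),   # a legitimate name containing a quote
]

# The input the post shows being typed into textBox1.
PAYLOAD = "'OR''='"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Tauhan (Pangalan TEXT, PasswordHash TEXT)")
    conn.executemany("INSERT INTO Tauhan VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_concatenated(conn, username):
    """Mirrors the post's first snippet: the input is spliced into the SQL text."""
    sql = "SELECT * FROM Tauhan WHERE Pangalan = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Mirrors the post's second snippet: the input is bound as a value, never parsed as SQL."""
    sql = "SELECT * FROM Tauhan WHERE Pangalan = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Return (rows from concatenated form, rows from parameterized form) for one input."""
    conn = make_db()
    try:
        try:
            concat = len(lookup_concatenated(conn, username))
        except sqlite3.Error:
            concat = "SQL error"   # the quote in the input broke the statement itself
        param = len(lookup_parameterized(conn, username))
        return (concat, param)
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal user :", compare("renz"))      # (1, 1)
    print("payload     :", compare(PAYLOAD))     # (3, 0): every row vs. none
    print("apostrophe  :", compare("o'brien"))   # ('SQL error', 1)
```

The concatenated form turns the payload into `Pangalan = ''OR''=''`, which is true for every row, exactly the statement the post writes out; the bound parameter is compared as the literal string 'OR''=' and matches nothing.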
 
Where's the log-in page? :noidea:

What I see here just looks like ADO.NET..

Your guide seems incomplete, TS. Post the Parameterized Query (Anti-SQL Injection)
 
Where's the log-in page? :noidea:

What I see here just looks like ADO.NET..

Your guide seems incomplete, TS. Post the Parameterized Query (Anti-SQL Injection)

There you go sir, I'll explain the code tomorrow, OK.. I'm sleepy already :) whaha.
 