SQL Injection on Views
We are using a 3-tier architecture in ASP.NET. There are 3 layers:
- presentation
- business
- data access
The data access layer contains GetData, ExecuteQuery etc. functions. I want to know: if I want to call a view directly from the presentation layer, is there a chance of SQL injection when calling a view from the front-end without using a stored procedure?
Presentation layer (C#)

protected void btnView_Click(object sender, EventArgs e)
{
    DL obj = new DL();
    DataTable tb = new DataTable();
    // The text box value is concatenated straight into the SQL text
    string query = "SELECT * FROM ViewTeacher WHERE fid = " + txtName.Text;
    tb = obj.GetData(query);
}
DbAccess

// Connection field, initialised elsewhere in the class
private SqlConnection con;

public DataTable GetData(string query)
{
    DataTable dataTable = new DataTable();
    SqlCommand cmd = new SqlCommand();
    cmd.Connection = con;
    cmd.CommandText = query;   // whatever text the caller built is executed as-is
    try
    {
        if (cmd.Connection.State != ConnectionState.Open)
        {
            cmd.Connection.Open();
        }
        using (SqlDataAdapter da = new SqlDataAdapter(cmd))
        {
            da.Fill(dataTable);
        }
    }
    catch (Exception ex)
    {
        throw new ArgumentException(ex.Message);
    }
    return dataTable;
}
What do you mean by "calling a view"? If you're running an ad-hoc query of:

select <columns> from view where columnx = 'y'

and if the query is being constructed using (potentially) hostile input, then yes, of course it can be subject to SQL injection - the whole point of injection is that the attacker can change the nature of the query:

select <columns> from view where columnx = 'z' union select name,0,0,0,0 from information_schema.tables --'

The attacker isn't limited to the objects present in the original query.
The untrustworthy input in the 2 above queries was:

y

and

z' union select name,0,0,0,0 from information_schema.tables --
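The fix is not a stored procedure but separating the SQL text from the values. The following is an added example, not code from the question or the answer: it rewrites the question's GetData so the caller passes SqlParameter objects, and the page handler converts the text box to an int before it goes anywhere near the database. The names ViewTeacher, fid, txtName and btnView are taken from the question; DbAccess, GetTeacherById, lblError, gvTeachers, TeacherPage and the connection string are assumptions made for the sample.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Hypothetical hardened data-access class (not the poster's DL class).
public class DbAccess
{
    private readonly string _connectionString;

    public DbAccess(string connectionString)
    {
        _connectionString = connectionString;
    }

    // The SQL text is fixed by the caller; values travel separately as parameters,
    // so nothing a user typed can be parsed as SQL by the server.
    public DataTable GetData(string commandText, params SqlParameter[] parameters)
    {
        var dataTable = new DataTable();
        using (var con = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(commandText, con))
        {
            cmd.CommandType = CommandType.Text;
            if (parameters != null)
            {
                cmd.Parameters.AddRange(parameters);
            }
            con.Open();
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(dataTable);
            }
        }
        return dataTable;
    }

    // Wrapper for the question's view: the id is typed as an int before it reaches
    // the database, so input such as "1 union select ..." cannot be submitted at all.
    public DataTable GetTeacherById(int fid)
    {
        return GetData(
            "SELECT * FROM ViewTeacher WHERE fid = @fid",
            new SqlParameter("@fid", SqlDbType.Int) { Value = fid });
    }
}

// Presentation layer: validate the input's shape here, pass it as a value there.
public class TeacherPage : System.Web.UI.Page
{
    // In a real page these come from the .designer.cs file; declared here so the sample compiles.
    protected System.Web.UI.WebControls.TextBox txtName;
    protected System.Web.UI.WebControls.Label lblError;
    protected System.Web.UI.WebControls.GridView gvTeachers;

    // Placeholder connection string (assumption, not from the question).
    private const string ConnectionString = "Server=.;Database=School;Integrated Security=true;";

    protected void btnView_Click(object sender, EventArgs e)
    {
        int fid;
        if (!int.TryParse(txtName.Text, out fid))
        {
            // Reject anything that is not a plain integer instead of forwarding it.
            lblError.Text = "Please enter a numeric teacher id.";
            return;
        }

        var db = new DbAccess(ConnectionString);
        DataTable tb = db.GetTeacherById(fid);
        gvTeachers.DataSource = tb;
        gvTeachers.DataBind();
    }
}
```

With this shape the original injection payload fails twice: int.TryParse rejects it in the page, and even if the id were a string column (then use SqlDbType.NVarChar with an explicit size), the parameter would be sent as a literal value, so the union select would merely be compared against the column rather than executed. Whether the query targets a table, a view or a stored procedure makes no difference; what matters is that the SQL text never contains user-supplied characters.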