SQL Injection on Views


We are using a 3-tier architecture in ASP.NET.

There are 3 layers:

  1. presentation
  2. business
  3. data access

The data access layer contains GetData, ExecuteQuery, etc. functions. I want to know: if I want to call a view directly from the presentation layer, is there a chance of SQL injection in calling the view from the front-end without using a stored procedure?

Presentation layer (C#)

    protected void btnView_Click(object sender, EventArgs e)
    {
        DL obj = new DL();
        DataTable tb = new DataTable();
        // The text box value is concatenated straight into the SQL string
        string query = "select * from viewteacher where fid = " + txtName.Text;
        tb = obj.GetData(query);
    }

DbAccess

    public DataTable GetData(string query)
    {
        DataTable dataTable = new DataTable();
        SqlCommand cmd = new SqlCommand();
        cmd.Connection = con;
        cmd.CommandText = query;   // the query text is executed exactly as received
        try
        {
            if (cmd.Connection.State != ConnectionState.Open)
            {
                cmd.Connection.Open();
            }
            using (SqlDataAdapter da = new SqlDataAdapter(cmd))
            {
                da.Fill(dataTable);
            }
        }
        catch (Exception ex)
        {
            throw new ArgumentException(ex.Message);
        }
        return dataTable;
    }

How are you "calling the view"? If you're running an ad-hoc query of:

select <columns> from view where columnx = 'y'

and if that query is being constructed using (potentially) hostile input, then yes, of course it can be subject to SQL injection. The whole point of injection is that the attacker can change the nature of the query:

select <columns> from view where columnx = 'z' union select name,0,0,0,0 from information_schema.tables --'

The attacker isn't limited to the objects present in the original query.

The untrustworthy input in the 2 above queries was:

y 

and

z' union select name,0,0,0,0 from information_schema.tables --
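One way to call the view directly from the presentation layer while keeping the untrusted input out of the SQL text, as an added example that is not part of the original question or answer. It assumes the fid column is an integer and adds a hypothetical parameterised GetData overload to the data access class:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public class DL
{
    private readonly string connectionString;

    public DL(string connectionString)
    {
        this.connectionString = connectionString;
    }

    // Hypothetical overload: the SQL text is fixed and the value travels
    // separately as a typed parameter, so the database never parses user
    // input as part of the statement.
    public DataTable GetData(string query, params SqlParameter[] parameters)
    {
        var table = new DataTable();
        using (var con = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand(query, con))
        {
            cmd.CommandType = CommandType.Text;
            cmd.Parameters.AddRange(parameters);
            using (var da = new SqlDataAdapter(cmd))
            {
                da.Fill(table);   // Fill opens and closes the connection itself
            }
        }
        return table;
    }
}

public static class TeacherLookup
{
    // A view is queried exactly like a table; what makes this safe is that
    // the fid value is bound as @fid rather than concatenated into the string.
    public static DataTable ByFid(DL dl, string rawInput)
    {
        // Validate the type in the presentation layer too: a non-numeric
        // entry is rejected here and never reaches the database.
        if (!int.TryParse(rawInput, out int fid))
        {
            throw new ArgumentException("fid must be an integer.");
        }

        const string query = "SELECT * FROM viewteacher WHERE fid = @fid";
        return dl.GetData(query, new SqlParameter("@fid", SqlDbType.Int) { Value = fid });
    }
}
```

With the input shown in the answer (z' union select ...), int.TryParse rejects it before any SQL is built; had fid been a text column, binding it as an NVarChar parameter would make the database treat the whole string as a literal value rather than as query syntax.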
