Description:
Web sites initially showed static information to the user on plain HTML pages with some graphics and colorful text. But with the growing pace of IT, web sites not only display dynamic data but are also capable of taking orders from customers and processing them online.
This whole process is possible because the input given by the end user (visitor) is processed by the back-end SQL engine to perform CRUD operations on the database (CRUD – Create, Read, Update, and Delete).
But sometimes that input is crafted so that the resulting CRUD operation no longer produces the desired result and instead gives the attacker an opportunity to run his own SQL commands against the database, either through the front end of your web site or through the query string values. This is known as "SQL Injection".
Further Details:
There are different ways to handle "SQL Injection", but here I am explaining how to handle SQL Injection attacks on all the incoming query strings.
For this you can create a method like CheckSqlInjection() which will screen every query string value before it is passed into a database query.
Here is the method definition:
using System;

protected static bool CheckSqlInjection(string userValue)
{
    // Throw an exception if a blacklisted word is detected.
    // The blacklist is reproduced here only up to "update"; the remaining entries are cut off.
    String[] blackList = { "alter", "begin", "cast", "create", "cursor", "declare", "delete", "drop", "exec", "execute", "fetch", "insert", "kill", "open", "select", "sys", "sysobjects", "syscolumns", "table", "update" };

    // Nothing to screen in an empty value.
    if (String.IsNullOrEmpty(userValue))
        return true;

    // Compare case-insensitively so that "SeLeCt" is caught as well as "select".
    string value = userValue.ToLowerInvariant();
    foreach (string word in blackList)
    {
        if (value.Contains(word))
            throw new ArgumentException("Blacklisted word \"" + word + "\" found in query string value.");
    }

    // The value passed the screen.
    return true;
}
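As an added example (not code from the original article), the same screen written in Python with whole-word, case-insensitive matching, so that a legitimate value such as "Tablet" is not rejected merely because it contains "table" as a substring, followed by the parameterized insert that the screened value should still go through, since the blacklist says nothing about quote characters. The blacklist is the portion visible on the page; the function names and the orders table are assumptions made for this example.

```python
import re
import sqlite3

# The part of the article's blacklist that is visible on the page.
BLACKLIST = ["alter", "begin", "cast", "create", "cursor", "declare", "delete",
             "drop", "exec", "execute", "fetch", "insert", "kill", "open",
             "select", "sys", "sysobjects", "syscolumns", "table", "update"]

# One pattern for the whole list: \b stops "table" from matching inside
# "Tablet", and IGNORECASE catches "SeLeCt". Longest words go first so the
# alternation is unambiguous.
_BLACKLIST_RE = re.compile(
    r"\b(" + "|".join(sorted(BLACKLIST, key=len, reverse=True)) + r")\b",
    re.IGNORECASE,
)


def find_blacklisted(value: str) -> list:
    """Return the blacklisted words found in a query-string value (empty if clean)."""
    return [m.group(0).lower() for m in _BLACKLIST_RE.finditer(value)]


def check_sql_injection(value: str) -> bool:
    """True when the value should be rejected (mirrors the article's CheckSqlInjection)."""
    return bool(find_blacklisted(value))


def insert_order(conn: sqlite3.Connection, customer: str, item: str) -> str:
    """Store an order with a parameterized query and return the customer as stored.

    The driver binds the values separately from the SQL text, so a quote in
    "O'Brien" is stored as data rather than changing the statement."""
    conn.execute("INSERT INTO orders (customer, item) VALUES (?, ?)", (customer, item))
    row = conn.execute("SELECT customer FROM orders ORDER BY rowid DESC LIMIT 1").fetchone()
    return row[0]


def run_demo() -> dict:
    """Exercise the screen and the parameterized insert on constructed sample values."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (customer TEXT, item TEXT)")
    return {
        # Product name containing "table" as a substring: allowed by whole-word matching.
        "tablet_rejected": check_sql_injection("Tablet"),
        # A harmless customer note is still rejected: blacklists produce false positives.
        "note_hits": find_blacklisted("Please delete my old address"),
        # Not on the blacklist, yet the quote would break naive string concatenation.
        "stored": insert_order(conn, "O'Brien", "Tablet"),
    }
```

The false positive on "delete" and the pass-through of the quote in "O'Brien" are the two reasons the screen is a supplement to parameterized queries, not a replacement for them.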