What is SQL Injection?
SQL injection is a code injection technique which is used to attack data-driven applications in which malicious SQL statements are inserted into an entry field for execution.
This VB.Net tutorial will guide you through the use of parameterized SQL queries and demonstrate how they can be used to prevent SQL injection attacks by your application users.
Also Read: How to Create a Keylogger in VB.Net?
Now the question comes in our mind that what is parameterized SQL queries? We will later on discuss about it in this tutorial.
Lets take a small example. As you know to insert some records in database we use the following query:
Insert into Table_Name Values(‘” & textbox1.text & “‘,'” & textbox2.text & “‘,'” & textbox3.text & “‘)
Now the problem in above code is that users can modify our query at runtime using SQL injection.
SQL Injection Attack Example
Lets take an example of a small SQL injection attack. Just forget the above query and assume that the query is:
Select * from Table_Name Where Username='” & TextBox1.Text & “‘
Now if the user inputs x’ OR ‘x=x’ in TextBox1 then he can make the above query return true value and the result would be displaying all records starting with letter x.
How to Prevent SQL Injection Attacks
In order to avoid above problem we use parameterized SQL queries. Now lets take an example of parameterized query. Its very simple, we just need to add parameters instead of values.
Insert into Table_Name Values(@username,@password)
Note that parameters always starts with @ symbol. Now we need to assign values to these parameters in the following way.
Syntax: SQLCommand.AddParam(“ParameterName”, value)
Using this method we can easily avoid SQL injections attacks. Below video contains a detailed guide about how to prevent SQL injection attacks.