Menu
I am a new ASP.NET developer and I am developing a web-based application in which there is a menu bar that has many options. Some of these options will be displayed only to the Admin. There is a logic behind the system to check whether the user is an admin or not. If yes, the options will be displayed. I wrote the method but I have a sql injectiom and I want to remove it.
For your information, I have the following database design:
NetID, Name, Title
ID, NetID
Here's the C# method:
private bool isAdmin(string username)
{
string connString = "Data Source=appSever\\sqlexpress;Initial Catalog=TestDB;Integrated Security=True";
string cmdText = "SELECT ID, NetID FROM dbo.Admins WHERE NetID = '" + NetID + "')";
using (SqlConnection conn = new SqlConnection(connString))
{
conn.Open();
// Open DB connection.
using (SqlCommand cmd = new SqlCommand(cmdText, conn))
{
SqlDataReader reader = cmd.ExecuteReader();
if (reader != null)
if (reader.Read())
if (reader["ID"].Equals(1))
return true;
return false;
}
}
}
I tried to change it by doing the changing the third line to:
string cmdText = "SELECT ID, NetID FROM dbo.Admins WHERE NetID = @NetID)";
But I got the following error and I don't know why:
Must declare the scalar variable "@NetID".
Could you please help me in solving this?
**UPDATE:
After updating the code to the following:
private bool isAdmin(string username)
{
string NetID = username;
string connString = "Data Source=appServer\\sqlexpress;Initial Catalog=TestDB;Integrated Security=True";
string cmdText = "SELECT ID, NetID FROM dbo.Admins WHERE NetID = @NetID";
using (SqlConnection conn = new SqlConnection(connString))
{
conn.Open();
// Open DB connection.
using (SqlCommand cmd = new SqlCommand(cmdText, conn))
{
cmd.Parameters.AddWithValue("@NetID", NetID);
SqlDataReader reader = cmd.ExecuteReader();
if (reader != null)
if (reader.Read())
if (reader["NetID"] == username)
return true;
return false;
}
}
}
I got the following error:
Incorrect syntax near ')'.
How to fix this problem?
720
How to Prevent an SQL Injection. The only sure way to prevent SQL Injection attacks is input validation and parametrized queries including prepared statements. The application code should never use the input directly. The developer must sanitize all input, not only web form inputs such as login forms.
You should always use parameterized statements where available, they are your number one protection against SQL injection. You can see more examples of parameterized statements in various languages in the code samples below.
SQL Injection occurs when a web application allows for malicious Structured Query Language (SQL) commands. Not only is it possible for these attacks to destroy data, but it also allows for a malicious attacker to exfiltrate data through those SQL commands.
You need to pass a value for your @NetID parameter:
cmd.Parameters.AddWithValue("@NetID", NetID);
Try this
private bool isAdmin(string username)
{
string connString = "Data Source=appSever\\sqlexpress;Initial Catalog=TestDB;Integrated Security=True";
string cmdText = "SELECT ID, NetID FROM dbo.Admins WHERE NetID = @NetID)";
using (SqlConnection conn = new SqlConnection(connString))
{
conn.Open();
// Open DB connection.
using (SqlCommand cmd = new SqlCommand(cmdText, conn))
{
cmd.Parameters.AddWithValue("@NetID", NetID);
SqlDataReader reader = cmd.ExecuteReader();
if (reader != null)
if (reader.Read())
if (reader["ID"].Equals(1))
return true;
return false;
}
}
}
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
