Kaspersky Web Site Hacked With SQL Injection

On Feb. 7, 2009, a hacker known as Unu broke into the Kaspersky web site via a simple SQL injection attack.

As far as I know, that site was built with PHP and MySQL.

In ASP.Net, such an SQL injection attack can be avoided by following standard guidelines. As a developer, keep the following in mind.

  1. Never trust user input. Validate every value on the server (type, length, range, format) before it gets anywhere near a query; client-side validation is trivially bypassed.
  2. When a page executes a SQL command, don't build the command by concatenating strings. Always use the provider's DbParameter class (SqlParameter for System.Data.SqlClient, MySqlParameter for MySQL, and so on) so the value travels separately from the command text and can never change the structure of the query.
    The following example uses SqlParameter.
    Incorrect (the user's input becomes part of the SQL text, so input such as 1 OR 1=1 rewrites the query):
    "SELECT cusid, cusname FROM customer WHERE cusid = " + userinput
    Correct (the user's input is bound to the @userinput parameter and is only ever treated as a value):
    "SELECT cusid, cusname FROM customer WHERE cusid = @userinput"

  3. In the production version of your web application, turn tracing off and never ship <customErrors mode="Off"/> in web.config. With that setting ASP.Net sends the full exception message and stack trace to every remote client, so a failed injection attempt hands the attacker the database's own error text (unclosed quotation marks, column names, the statement that failed). Use mode="On" or mode="RemoteOnly" with a generic error page instead.
  4. Don't return error messages from which an intruder can infer details about your database (table and column names, the SQL statement, the server product and version). Log the detail on the server and show the user a generic message.
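The guideline in item 2 carried through as a complete data-access class, as an added example written for this post rather than code from the original article. It assumes a SQL Server table customer(cusid INT, cusname NVARCHAR(50)), a connection string passed in by the caller, and that the page hands in the raw value from Request.QueryString or a form field; the method and parameter names are my own.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Constructed example: assumes a SQL Server table
// customer(cusid INT, cusname NVARCHAR(50)). Not code from the original post.
public static class CustomerLookup
{
    // INCORRECT: the request value is pasted into the SQL text.
    // With userInput = "1 OR 1=1" every customer row comes back;
    // with userInput = "1; DROP TABLE customer--" a second statement runs.
    public static DataTable FindByIdUnsafe(string connectionString, string userInput)
    {
        string sql = "SELECT cusid, cusname FROM customer WHERE cusid = " + userInput;
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlDataAdapter adapter = new SqlDataAdapter(sql, conn))
        {
            DataTable result = new DataTable();
            adapter.Fill(result);
            return result;
        }
    }

    // CORRECT: check the shape of the input, then bind it as a typed parameter.
    // The SQL text is a constant; the value is sent to the server separately and
    // can only ever be compared as an integer, never parsed as SQL.
    public static DataTable FindByIdSafe(string connectionString, string userInput)
    {
        int cusId;
        if (!int.TryParse(userInput, out cusId))
            throw new ArgumentException("cusid must be an integer.", "userInput");

        const string sql = "SELECT cusid, cusname FROM customer WHERE cusid = @cusid";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@cusid", SqlDbType.Int).Value = cusId;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable result = new DataTable();
                adapter.Fill(result);
                return result;
            }
        }
    }

    // The same rule for string input. A search term such as  ' OR '1'='1  is bound
    // as the literal text of the parameter, so its quotes carry no SQL meaning.
    public static DataTable FindByNameSafe(string connectionString, string nameFragment)
    {
        if (string.IsNullOrEmpty(nameFragment) || nameFragment.Length > 50)
            throw new ArgumentException("name must be 1-50 characters.", "nameFragment");

        // Parameters stop injection but not wildcard abuse: escape % _ [ so the
        // user's characters match literally inside the LIKE pattern.
        string pattern = nameFragment
            .Replace("[", "[[]")
            .Replace("%", "[%]")
            .Replace("_", "[_]") + "%";

        const string sql = "SELECT cusid, cusname FROM customer WHERE cusname LIKE @pattern";
        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            // Size is generous because escaping can triple the length of the input.
            cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = pattern;
            using (SqlDataAdapter adapter = new SqlDataAdapter(cmd))
            {
                DataTable result = new DataTable();
                adapter.Fill(result);
                return result;
            }
        }
    }
}
```

Two caveats worth keeping in mind: parameters only protect values. Table names, column names and ORDER BY clauses cannot be parameterized, so if those come from the user they must be checked against a fixed whitelist. And a stored procedure that builds its own statement with EXEC from its arguments is just as injectable as concatenation in C#; calling it through SqlParameter does not help.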
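Items 3 and 4 as a production web.config fragment, added here as an illustration and not taken from the original post. The redirect targets ~/Error.aspx and ~/NotFound.aspx are assumed page names; the elements and attributes are the standard ASP.Net ones.

```xml
<configuration>
  <system.web>
    <!-- RemoteOnly: detailed errors only for requests from the server itself;
         every remote client gets the generic page. mode="On" hides them from
         everyone. Never mode="Off" in production. -->
    <customErrors mode="RemoteOnly" defaultRedirect="~/Error.aspx">
      <error statusCode="404" redirect="~/NotFound.aspx" />
    </customErrors>

    <!-- Tracing exposes request data, session state and server variables
         through trace.axd; keep it disabled outside development. -->
    <trace enabled="false" localOnly="true" />

    <!-- Debug builds embed line-numbered stack traces in error output. -->
    <compilation debug="false" />
  </system.web>
</configuration>
```

With this in place a malformed cusid value still raises a SqlException on the server, but the client sees only the generic page; the exception text belongs in your server-side log, where it is also the first sign that someone is probing the site.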
