Kaspersky Web Site Hacked With SQL Injection
The hacker, known as Unu, hacked the Kaspersky web site on Feb. 7, 2009 via a simple SQL injection attack.
As far as I know, that site was built using PHP and MySQL.
In ASP.NET, such SQL injection attacks can be avoided if we follow standard guidelines. As a developer, keep the following in mind.
- Never trust what the user has entered; treat all input as untrusted.
- If a page executes SQL commands, don't build them by concatenating user input into the command text. Always use the respective DbParameter class (SqlParameter for SQL Server) to pass the value into the command.
The following example shows the difference. The first query concatenates the user input into the SQL text (vulnerable); the second passes it as a SqlParameter named @userinput (safe).
Vulnerable (concatenation):
"SELECT cusid,cusname FROM customer WHERE cusid= " + userinput
Safe (parameterized):
"SELECT cusid,cusname FROM customer WHERE cusid= @userinput"
- In the production version of your web application, turn off tracing and avoid leaving the <customErrors mode="Off"/> setting in web.config, since that shows detailed error pages to remote users.
- Don't return error messages from which an intruder can infer information about your database.
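As an added example, not code from the original post, the two points above written out as ADO.NET code: the concatenated query beside its parameterized form, and a page-side handler that logs the database exception server-side but returns only a generic message to the user. It assumes the customer table and columns from the query above, a placeholder connection string, and a caller-supplied logging delegate; all of those are assumptions, not details from the post.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original post). Assumes a SQL Server table
// "customer" with an integer column cusid and a string column cusname.
public class CustomerLookup
{
    private readonly string _connectionString;   // placeholder, supplied by caller
    private readonly Action<string> _log;        // server-side log sink (assumption)

    public CustomerLookup(string connectionString, Action<string> log)
    {
        _connectionString = connectionString;
        _log = log;
    }

    // VULNERABLE: the user's text becomes part of the SQL statement itself,
    // so anything that is not a plain number is executed as SQL.
    public string FindCustomerNameUnsafe(string userInput)
    {
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT cusname FROM customer WHERE cusid= " + userInput, conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // SAFE: the input is validated as an integer, then bound as a typed
    // SqlParameter. The value travels to the server as data, never as SQL text.
    public string FindCustomerNameSafe(string userInput)
    {
        int cusId;
        if (!int.TryParse(userInput, out cusId))
            throw new ArgumentException("Customer id must be a whole number.");

        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(
            "SELECT cusname FROM customer WHERE cusid = @userinput", conn))
        {
            cmd.Parameters.Add("@userinput", SqlDbType.Int).Value = cusId;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Page-side handler: full exception details go to the server log only;
    // the browser receives a generic message that reveals nothing about the
    // schema, the driver or the failed statement.
    public string HandleLookup(string userInput)
    {
        try
        {
            return FindCustomerNameSafe(userInput) ?? "No such customer.";
        }
        catch (ArgumentException)
        {
            return "Please enter a valid customer id.";
        }
        catch (SqlException ex)
        {
            _log("Customer lookup failed: " + ex.ToString());
            return "The request could not be processed.";
        }
    }
}
```

FindCustomerNameUnsafe is included only to show the pattern to remove; a code-behind should call HandleLookup, and the log delegate should point at the application's own server-side logging, not at page tracing, which the post says to turn off in production.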