Feb 11, 2009

Kaspersky Web Site Hacked With SQL Injection

The hacker, known as Unu, hacked the Kaspersky web site on Feb. 7, 2009 via a simple SQL injection attack.

As far as I know, that site was built using PHP and MySQL.

In ASP.NET, such SQL injection attacks can be avoided if we follow standard guidelines. As a developer, keep the following in mind.

  1. Never trust what the user has entered.
  2. If a page executes a SQL command, don’t build it by concatenating strings. Always use the respective DbParameter class to supply the values.
    The following example uses SqlParameter.
    Incorrect:
    string sql = "SELECT cusid, cusname FROM customer WHERE cusid = " + userinput;
    Correct:
    string sql = "SELECT cusid, cusname FROM customer WHERE cusid = @userinput";
    cmd.Parameters.Add("@userinput", SqlDbType.Int).Value = userinput;

  3. In the production version of your web application, turn off tracing and avoid the <customErrors mode="Off"/> setting in web.config.
  4. Don’t return error messages from which an intruder can guess information about your database.
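The concatenated and parameterized queries from point 2 side by side, plus the input check and generic error handling from points 1 and 4, as an added example that is not from the original post. It uses Python's sqlite3 module with a constructed in-memory customer table to stand in for ADO.NET and SqlParameter; the function names and sample rows are my own.

```python
import sqlite3

# Constructed sample data standing in for the post's "customer" table.
SAMPLE_CUSTOMERS = [(1, "alice"), (2, "bob"), (3, "carol")]


def make_db():
    """Create an in-memory database with the sample customer table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customer (cusid INTEGER, cusname TEXT)")
    conn.executemany("INSERT INTO customer VALUES (?, ?)", SAMPLE_CUSTOMERS)
    return conn


def lookup_concatenated(conn, userinput):
    """Incorrect: user input is spliced into the SQL text (point 2, 'Incorrect')."""
    sql = "SELECT cusid, cusname FROM customer WHERE cusid = " + userinput
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, userinput):
    """Correct: placeholder plus bound value, like @userinput with SqlParameter."""
    sql = "SELECT cusid, cusname FROM customer WHERE cusid = ?"
    # The driver sends the value separately; it is never parsed as SQL.
    return conn.execute(sql, (userinput,)).fetchall()


def safe_lookup(conn, userinput):
    """Parameterized query with input validation and a generic error reply."""
    try:
        cusid = int(userinput)  # point 1: cusid must be an integer, nothing else
    except ValueError:
        return {"ok": False, "error": "invalid customer id"}
    try:
        rows = conn.execute(
            "SELECT cusid, cusname FROM customer WHERE cusid = ?", (cusid,)
        ).fetchall()
    except sqlite3.Error:
        # Point 4: log the driver error server-side; never echo it to the client.
        return {"ok": False, "error": "lookup failed"}
    return {"ok": True, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    tautology = "2 OR 1=1"  # constructed input: a tautology appended to the id
    print("concatenated:", lookup_concatenated(db, tautology))   # every row leaks
    print("parameterized:", lookup_parameterized(db, tautology))  # no match
    print("safe_lookup:", safe_lookup(db, tautology))            # rejected
```

With the concatenated query the tautology turns the WHERE clause into `cusid = 2 OR 1=1` and every customer is returned; the bound parameter is compared as a single value and matches nothing.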
