Feb 11, 2009

Kaspersky Web Site Hacked With SQL Injection

The hacker, known as Unu, hacked Kaspersky web site on Feb. 7, 2009  via a simple SQL injection attack. more ...

As I know that site was built using php & mysql.

In ASP.Net, such SQL injection attack can avoid if we follow standard guidelines. As a developer keep followings in mind.

  1. Always, don’t believe in what user has input.
  2. If executes SQL command from a page, don’t use concatenated SQL commands. Always use respective DbParameter class to build a command string.
    Following example using  SQLParamerter.
    Incorrect
    “SELECT cusid,cusname  FROM customer WHERE cusid= “ + userinput “
    Correct
    “SELECT cusid,cusname  FROM customer WHERE cusid= @userinput “
  3. In the production version of your web application, turn off tracing and avoid <customErrors mode="Off"/> setting in web.config.
  4. Don’t give error messages that intruder can guess information about your database.
at
Labels:

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

MEC: How to Set Message Counter for EDI Message

When you sending/creating EDI messages it is necessary to include unique message interchange number. This is to ensure each message that we ...