Category: Database

SQL Injection-proof your integrated SQL search in ASP.NET 2.0

I had forgotten to add SQL Injection prevention logic when I integrated and implemented a SQL search function for my employer’s internal ASP.NET app.  So in this post, I’m adding it for archival and sharing purposes.

SQL injection is an attack in which malicious code is inserted into strings that are later passed to an instance of SQL Server for parsing and execution.

BTW, here’s an excellent article about SQL Injection on the MSDN site. 

1. The first thing you’ll need to do is grab the user’s input from the search textbox; for example:

<font size="2"><span style="color: rgb(0,128,0)">// Get user search input
</span><span style="color: rgb(0,0,255)">string</span> requestString = txtSearch.Text.Trim(<span style="color: rgb(0,0,255)">null</span>);</font>

2. Next, you’ll need to add logic to see if the user input contains any of the following:

image

I added something like this:

<p><font size="2"><span style="color: rgb(0,0,255)">if</span> ((requestString.Contains(<span style="color: rgb(163,21,21)">";"</span>)) || (requestString.Contains(<span style="color: rgb(163,21,21)">"'"</span>)) ||
    (requestString.Contains(<span style="color: rgb(163,21,21)">"--"</span>)) || (requestString.Contains(<span style="color: rgb(163,21,21)">"/*"</span>)) ||
    (requestString.Contains(<span style="color: rgb(163,21,21)">"*/"</span>)) || (requestString.Contains(<span style="color: rgb(163,21,21)">"xp_"</span>)))
</span>{
    </font><font size="2"><span style="color: rgb(0,128,0)">// Stop processing and notify user
</span>}
</font><font size="2"><span style="color: rgb(0,0,255)">else
</span>{
    </font><font size="2"><span style="color: rgb(0,128,0)">// Continue processing and show results
</span>}</font></p>

3. Build/compile your app then test it out.  If all goes well, you should not get any errors and your web app’s search function should now be SQL Injection-proof.

Various SQL JOIN reference

One of the trickiest things about learning SQL is mastering how various JOIN statements differ in the ways they combine data from multiple data tables. There are three types of joins: inner, outer, and cross. In addition, there are three types of outer joins: left, right, and full. It can be frustrating trying to keep them differentiated, so here’s a quick guide. All of the following examples involve joining the authors and publishers tables in the Pubs sample database included with SQL Server.

Inner Joins

In an inner join, records from two tables are combined and added to a query’s results only if the values of the joined fields meet certain specified criteria. If you use an inner join to combine the authors and publishers tables based on their city and state columns, the result would be a list of all authors who live in the same city as a publisher:

image 

USE pubs
SELECT a.au_fname, a.au_lname, p.pub_name 
FROM authors AS a INNER JOIN publishers AS p
ON a.city = p.city
AND a.state = p.state
ORDER BY a.au_lname ASC, a.au_fname ASC

Outer Joins

An outer join returns all rows from the joined tables whether or not there’s a matching row between them. The ON clause supplements the data rather than filtering it. The three types of outer joins, left, right, and full, indicate the main data’s source.

Left Outer Joins

When you use a left outer join to combine two tables, all the rows from the left-hand table are included in the results. So, for the authors and publishers tables, the result will include a list of all authors along with a publisher’s name column. If a publisher exists in the author’s city, it’s listed. Otherwise, the field in the publisher’s column is set to NULL:

image 

USE pubs
SELECT a.au_fname, a.au_lname, p.pub_name
FROM authors a LEFT OUTER JOIN publishers p
ON a.city = p.city
ORDER BY p.pub_name ASC, a.au_lname ASC, a.au_fname ASC

Right Outer Joins

A right outer join is conceptually the same as a left outer join except that all the rows from the right-hand table are included in the results. They can be included more than once, if more than one author exists in the publisher’s city. If no author lives in the publisher’s city, the author name fields are set to NULL:

image 

USE pubs
SELECT a.au_fname, a.au_lname, p.pub_name
FROM authors AS a RIGHT OUTER JOIN publishers AS p
ON a.city = p.city
ORDER BY p.pub_name ASC, a.au_lname ASC, a.au_fname ASC

Full Outer Join

As you might have gathered, a full outer join retrieves all the rows from both joined tables. It returns all of the paired rows where the join condition is true, plus the unpaired rows from each table concatenated with NULL rows from the other table. You usually won’t want to use one of these.

Cross Join

A cross join returns not the sum but the product of two tables. Each row in the left-hand table is matched up with each row in the right-hand table. It’s the set of all possible row combinations, without any filtering, as shown here: 

USE pubs
SELECT au_fname, au_lname, pub_name
FROM authors CROSS JOIN publishers 
ORDER BY au_lname DESC

The resultset contains 184 rows (authors has 23 rows, and publishers has 8; therefore, 23 × 8 = 184). The first 11 rows look like this:

image

However, if you add a WHERE clause (like WHERE authors.city = publishers.city), a cross join functions as an inner join—it uses the condition to filter all possible row combinations down to the ones you want:

image 

USE pubs
SELECT au_fname, au_lname, pub_name
FROM authors CROSS JOIN publishers 
WHERE authors.city = publishers.city
ORDER BY au_lname DESC

Compiled from TechNet.

How to find the service pack version installed on SQL Server

Run and execute the following query; it doesn’t matter what database and/or table you’re in:

select @@VERSION

If executed successfully, you should get something like below, which shows that SP2 is installed.

Microsoft SQL Server 2005 – 9.00.3042.00 (Intel X86)   Feb  9 2007 22:47:07   Copyright (c) 1988-2005 Microsoft Corporation  Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)

Auto backup solution for your MySQL databases

I use MySQL as my database server, and thankfully, it’s been reliable and easy to use.  A qualm I have, however, is that it doesn’t include a daily backup feature, unlike Microsoft SQL Server.

The good thing is that the open source community has seen this problem and created a solution for it: AutoMySQLBackup.  (You can download it from here.)

According to the website on SourceForge.net:

A script to take daily, weekly and monthly backups of your MySQL databases using mysqldump. Features – Backup mutiple databases – Single backup file or to a seperate file for each DB – Compress backup files – Backup remote servers – E-mail logs – More..

Here are the quick-and-dirty set up steps (courtesy of debianhelp.co.uk):

1.  Download automysqlbackup.sh and place it into your /etc/cron.daily directory like so: cp /path-to-automysqlbackup/automysqlbackup.sh /etc/cron.daily/.

2.  Edit (at least) the following lines via vim automysqlbackup.sh:
USERNAME=dbuser
PASSWORD=password
DBNAMES=”DB1 DB2 DB3″

3.  Make the file executable by typing: chmod u+rwx automysqlbackup.sh.

4.  Create the following directory by typing: mkdir ./backups.

5.  That’s it!  You can either run the script via the command line: ./automysqlbackup.sh, or let it run its course since we’ve now put it in /etc/cron.daily; make sure the cron service is running, though.  ;0)

Peace. \m/