It’s a technique which is used to attack a software, be it a desktop application or a website as long as it uses a database server behind it. It is done by inputting a malicious input in attempt to get a dangerous query to run.
select * from Products where ProductName = 'Car'
This will get all products where the product name is Car
Imagine the Car value is retrieved from an input text on a form somewhere, what would happen if we input something like this.
select * from Products where ProductName = ''; delete from Products –''
This query will delete –assuming the running user has access- all data from our products table. which is clearly not good.
Issues like this are commonly happens on code that concatenates string to form query
What should we do ?
- Do not concatenates string to form a query
- Use a parameterized query to execute query, ORM tools such as EF uses parameterized query
- Turn on custom error page on production to avoid giving crucial information to malicious users
- Give the running user appropriate permissions, do not give access to modify table or creating new record in table if you only want a read only operation