Answer 1

>>select count(*) from Users where username='"+userNameTextBox.Text.Replace("'","''")+"'

yes above query  is subjected to sql  injection, escaping a single  quote with two single quotes  only escape an apostrophe but does not prevent sql injection. Someone can pass  ;drop table TableName

as username as a  textbox values.

see more examples and way to prevent SQL injection  at

http://pratchev.blogspot.com/2009/03/sql-injection.html

>>more over what is blind  sql injection, can any body  give example  for that?

see example and explanation at

http://en.wikipedia.org/wiki/SQL_injection#Blind_SQL_injection

Answer 2

no it is not possible , in the above query  if you pass ';drop table tablename' then the entire thing will be taken as string ,above query will become

select count(*) from Users where username=';drop table tablename'

then the above query will be executed without any problem.

so, if anybody knows please give  me some example  for that.

thanks,

Burepalli V S Rao.

Answer 3

Burepalli V S Rao,

You have a valid point, I did tested it if you replace  single quote  with a double quote then indeed your code is harmless

if you **do not** then  it is subjected to SQL injection  shown below with an example

 in the example  you posted

if the actual textbox username entry is

' ; DROP DATABASE pubs  --

your query  will become

select count(*) from Users where username=''; DROP DATABASE pubs  --'

The; (semicolon) character tells SQL that this is the end of the current statement, which is then followed by the following malicious SQL code.

; DROP DATABASE pubs

Finally, the -- (double dash) sequence of characters is a SQL comment that tells SQL to ignore the rest of the text. In this case, SQL ignores the closing ' (single quotation mark) character, which would otherwise cause a SQL parser error.

But if you escape single  quote with double quote then it will throw SQL parser error which will prevent malicious code to be executed.

Answer 4

that is wrong , the above one query  becomes

select count(*) from Users where username =''';DROP DATABASE pubs --';

hai shah you are not getting me, see what i am doing is

i am taking the the value from the textbox what ever value i am getting from the textbox first i am replacing  single quote  with two quotes  (if text  contains the single  quote) on top of this text again i am keeping single quotes so, according to me it will work fine

any help please

Thanks,

Burepalli V S Rao.

Answer 5

Answer 6

Answer 7

Answer 8

Burepalli,

Your method will stop anyone passing usning a ' to end a '' statememnt - as you have shown in the examples above.

The porblem will com eif a new developer makes changes to your code - or a new access pages is developed which dosen't you teh replace  method. This may be in two years time etc.

If you use parameterized stored procedures as your access method other developers can work away in saftey.

Seth