Home » SQL Server

Sql injection problem?

hi all,

i am using query like this

select count(*) from Users where username='"+userNameTextBox.Text.Replace("'","''")+"'

in the above simple query sql injection is possible or not (i.e., even after replacing the single quote with two single quotes), if possible how is it possible can any body explain me?

 and more over what is blind sql injection, can any body give example for that?


Burepalli V S Rao.


8 Answers Found


Answer 1

>>select count(*) from Users where username='"+userNameTextBox.Text.Replace("'","''")+"'

yes above query  is subjected to sql  injection, escaping a single  quote with two single quotes  only escape an apostrophe but does not prevent sql injection. Someone can pass  ;drop table TableName

as username as a  textbox values.

see more examples and way to prevent SQL injection  at


>>more over what is blind  sql injection, can any body  give example  for that?

see example and explanation at



Answer 2

no it is not possible , in the above query  if you pass ';drop table tablename' then the entire thing will be taken as string ,above query will become

select count(*) from Users where username=';drop table tablename'

then the above query will be executed without any problem.

so, if anybody knows please give  me some example  for that.


Burepalli V S Rao.


Answer 3

Burepalli V S Rao,

You have a valid point, I did tested it if you replace  single quote  with a double quote then indeed your code is harmless

if you **do not** then  it is subjected to SQL injection  shown below with an example

 in the example  you posted

if the actual textbox username entry is

' ; DROP DATABASE pubs  --

your query  will become

select count(*) from Users where username=''; DROP DATABASE pubs  --'

The; (semicolon) character tells SQL that this is the end of the current statement, which is then followed by the following malicious SQL code.


Finally, the -- (double dash) sequence of characters is a SQL comment that tells SQL to ignore the rest of the text. In this case, SQL ignores the closing ' (single quotation mark) character, which would otherwise cause a SQL parser error.

But if you escape single  quote with double quote then it will throw SQL parser error which will prevent malicious code to be executed.




Answer 4

that is wrong , the above one query  becomes

select count(*) from Users where username =''';DROP DATABASE pubs --';

so, this one will aslo be executed without having any problem

hai shah you are not getting me, see what i am doing is

i am taking the the value from the textbox what ever value i am getting from the textbox first i am replacing  single quote  with two quotes  (if text  contains the single  quote) on top of this text again i am keeping single quotes so, according to me it will work fine

any help please


Burepalli V S Rao.


Answer 5

I'm not going to argue whether it is possible to inject based on your replacement, I would just like to suggest that you adhere to best practice and use parameterized commands, where it is impossible to inject in the first place. That will also buy your huge advantages when it comes to execution plan handling, caching and re-use.

Answer 6

 i too agree with you. but my intention is even after replacing  sql  injection is possible or not  thats it i want to learn it how is it possible thats it nothing else. but what ever you said that is absolutely correct.

Answer 7

To be pefectly 'safe' of sql  injection use parameterized commands as Tibor pointed

Answer 8


Your method will stop anyone passing usning a ' to end a '' statememnt - as you have shown in the examples above.

The porblem will com eif a new developer makes changes to your code - or a new access pages is developed which dosen't you teh replace  method. This may be in two years time etc.

If you use parameterized stored procedures as your access method other developers can work away in saftey.




<< Previous      Next >>

Microsoft   |   Windows   |   Visual Studio   |   Sharepoint   |   Azure