Monday 27 June 2016

SQL injection for the following regular expression



I am looking for backdoors in various software and wondering if the following code is vulnerable to a SQL injection.



There's an email field with the following validation expression. (ASPX/CS)



ValidationExpression="\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*">



Is it possible to exploit the above to drop a table for example or do anything malicious using a SQL injection?



Thanks
Regards



EDIT 1: People have asked me how this was implemented —



// using directives the code-behind file needs for this snippet:
using System;
using System.Data.SqlClient;
using System.Text;
using System.Web;

// snpConnectionString, sb1 and sb are defined elsewhere in the page and are not shown in the post.
SqlConnection conn = new SqlConnection(snpConnectionString);
SqlCommand command = conn.CreateCommand();
conn.Open();
// The statement text is built by string concatenation: every text box value, including
// TextBoxEA.Text (the e-mail field), is placed straight into the SQL string between quotes.
command.CommandText = "INSERT INTO TABLE_ VALUES ('" + TextBoxFN.Text + "','" + TextBoxLN.Text + "','" + sb1.ToString() + "','" + TextBoxEA.Text + "','" + sb.ToString() + "',0,'" + DateTime.Now + "')";
try
{
    SqlDataReader reader = command.ExecuteReader();
}
catch
{
    // Any SqlException, including a syntax error caused by a quote in the input, lands here.
    Response.Redirect("Error.aspx", true);
}
finally
{
    // Release the connection whether or not the insert succeeded.
    conn.Close();
}



TextBoxEA.Text corresponds to the email address.


Answer



Regular expression validation is great for the UI or business layer to check user input to prevent errors.



It is less great for preventing SQL injection.



If the code does not use parameterized queries, it is vulnerable either now, or later after someone makes a minor error updating the regular expression to conform to a new business requirement.
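The following script is an added illustration of the answer's point; it is not code from the question or the answer. It reuses the question's validation expression unchanged (re.fullmatch reproduces the whole-input matching an ASP.NET RegularExpressionValidator performs), mirrors the question's INSERT with placeholder values for the columns the post does not show, and assumes two things for the sake of the demonstration: a hypothetical "minor error" in which someone later relaxes the pattern to the common "anything@anything.anything" form, and SQLite in place of SQL Server, with executescript() standing in for the fact that SqlCommand executes a multi-statement batch when one is concatenated into CommandText. The table name, column layout and sample addresses are constructed for the example.

```python
import re
import sqlite3

# Validation expression copied verbatim from the question.
PAGE_REGEX = r"\w+([-+.']\w+)*@\w+([-.]\w+)*\.\w+([-.]\w+)*"

# Hypothetical later edit ("accept any address that has an @ and a dot").
# Assumed for the example; it is not on the original page.
LOOSENED_REGEX = r".+@.+\..+"

# Constructed inputs: a legitimate address containing an apostrophe, which the
# page's pattern allows, and a payload that closes the VALUES list early,
# appends a DROP TABLE, and comments out the rest of the statement.
LEGIT_QUOTED = "o'neil@example.com"
DROP_PAYLOAD = "x@y.z', 'c5', 0, '2016-06-27'); DROP TABLE TABLE_; --"


def validate(email, pattern):
    """Whole-input match, as the RegularExpressionValidator does."""
    return re.fullmatch(pattern, email) is not None


def fresh_db():
    """In-memory stand-in for the page's database; seven columns like the question's INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE TABLE_ (fn TEXT, ln TEXT, c3 TEXT, email TEXT, "
        "c5 TEXT, flag INTEGER, created TEXT)"
    )
    return conn


def insert_concat(conn, email):
    """Mirror of the question's string concatenation.

    executescript() runs every statement in the string, which is what
    SqlCommand does with a concatenated batch on SQL Server.
    """
    sql = ("INSERT INTO TABLE_ VALUES ('Ann','Lee','c3','" + email
           + "','c5',0,'2016-06-27');")
    conn.executescript(sql)


def insert_param(conn, email):
    """Parameterized form: the address is bound as data, never parsed as SQL."""
    conn.execute(
        "INSERT INTO TABLE_ VALUES (?,?,?,?,?,?,?)",
        ("Ann", "Lee", "c3", email, "c5", 0, "2016-06-27"),
    )


def table_exists(conn):
    row = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='TABLE_'"
    ).fetchone()
    return row[0] == 1


def run(email, pattern, insert):
    """Validate, then insert; report what happened to the database.

    Returns 'rejected' (failed validation), 'error' (SQL error, the page
    would redirect to Error.aspx), 'dropped' (table gone) or
    'stored:<value>' (row inserted with that e-mail value).
    """
    if not validate(email, pattern):
        return "rejected"
    conn = fresh_db()
    try:
        insert(conn, email)
    except sqlite3.Error:
        return "error"
    if not table_exists(conn):
        return "dropped"
    return "stored:" + conn.execute("SELECT email FROM TABLE_").fetchone()[0]


if __name__ == "__main__":
    for label, email, pattern in [
        ("plain address, page regex", "alice@example.com", PAGE_REGEX),
        ("quoted address, page regex", LEGIT_QUOTED, PAGE_REGEX),
        ("drop payload, page regex", DROP_PAYLOAD, PAGE_REGEX),
        ("drop payload, loosened regex", DROP_PAYLOAD, LOOSENED_REGEX),
    ]:
        print(f"{label}: concat={run(email, pattern, insert_concat)} "
              f"param={run(email, pattern, insert_param)}")
```

With the page's own pattern the DROP payload never reaches the query, but a perfectly valid address such as o'neil@example.com already breaks the concatenated statement and sends the user to Error.aspx, while the parameterized insert stores it correctly. Once the pattern is relaxed, the same concatenation drops the table and the parameterized version simply stores the odd-looking string. Two further points a reviewer would check on the ASPX side: a RegularExpressionValidator only blocks the insert if the button handler tests Page.IsValid (the server-side validators set that flag; they do not stop the handler from running), and the other text boxes in the same INSERT need the same scrutiny as the e-mail field, since the question only shows a validator for that one.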

