This ASP.NET MVC 5 application demonstrates the SQL injection vulnerability in cases where the database is accessed through direct ADO.NET as well as through Entity Framework. The demo was designed to support my presentation on SQL injection at Industry Connect in May 2017.
- Set up your SQL Server, create a database named 'SQLInjectionDemo', and run the script in the `./DB/Setup.sql` file to create the table and demo data.
- Update your database info in the connection string in `Web.config`, and in the string variable in `HomeController.cs`, as shown below.
```xml
<connectionStrings>
  <!-- The inner double quotes around the password must be XML-escaped as &quot; inside the attribute value. -->
  <add name="SQLInjectionDemoEntities" connectionString="metadata=res://*/Models.SQLInjection.csdl|res://*/Models.SQLInjection.ssdl|res://*/Models.SQLInjection.msl;provider=System.Data.SqlClient;provider connection string='data source=<your sql server instance name>;initial catalog=SQLInjectionDemo;user id=<your user id>;password=&quot;<your password>&quot;;MultipleActiveResultSets=True;App=EntityFramework'" providerName="System.Data.EntityClient" />
</connectionStrings>
```
```csharp
string dbConnStr = "Data Source=<your sql server instance name>;Initial Catalog=SQLInjectionDemo;User ID=<your user id>;Password=<your password>";
```
Note: if you give your database a name other than 'SQLInjectionDemo', you also need to update it in the two strings shown above.
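The following is an added example, not code from the demo project, showing the two access paths the demo covers: the concatenated ADO.NET query that is injectable, its parameterized counterpart, and the equivalent parameterized raw query through Entity Framework 6's `Database.SqlQuery`. It assumes a hypothetical table `dbo.Products(Id INT, Name NVARCHAR(100))` and the `dbConnStr` variable from `HomeController.cs`.

```csharp
// Added example (not from the demo project). Assumes a hypothetical table
// dbo.Products(Id INT, Name NVARCHAR(100)) and the dbConnStr from HomeController.cs.
using System.Collections.Generic;
using System.Data;
using System.Data.Entity;
using System.Data.SqlClient;
using System.Linq;

public class Product { public int Id { get; set; } public string Name { get; set; } }

public class ProductSearch
{
    private readonly string _connStr;
    public ProductSearch(string connStr) { _connStr = connStr; }

    // VULNERABLE (ADO.NET): the user-supplied value is spliced into the SQL text,
    // so SQL Server cannot distinguish query structure from data.
    public List<string> SearchUnsafe(string name)
    {
        return Run("SELECT Name FROM dbo.Products WHERE Name = '" + name + "'", null);
    }

    // SAFE (ADO.NET): the SQL text is constant; the value is sent as a typed parameter.
    public List<string> SearchSafe(string name)
    {
        var p = new SqlParameter("@name", SqlDbType.NVarChar, 100) { Value = name };
        return Run("SELECT Name FROM dbo.Products WHERE Name = @name", p);
    }
    private List<string> Run(string sql, SqlParameter p)
    {
        var results = new List<string>();
        using (var conn = new SqlConnection(_connStr))
        using (var cmd = new SqlCommand(sql, conn))
        {
            if (p != null) cmd.Parameters.Add(p);
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read()) results.Add(reader.GetString(0));
        }
        return results;
    }

    // Entity Framework 6: raw SQL through Database.SqlQuery is just as injectable
    // when concatenated; passing the value as an argument binds it as @p0 instead.
    public List<Product> SearchEf(DbContext ctx, string name)
    {
        return ctx.Database.SqlQuery<Product>(
            "SELECT Id, Name FROM dbo.Products WHERE Name = @p0", name).ToList();
    }
}
```

Queries written through LINQ to Entities are parameterized by EF itself; the raw `SqlQuery` path is where string concatenation reintroduces the risk, which is why both paths appear in the demo.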