From the course: Security in ASP.NET Core

Fixing SQL injection

- [Instructor] You may be shocked, (chuckles) but yes indeed, our h+ board application is vulnerable to SQL injection. However, I had to work really hard to actually add that vulnerability to the code. There are different ways of showcasing that. Let me show you something relatively subtle and for that, I first create a second order. So how about some mineral water to get hydrated and remain hydrated? Okay, $5 and 60 cents. Fair enough. I sent the order. The order number is nine. Now if you go to our secret AdminOrders page, which you've seen before, you'll see now that we have two orders. Let's open the first order I did. Order number eight, with a total amount of $90 and that eight, that value eight, that's part of the URL and is then processed by the action method. However, the processing turns out to be not really good. The AdminOrder action method expects a string as an argument, which is a bit weird, since our IDs are integers. And then there's some really creative code, I'm…
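An added illustration of the defect class the instructor is pointing at (an order id that arrives as a string from the URL and is spliced into the query text) shown next to the parameterized form. This is example code written for this page, not the course's h+ board code; the controller name, the Orders table, its columns and the connection-string key are assumptions.

```csharp
// Example code, not from the course project. Assumes an Orders table with
// integer OrderId and decimal Total, and a connection string named "Shop".
using System.Data;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Data.SqlClient;
using Microsoft.Extensions.Configuration;

public class AdminOrdersController : Controller
{
    private readonly string _connectionString;

    public AdminOrdersController(IConfiguration config)
        => _connectionString = config.GetConnectionString("Shop")!;

    // Vulnerable shape: the route value is typed as a string and concatenated
    // into the SQL text, so whatever the caller puts in that URL segment is
    // executed as part of the statement, not treated as a number.
    public IActionResult AdminOrderVulnerable(string id)
    {
        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE OrderId = " + id, conn);
        conn.Open();
        using var reader = cmd.ExecuteReader();
        return reader.Read()
            ? Ok(new { Id = reader.GetInt32(0), Total = reader.GetDecimal(1) })
            : NotFound();
    }

    // Fixed shape: bind the id as an int (non-numeric input fails model
    // binding and is rejected here) and pass it as a typed parameter, so the
    // value can never alter the structure of the SQL statement.
    public IActionResult AdminOrder(int id)
    {
        if (!ModelState.IsValid) return BadRequest();

        using var conn = new SqlConnection(_connectionString);
        using var cmd = new SqlCommand(
            "SELECT OrderId, Total FROM Orders WHERE OrderId = @id", conn);
        cmd.Parameters.Add("@id", SqlDbType.Int).Value = id;
        conn.Open();
        using var reader = cmd.ExecuteReader();
        return reader.Read()
            ? Ok(new { Id = reader.GetInt32(0), Total = reader.GetDecimal(1) })
            : NotFound();
    }
}
```

The same rule applies when the data layer is EF Core: an interpolated `FromSqlInterpolated` call parameterizes the id, while building the string first and passing it to `FromSqlRaw` recreates the vulnerable shape.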
