Data Handling with a Shopping Cart/PayPal System - A further note on security
(Page 3 of 4)
Any point within your system where a user has the opportunity to enter data should be strictly checked to ensure that they have not entered anything that could be used for an unintended purpose. A common problem is SQL injection, where somebody enters SQL code into a field on the site and that text then gets spliced into the SQL statement you intended to run. So say for the quantity field you had:
"UPDATE tbl_basket SET quantity = " + quantity.Text + " WHERE user_id = " + user_id;
If the customer entered 6 into the "quantity" text box and their login id was 230 then the above would look like:
UPDATE tbl_basket SET quantity = 6 WHERE user_id = 230;
If instead the customer entered:
" 1 WHERE 1 = 1; DROP tbl_users; --"
then the original statement would now look like:
UPDATE tbl_basket SET quantity = 1 WHERE 1 = 1; DROP tbl_users; -- WHERE user_id = 230;
So they complete the original statement with "1 WHERE 1 = 1;" (which matches every row in the table, not just their own), then proceed to "DROP tbl_users;", which wouldn't be good, and finally comment out the remainder of the original statement with "--". This was just an extremely simple example. Use your favorite search engine and look up "SQL Injection" and "String Sanitization" to learn more about methods to defend your sites.
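The same quantity update written both ways, as an added example that is not from the original article: the concatenated form from above next to a version that validates the input and passes the values as typed parameters. It assumes SQL Server via System.Data.SqlClient and the tbl_basket table from the page; the connection string and the method names are placeholders.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example (not from the original article). Assumes SQL Server via
// System.Data.SqlClient and the tbl_basket table from the page; the
// connection string and the method names are placeholders.
public static class BasketData
{
    // Vulnerable form from the article: the user's text is pasted straight
    // into the SQL, so whatever they type becomes part of the statement.
    public static string BuildUnsafeUpdate(string quantityText, int userId)
    {
        return "UPDATE tbl_basket SET quantity = " + quantityText +
               " WHERE user_id = " + userId;
    }

    // Hardened form: validate the input type first, then send the values
    // as parameters so the database never treats them as SQL text.
    public static int UpdateBasketQuantity(string connectionString,
                                           string quantityText, int userId)
    {
        // A quantity must be a positive whole number; reject anything else
        // before it gets anywhere near the database.
        if (!int.TryParse(quantityText, out int quantity) || quantity < 1)
        {
            throw new ArgumentException("Quantity must be a positive whole number.");
        }

        const string sql =
            "UPDATE tbl_basket SET quantity = @quantity WHERE user_id = @userId";

        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Typed parameters: the values travel separately from the SQL text,
            // so there is no statement for "1 WHERE 1 = 1; ..." to splice into.
            command.Parameters.Add("@quantity", SqlDbType.Int).Value = quantity;
            command.Parameters.Add("@userId", SqlDbType.Int).Value = userId;

            connection.Open();
            return command.ExecuteNonQuery(); // rows affected; expect 1
        }
    }
}
```

With the parameterised version, the text from the article's second example fails int.TryParse and never reaches the database, and even a numeric value only ever changes the quantity column for the one user_id.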
More By Tann San