sql injection
joe


Joined: 14 Dec 2004
Posts: 4
Location: Newark, Delaware
One thing I've noticed is nobody seems to pay attention to SQL injection. This is a serious problem that occurs when you use forms and don't run sanity checks on the user's input. This could leave your customer database in the wrong hands! A simple test you could run would be to try inputting the character ' into your form that's processed by ASP. You can do this in a login field, or in a variable that's actually in the URL like http://www.domain.com/test.asp?id=12'. If you receive an error message back from the SQL server, you are most likely vulnerable. Take a look at this link http://www.sitepoint.com/article/sql-injection-attacks-safe.
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
Yes... and in ASP.NET there's a very easy way to get around that... Use Parameterized Queries/Updates.

Code:

' Requires: Imports System.Data.SqlClient
dim strSQL as string = "SELECT Field1, Field2 FROM Table1 WHERE FieldID=@FieldID"
dim C as New SQLCommand(strSQL, Conn)
With C.Parameters
  .Add(New SQLParameter("@FieldID", Request.QueryString("FieldID")))
End With
dim DR as SQLDataReader
Conn.Open()
Try
  DR = C.ExecuteReader()
  If DR.Read Then
    'Do Stuff
  End If
  DR.Close
Catch Exc as Exception
  'Error Handling
End Try
Conn.Close()


or...

Code:

dim strSQL as string = "UPDATE Table1 SET Field1=@Field1, Field2=@Field2 WHERE FieldID=@FieldID"
dim C as New SQLCommand(strSQL, Conn)
With C.Parameters
  .Add(New SQLParameter("@Field1", txtField1.Text))
  .Add(New SQLParameter("@Field2", txtField2.Text))
  ' parameter name must match the @FieldID placeholder in strSQL
  .Add(New SQLParameter("@FieldID", Request.QueryString("FieldID")))
End With
Conn.Open()
Try
  C.ExecuteNonQuery()
Catch Exc as Exception
  'Error Handling
End Try
Conn.Close()


or...

Code:

dim strSQL as string = "INSERT INTO Table1 (Field1, Field2) VALUES (@Field1, @Field2)"
dim C as New SQLCommand(strSQL, Conn)
With C.Parameters
  .Add(New SQLParameter("@Field1", txtField1.Text))
  .Add(New SQLParameter("@Field2", txtField2.Text))
End With
Conn.Open()
Try
  C.ExecuteNonQuery()
Catch Exc as Exception
  'Error Handling
End Try
Conn.Close()


and the same for DELETE even.

This works because SQL automatically delimits the fields as necessary, regardless of the input supplied. That right there stops the script kiddies cold.
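A runnable illustration of both joe's single-quote probe and Josh's parameterized lookup, added here as an editor's example and not code from either poster. It uses Python's built-in sqlite3 module in place of ASP and SqlClient, with a constructed in-memory Table1 (the table and column names borrow Josh's snippet; the rows are made up). sqlite3 writes the placeholder as ? where SqlClient writes @FieldID, but the principle is the same: the value is bound, never spliced into the SQL text.

```python
import sqlite3


def make_db():
    """Constructed sample data: an in-memory Table1 with three made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Table1 (FieldID INTEGER PRIMARY KEY, Field1 TEXT, Field2 TEXT)"
    )
    conn.executemany(
        "INSERT INTO Table1 (FieldID, Field1, Field2) VALUES (?, ?, ?)",
        [(12, "alice", "a-secret"), (13, "bob", "b-secret"), (14, "carol", "c-secret")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, field_id):
    """The classic ASP pattern: the request value is pasted into the SQL text.

    field_id is whatever arrived in the query string, so any quotes the
    caller sends become part of the statement.
    """
    sql = (
        "SELECT FieldID, Field1 FROM Table1 WHERE FieldID='"
        + field_id
        + "' ORDER BY FieldID"
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, field_id):
    """Josh's fix: the value travels as a bound parameter, never as SQL text.

    sqlite3 uses ? as the placeholder where SqlClient uses @FieldID.
    """
    sql = "SELECT FieldID, Field1 FROM Table1 WHERE FieldID=? ORDER BY FieldID"
    return conn.execute(sql, (field_id,)).fetchall()


def quote_probe_breaks_query(conn, lookup):
    """joe's test: send a lone ' and see whether the database complains.

    Returns True if the given lookup raised a database error (the symptom
    joe describes); the parameterized lookup simply finds nothing.
    """
    try:
        lookup(conn, "12'")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("probe errors, vulnerable:   ", quote_probe_breaks_query(db, lookup_vulnerable))
    print("probe errors, parameterized:", quote_probe_breaks_query(db, lookup_parameterized))
    print("normal id, vulnerable:      ", lookup_vulnerable(db, "12"))
    print("injected id, vulnerable:    ", lookup_vulnerable(db, "12' OR '1'='1"))
    print("injected id, parameterized: ", lookup_parameterized(db, "12' OR '1'='1"))
```

The concatenated query answers the probe with a syntax error and hands back every row for the classic ' OR '1'='1 payload; the parameterized query treats the same input as an opaque value and returns nothing. That difference, not any escaping the database does on its own, is what the parameter does for you.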
jamie
HostMySite Sales Rep

Joined: 19 Mar 2004
Posts: 766
Location: Newark, De
You can do something similar in CF with the CFParam? command I believe.
bobclingan
Forum Regular

Joined: 16 Sep 2004
Posts: 271
Location: Abingdon, MD
yes you are thinking of cfqueryparam
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
yup cfqueryparam

gawd, simpler too ;)
that looks like spagettiosssssssssssssssss
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
what looks like spaghettioooossssssssssssssssss?
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
~hey that's spaghetti regetti's sister!~ (what movie is that from?)

josh whats your addy?
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
email? josh@joshandbrandi.com
loftboy
Forum Regular

Joined: 24 Jun 2004
Posts: 1129
Location: Colorado
check mail