Reply to topic
SQL injection attacks
whitesites


Joined: 05 Jul 2004
Posts: 176
Location: Houston, TX
Post Posted: Mon Oct 22, 2007 7:09 pm Reply with quote
One of my sites was attacked with this. I have implimented some code to prevent this in the future. Even though I am pretty sure I am protected now, does anyone have an recommendations for what to look for? In case anyone wants to scan their logs for this Jackasses IP its 75.167.41.248. Geocodes to Phoenix Arizona.
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
Post Posted: Mon Oct 22, 2007 9:53 pm Reply with quote
Noticing that you seem to work in ASP.NET, use parameterized queries. This ALONE will save you COUNTLESS man hours of manual stripping, converting, etc.

I'm not saying that you should rely solely on Parameters, but I have used parameterized queries since the start and not only do they make my apps easier to read (which minimizes development and maintenance times) but they do a **** fine job of handling data and making sure it's given to the database correctly.

Code:
Using Conn As New MySqlConnection(Settings.MySqlConnectionString)
   Using Cmd As New MySqlCommand("SELECT this, that FROM table WHERE this=?this AND that=?that LIMIT 5", Conn)
      With Cmd.Parameters
         .Add(New MySqlParameter("?this",Request.QueryString("This")))
         .Add(New MySqlParameter("?that",txtTextbox.Text))
      End With
      Conn.Open()
      Using DR As MySqlDataReader = Cmd.ExecuteReader()
         If DR.Read() Then
            output = DR(0) & " " & DR(1)
         End If
      End Using
   End Using
End Using


And of course the MS SQL Equivilent...

Code:
Using Conn As New SqlConnection(Settings.SqlConnectionString)
   Using Cmd As New SqlCommand("SELECT TOP 5 this, that FROM table WHERE this=@this AND that=@that", Conn)
      With Cmd.Parameters
         .Add(New SqlParameter("@this",Request.QueryString("This")))
         .Add(New SqlParameter("@that",txtTextbox.Text))
      End With
      Conn.Open()
      Using DR As SqlDataReader = Cmd.ExecuteReader()
         If DR.Read() Then
            output = DR(0) & " " & DR(1)
         End If
      End Using
   End Using
End Using


More about Parameterized Queries...

http://aspnet101.com/aspnet101/tutorials.aspx?id=1

PS... these aren't just for selects/queries... they're for anywhere you need to pass info from the app server to the db server. Updates/deletes/inserts should all utilize parameterized queries/commands.


Last edited by Josh on Mon Oct 22, 2007 10:57 pm; edited 1 time in total
whitesites


Joined: 05 Jul 2004
Posts: 176
Location: Houston, TX
Post Posted: Mon Oct 22, 2007 10:14 pm Reply with quote
That is very interesting way to doing it, and I can see how that would prevent most SQL injection attacks. Only problem is I use alot of helper functions, and that would be alot of coding to integrate. I will keep it in mind for future sites though. Thanks
Josh
Forum Regular

Joined: 01 Apr 2004
Posts: 1029
Location: Felton, Delaware
Post Posted: Mon Oct 22, 2007 10:18 pm Reply with quote
Mind you that you don't need to use the USING blocks, either (You seem perty smart, but some people get all confused by me doing things alittle differently than most). It's just the query/command structure and the use of adding the parameters to the command object that's important.

Like I said, I think you know this, but I'll put it here as it may prove valuable to somebody else.
SQL injection attacks
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
 		All times are GMT  
Page 1 of 1  
  
  
 Reply to topic