
SQL Injection

Status
Not open for further replies.

carranz

Technical User
Nov 17, 2006
40
US
I have been looking into SQL Injection. I have found a few things on the web.

But I am having difficulty with how it works or how you check to see if you're vulnerable.

I have a login page with two textboxes and a command button.
Username and password are input and the button is clicked.

How can I check to see for SQL injection vulnerability?
 

post a link to your website and we'll tell you :)

A smile is worth a thousand kind words. So smile, it's easy! :)
 
Couple easy questions:

Are you building your SQL statements inline?
[Do you build your SQL strings in ASP and then execute or open the string, concatenating in variables that were posted]

Are you replacing single quotes in any posted values with two single quotes before adding them to your SQL string?
[sql = "SELECT * FROM MyTable WHERE MyField = '" & Replace(Request.Form("test"),"'","''") & "'"]

In the event that a value is supposed to be numeric, are you verifying that it is a number before concatenating it to your SQL string?
[i.e., values that you're adding without quotes around them]

If the answer to the first question is yes and the answer to the second or third question is yes, then you have SQL Injection vulnerabilities.

--

Most people would suggest using Stored Procedures and Parameters and such to be truly secure. My preference is definitely to use Stored Procedures (for completely different reasons) but not every "database" has the ability. Here are the rules I follow to make my queries safe:

1) Everything from the user gets verified. I don't go any farther until I have verified that every input I get from the user (even hidden ones) has what I am expecting. This means IsNumeric checks on supposed number fields, IsDate checks on date fields, length checks on strings, etc.

2) Strings get escaped, replacing single quotes with two single quotes.

3) Errors are captured. You can have a perfectly safe SQL Injection-proof site, but if someone spoofs an insertion form and puts 500 characters in a field that is only expecting 20, an error is going to occur. And that error will generally outline critical information about your system (like the fact that you're using an Access DB and here is where to find it).


Best MS KB Ever:
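To put the checks from the two replies above side by side, here is an added example that is not from this thread and is not ASP: it uses Python with an in-memory sqlite3 database standing in for the classic ASP and Access setup, and the Users table, its rows and all function names are constructed for the demonstration. It builds the same login WHERE clause three ways (raw concatenation, with the Replace-style quote doubling, and with bound parameters), applies an IsNumeric-style check before concatenating an unquoted value, and captures the driver error the way rule 3 calls for. The apostrophe self-test answers the original question from the defender's side: a legitimate value containing a single quote must run cleanly, and a SQL error on it is the sign that input is being spliced in unescaped.

```python
import sqlite3

# Server-side record of captured driver errors (rule 3): what gets logged,
# not what gets sent back to the browser.
ERROR_LOG = []


def make_db():
    """Constructed sample data standing in for the page's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Id INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)",
                     [(1, "alice", "s3cret"), (2, "o'brien", "pass")])
    conn.commit()
    return conn


def escape_quotes(value):
    """Same transformation as Replace(value, "'", "''") in the ASP reply."""
    return value.replace("'", "''")


def build_inline_unsafe(username, password):
    """Question 1 in the reply: posted values concatenated straight into SQL."""
    return ("SELECT Id FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def build_inline_escaped(username, password):
    """Question 2 / rule 2: same query, single quotes doubled first."""
    return ("SELECT Id FROM Users WHERE Username = '" + escape_quotes(username)
            + "' AND Password = '" + escape_quotes(password) + "'")


def build_numeric_query(user_id):
    """Question 3 / rule 1: an unquoted value is verified numeric before it
    is concatenated. Returns None instead of a statement when the check fails.
    str.isdigit is a stand-in for VBScript's IsNumeric (integers only here)."""
    cleaned = user_id.strip()
    if not cleaned.isdigit():
        return None
    return "SELECT Username FROM Users WHERE Id = " + cleaned


def run_login(conn, sql):
    """Execute a built statement and capture driver errors (rule 3).
    Returns ("ok", rows) or ("error", generic message); the detailed error
    text goes to ERROR_LOG instead of the response."""
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        ERROR_LOG.append(str(exc))
        return "error", "Login failed"


def run_parameterized(conn, username, password):
    """The approach the thread calls truly secure: values are bound by the
    driver, never spliced into the statement text."""
    return conn.execute(
        "SELECT Id FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchall()


def apostrophe_check(conn, builder):
    """Defender's self-test: a genuine value with an apostrophe must execute
    without a SQL error. False means the builder splices unescaped input."""
    status, _ = run_login(conn, builder("o'brien", "pass"))
    return status == "ok"


if __name__ == "__main__":
    db = make_db()
    print("inline, unescaped:", apostrophe_check(db, build_inline_unsafe))   # False
    print("inline, escaped  :", apostrophe_check(db, build_inline_escaped))  # True
    print("parameterized    :", run_parameterized(db, "o'brien", "pass"))
    print("numeric check    :", build_numeric_query("abc"), build_numeric_query("2"))
    print("captured errors  :", ERROR_LOG)
```

Running the module shows the unescaped builder failing the apostrophe test while the escaped and parameterized forms both find the user; the driver's error text for the failed statement ends up in ERROR_LOG rather than in the response, which is the behaviour rule 3 asks for.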
 