(Evertjan)
7/30/2008 6:50:00 AM
Bob Barrows [MVP] wrote on 30 Jul 2008 in
microsoft.public.inetserver.asp.db:
> Sylvain Lafontaine wrote:
>> As others have said, if you take a look with the SQL Server Profiler,
>> you will see that ADO uses parameterized queries to execute these
>> commands.
>> Practically, the only way that you can be hurt by a SQL injection
>> attack is when you are dynamically building your own SQL strings. For
>> alphanumeric string values - that are to be enclosed between
>> single quotes - all you have to do is to replace any enclosed single
>> quote with two single quotes by using the Replace command. Very easy
>> to do. Of course, if you are using double quotes as the string
>> delimiter, then those are the ones that you must double using the
>> Replace command.
>
> This is not enough. There are several documented techniques for
> hackers to use to get around this simplistic strategy. SQL can be
> injected without a single quote character involved. In fact, the
> recent worm attack that hit so many websites in the last month used
> one of those techniques. If parameters are possible, forget attempting
> to escape strings: use parameters. If dynamic SQL is necessary,
> validate data against a list of acceptable entries, rather than
> attempting to outthink the bad guys.
As first "line" of defence,
let us all change the probably still common:
sql = "... WHERE id = " & request.querystring("id")
to
sql = "... WHERE id = " & CInt(request.querystring("id"))
or even better, since it will not show the SQL in the error line, if an
error line is still shown:
temp = CInt(request.querystring("id"))
sql = "... WHERE id = " & temp
and search our ancient, but still in use, pages for those instances.
--
Evertjan.
The Netherlands.
(Please change the x'es to dots in my email address)
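As an added example, not part of Evertjan's post or of anyone else's in this thread: the three approaches from the exchange above (raw string concatenation, an integer cast in the spirit of CInt, and a parameterized query) written in Python against an in-memory SQLite table, so it runs anywhere without IIS or SQL Server. The table, its rows and the helper names are constructed here for illustration. It also shows why quote-doubling alone does not stop injection into a numeric comparison, which is Bob's point, and the fixed-list validation he recommends for the parts of a statement that cannot be parameters.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the original thread).
ROWS = [(1, "alice", "public"), (2, "bob", "public"), (3, "carol", "secret")]


def make_db():
    """Build an in-memory SQLite database with one small table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE docs (id INTEGER PRIMARY KEY, owner TEXT, visibility TEXT)"
    )
    conn.executemany("INSERT INTO docs VALUES (?, ?, ?)", ROWS)
    return conn


def quote_doubled(value):
    """The quote-doubling defence from the thread. It only helps when the
    value is going to sit between single-quote delimiters."""
    return value.replace("'", "''")


def lookup_concat(conn, raw_id):
    """Vulnerable: the numeric value is spliced straight into the SQL text, the
    equivalent of  sql = "... WHERE id = " & request.querystring("id").
    Doubling quotes changes nothing because no quote delimiters are involved,
    so an input such as "1 OR 1=1" rewrites the WHERE clause."""
    sql = "SELECT id, owner FROM docs WHERE id = " + quote_doubled(raw_id)
    return conn.execute(sql).fetchall()


def lookup_cint(conn, raw_id):
    """Evertjan's first line of defence: coerce the value to an integer before it
    touches the SQL string. int() raises ValueError on anything that is not an
    integer literal, the analogue of CInt() raising a type mismatch. (Caveat:
    Python's int() is stricter than CInt, which also accepts and rounds values
    such as "3.7"; the security property is the same, only digits survive.)"""
    n = int(raw_id)
    sql = "SELECT id, owner FROM docs WHERE id = " + str(n)
    return conn.execute(sql).fetchall()


def lookup_param(conn, raw_id):
    """Preferred: a parameterized query. The driver hands the value to the
    engine separately from the statement text, so it can never become SQL."""
    return conn.execute(
        "SELECT id, owner FROM docs WHERE id = ?", (raw_id,)
    ).fetchall()


# Parts of a statement that cannot be bound as parameters (identifiers, ORDER BY
# targets) are validated against a fixed list of acceptable entries instead.
ALLOWED_SORT_COLUMNS = ("id", "owner")


def list_sorted(conn, column):
    """Dynamic SQL done the way Bob suggests: accept only known-good identifiers,
    never try to escape an attacker-controlled one."""
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("column not allowed: %r" % (column,))
    return conn.execute("SELECT id FROM docs ORDER BY %s" % column).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "1 OR 1=1"          # no single quote anywhere in the payload
    print("concatenated:", lookup_concat(db, payload))   # leaks every row
    print("parameterized:", lookup_param(db, payload))   # matches nothing
    try:
        lookup_cint(db, payload)
    except ValueError as exc:
        print("int() rejected the payload:", exc)
    print("sorted by owner:", list_sorted(db, "owner"))
```

Running the module shows the concatenated query returning all three rows for a payload that contains no quote character at all, while the integer cast rejects it before any SQL is built and the parameterized version simply finds no match.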