Validate Your Input!


russell
02-15-2005, 06:08 PM
If you connect to a database with your server-side scripts, the most important task you have to do is to validate the input before sending it to your database. We see things like this over and over again:

sql = "SELECT someFields " &_
"FROM myTable " &_
"WHERE user = '" & Request("user") & "' " &_
"ORDER BY someField"

This is just begging for trouble. Your site is a sitting duck for SQL Injection attacks, whereby users will purposely input invalid data in an attempt to hack in. If you aren't checking the inputs before sending them to the database, eventually someone's coming in.

A better way to write the above query is something like this:

Dim user
user = Trim(Request("user"))
user = Replace(user, "'", "''")

If len(user) < 1 Then
Response.Write "Please Enter your user name"
Exit Sub
End If

sql = "SELECT someFields " &_
"FROM myTable " &_
"WHERE user = '" & user & "' " &_
"ORDER BY someField"

If you are using MS SQL Server, use stored procedures, learn the Command Object (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ado270/htm/mdobjcommand.asp) syntax, and abandon all other methods to access the database from applications wherever possible.

The problem with the original query is that one can purposely enter some bad things:
z'; delete from myTable--
z' union select name, dbid from master..sysdatabases--

It doesn't matter what database you use, nor what scripting language you use. If you don't properly validate input server-side, you're asking for trouble. Things to check for:
- if you expect a number, make sure it IS one
- if you expect a string, check that it is greater than zero length; if you know how long it should be, make sure it is that long
- escape single quotes in string input by doubling them up.

Remember to validate all input: this means Post, Get and Cookie input. Even if it is a hidden form element, validate it. A hacker won't use his web browser (for long) to get in, he's going to write a script to post garbage at ya, and see if he can crack in.

I won't go into more detail as there are some good references, and of course a quick search on your favorite SE will pull up more.

http://www.nextgenss.com/papers/advanced_sql_injection.pdf (PDF)

http://66.102.7.104/search?q=cache:eVjQBqzJKdIJ:www.nextgenss.com/papers/advanced_sql_injection.pdf+sql+injection&hl=en (HTML of above)

http://www.securiteam.com/securityreviews/5DP0N1P76E.html

http://www.unixwiz.net/techtips/sql-injection.html

boy that would be cool if AB would stick-*** this for a while... ;)
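An added example, not code from the thread: the three query shapes from the post (raw concatenation, quote doubling, and a parameterised query in place of the Command object) built in Python against an in-memory SQLite table so each can be run. The table and column names come from the post; the rows, the function names and the UNION payload (SQLite's `sqlite_master` stands in for `master..sysdatabases`) are constructed for this example. It also covers the numeric case from the checklist above, which the quote-doubling fix on its own does not handle.

```python
import re
import sqlite3


# Constructed sample table for the demonstration. The table and column names
# (myTable, user) follow the post above; the rows are made up.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE myTable (id INTEGER, user TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO myTable VALUES (?, ?, ?)",
        [(1, "alice", "alice@example.com"),
         (2, "bob", "bob@example.com"),
         (3, "o'reilly", "tim@example.com")],
    )
    return con


def lookup_unsafe(con, user):
    """The pattern the post warns about: the request value is glued into the SQL."""
    sql = ("SELECT id, user, email FROM myTable "
           "WHERE user = '" + user + "' ORDER BY user")
    return con.execute(sql).fetchall()


def escape_quotes(s):
    """The post's fix for string input: double every single quote."""
    return s.replace("'", "''")


def lookup_escaped(con, user):
    """Trim, reject empty input, double the quotes, then build the SQL as before."""
    user = escape_quotes(user.strip())
    if len(user) < 1:
        raise ValueError("Please enter your user name")
    sql = ("SELECT id, user, email FROM myTable "
           "WHERE user = '" + user + "' ORDER BY user")
    return con.execute(sql).fetchall()


def lookup_param(con, user):
    """What the Command-object advice amounts to: the driver sends the value
    separately from the SQL text, so nothing in it can change the query."""
    return con.execute(
        "SELECT id, user, email FROM myTable WHERE user = ? ORDER BY user",
        (user,),
    ).fetchall()


def is_number(text):
    """'If you expect a number, make sure it IS one': digits only, bounded length."""
    return re.fullmatch(r"[0-9]{1,9}", text.strip()) is not None


def lookup_by_id_unsafe(con, id_text):
    """A numeric column is compared without quotes, so doubling quotes changes
    nothing here: the attacker never needs a quote character."""
    sql = "SELECT id, user, email FROM myTable WHERE id = " + escape_quotes(id_text)
    return con.execute(sql).fetchall()


def lookup_by_id_checked(con, id_text):
    """Type-check first, then bind the integer as a parameter."""
    if not is_number(id_text):
        raise ValueError("id must be a positive integer")
    return con.execute(
        "SELECT id, user, email FROM myTable WHERE id = ?", (int(id_text),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Payloads in the spirit of the post: break out of the literal, or UNION in
    # the schema (sqlite_master here, master..sysdatabases on SQL Server).
    print(lookup_unsafe(db, "z' OR '1'='1"))                      # every row
    print(lookup_unsafe(db, "z' UNION SELECT 0, name, sql FROM sqlite_master--"))
    print(lookup_escaped(db, "z' OR '1'='1"))                     # []
    print(lookup_escaped(db, "o'reilly"))                         # the one real match
    print(lookup_param(db, "z' OR '1'='1"))                       # []
    print(lookup_by_id_unsafe(db, "1 OR 1=1"))                    # every row again
    print(lookup_by_id_checked(db, "2"))
```

The last two calls are the point of the numeric rule: `1 OR 1=1` contains no quote, so `escape_quotes` leaves it alone and the unquoted comparison returns the whole table, while the checked version rejects it before any SQL is built.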

hazee
05-28-2005, 05:19 PM
This is some good stuff for beginners.... Keep it up :)

HostBreak
06-23-2005, 06:47 PM
Many thanks from me GOOD JOB!

amitasp
09-04-2005, 08:11 AM
Give me some database connectivity ASP code which may connect to MS Access or Oracle.

JoeyD
10-21-2005, 02:30 PM
This is exactly what I've been looking for. Thank you :D

ozpo1
12-28-2005, 11:40 AM
useful information!

kryptonboy22
03-27-2006, 07:53 PM
Nice! I'm doing it without knowing the importance. Keep it up!

orionbrock32
04-05-2006, 03:34 PM
It doesn't matter what database you use, nor what scripting language you use. If you don't properly validate input server-side, you're asking for trouble. Things to check for:
- if you expect a number, make sure it IS one
- if you expect a string, check that it is greater than zero length; if you know how long it should be, make sure it is that long
- escape single quotes in string input by doubling them up.


When you say escape single quotes in input by doubling them up can you explain that for me.

i am storing a textbox in a variable then use the insert value of
'" & variable & "'
how can i avoid the db error if someone enters something like o'reilly's?

russell
04-17-2006, 02:45 PM
how can i avoid the db error if someone enters something like o'reilly's?

Change it to o''reilly''s.

notice that is two single quotes ' becomes ''

<Eddie>
05-07-2006, 06:13 AM
A particular and very common oversight is login scripts that aren't sanitised.

Checkout the basic example below:


Dim strUser
Dim strPass
Dim strLogin
strUser = Request.Form("usr")
strPass = Request.Form("pass")
' vulnerable on purpose: both values go straight into the SQL text
strLogin = "SELECT * FROM tblUsers WHERE usr=" & strUser & " AND pass=" & strPass
From this point it is common to then query the database and check the recordset for a result. If you get a result then it must be OK so let's proceed. If this sounds familiar, then think again. It's dangerous and SQL injections are the reason why.

If I pass:


Usr: ' OR 1 = 1
Pass: ' OR 1 = 1
to the ASP above then the SQL will produce a result when queried. Hey Presto! I'm in and I haven't got a password.

SQL produced:


SELECT * FROM tblUsers WHERE usr='' OR 1=1 AND pass='' OR 1=1
The rule is, as stated above, strip quotes from login scripts and always read the database results, don't rely on the fact the recordset object produces a result.

Another point is some databases allow concurrent queries which are separated by a semicolon so another dangerous injection would be:


Usr: ';DROP TABLE tblUsers;
This doesn't always have to affect the database as never-ending JavaScript alert box loops can also be injected. Harmless when stored but a browser crasher when rendered.


<script type="text/javascript">
var i;i=1;while(i>0){alert("Stoopid")}i++;
</script>
There are literally hundreds of ways of injecting code into databases for malicious purposes so always screen the users input.
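An added example, not part of Eddie's post: the login query concatenated exactly as the ASP above does it, run against an in-memory SQLite table, plus the semicolon payload against a driver that executes stacked statements. The table and column names are the post's; the credential row, the function names and the `executescript()` stand-in for such a driver are assumptions of this example. Because the ASP does not put quotes around the values, the string it actually builds for the `' OR 1 = 1` inputs is `usr=' OR 1 = 1 AND pass=' OR 1 = 1`; that is run, and so is the quoted SQL shown in the post, to show the AND/OR precedence.

```python
import sqlite3


# Constructed users table for the demonstration; tblUsers/usr/pass are the names
# from the post above, the single credential row is made up.
def make_users():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tblUsers (usr TEXT, pass TEXT)")
    con.execute("INSERT INTO tblUsers VALUES ('admin', 's3cret')")
    return con


def login_sql_as_posted(usr, pw):
    """The concatenation exactly as in the post: no quotes around either value.
    (With ordinary input this form does not even parse: usr=admin is read as a
    column name. The payload below supplies the quotes itself.)"""
    return "SELECT * FROM tblUsers WHERE usr=" + usr + " AND pass=" + pw


def login_sql_quoted(usr, pw):
    """The usual form with quoted literals, as in the first post of the thread."""
    return "SELECT * FROM tblUsers WHERE usr='" + usr + "' AND pass='" + pw + "'"


def run_unsafe(con, sql):
    """Run a concatenated query and return whatever rows it matches."""
    return con.execute(sql).fetchall()


def login_param(con, usr, pw):
    """Bound parameters: the quotes and keywords in the input are plain data."""
    return con.execute(
        "SELECT usr, pass FROM tblUsers WHERE usr=? AND pass=?", (usr, pw)
    ).fetchall()


def login_checked(con, usr, pw):
    """The post's other rule: read the result instead of trusting that there is
    one. Accept only if exactly one row came back and it is the user asked for."""
    rows = login_param(con, usr, pw)
    return len(rows) == 1 and rows[0][0] == usr


def table_exists(con, name):
    row = con.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row[0] == 1


def stacked_query_demo(usr):
    """The semicolon payload against a driver that executes every statement it
    is handed. sqlite3's execute() refuses a second statement, so executescript()
    stands in for such a driver here. Returns True if tblUsers survived."""
    con = make_users()
    try:
        con.executescript(login_sql_quoted(usr, "x"))
    except sqlite3.OperationalError:
        # The leftover fragment  ' AND pass='x'  is a syntax error, but the
        # SELECT and the DROP TABLE before it have already run and committed.
        pass
    return table_exists(con, "tblUsers")


if __name__ == "__main__":
    db = make_users()
    payload = "' OR 1 = 1"
    sql = login_sql_as_posted(payload, payload)
    print(sql)
    # usr=' OR 1 = 1 AND pass=' OR 1 = 1
    # The first quote opens a string literal that runs to the second quote, so
    # the WHERE clause is   usr='...' OR 1 = 1   and every row qualifies.
    print(run_unsafe(db, sql))                          # [('admin', 's3cret')]
    # The SQL quoted in the post, evaluated as written: AND binds tighter than
    # OR, so the trailing OR 1=1 alone makes the whole condition true.
    print(run_unsafe(db, "SELECT * FROM tblUsers WHERE usr='' OR 1=1 AND pass='' OR 1=1"))
    print(login_param(db, payload, payload))            # []
    print(login_checked(db, "admin", "s3cret"))         # True
    print(stacked_query_demo("';DROP TABLE tblUsers;")) # False: the table is gone
```

The stacked-query case is worth running once: the application does get an error back (the trailing fragment never parses), but the `DROP TABLE` in the middle has already executed, so an error page is not evidence that nothing happened.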

sleven
07-22-2006, 06:13 AM
boy that would be cool if AB would stick-*** this for a while...
-------------
why so many '&_' ?

YongHee
08-04-2006, 01:47 AM
Change it to o''reilly''s.

notice that is two single quotes ' becomes ''




===================================

You can use Replace Function

For example

ex) Dim user_name : user_name = Request("user_name")

user_name = Replace(user_name, "'", "''")

YongHee
08-04-2006, 02:18 AM
usually we use include file for validation function or user function.


Function.asp

Function fncReplaceDBString(vPstring)

Dim vUtmp : vUtmp = Trim(vPstring)


If Len(vUtmp) > 0 Then

' SQL: double single quotes so they stay inside the literal
vUtmp = Replace(vUtmp, "'", "''")
' HTML: encode & first, otherwise the &lt; and &gt; below would become &amp;lt; / &amp;gt;
vUtmp = Replace(vUtmp, "&", "&amp;")
vUtmp = Replace(vUtmp, "<", "&lt;")
vUtmp = Replace(vUtmp, ">", "&gt;")
vUtmp = Replace(vUtmp, Chr(34), "&quot;")
vUtmp = Replace(vUtmp, Chr(37), "&#37;")
' (the doubled quotes from above end up as &#39;&#39; here)
vUtmp = Replace(vUtmp, Chr(39), "&#39;")
vUtmp = Replace(vUtmp, Chr(64), "&#64;")
vUtmp = Replace(vUtmp, Chr(96), "&#96;")
vUtmp = Replace(vUtmp, Chr(13) & Chr(10), "<br>")

End If

fncReplaceDBString = vUtmp

End Function

==================
test.asp

Dim user_name : user_name = fncReplaceDBString(Request("user_name"))

Ubik
09-05-2006, 10:48 AM
Dunno why this hasn't been said, but if you are lazy like me, you can still dump raw user input into the db using:

server.URLencode(trim(request.form("rawdata")))

as far as I can tell, you cannot SQL Inject that in any way.

Can YOU think of a way to inject SQL hacks into that?


Usr: ' OR 1 = 1 becomes:
INSERT INTO TABLE (COLUMN) VALUES ('usr%3a+%27+or+1+%3d+1');

Usr: ';DROP TABLE tblUsers; becomes:
SELECT TABLE.COLUMN WHERE USERNAME='usr%3a+%27%3bdrop+table+tblusers%3b';

russell
09-05-2006, 12:32 PM
don't rely on that. it can still be hacked. easily.

Ubik
09-05-2006, 02:39 PM
How can this be hacked?

mrizwan
11-03-2006, 06:11 PM
===================================

You can use Replace Function

For example

ex) Dim user_name : user_name = Request("user_name")

user_name = Replace(user_name, "'", "''")
Yeah .. this is easiest fix.

--
Riz
www.PDFonFLY.com - generate free pdf online

so_is_this
11-03-2006, 08:03 PM
Dunno why this hasn't been said, but if you are lazy like me, you can still dump raw user input into the db using:

server.URLencode(trim(request.form("rawdata")))

as far as I can tell, you cannot SQL Inject that in any way.

Can YOU think of a way to inject SQL hacks into that?
don't rely on that. it can still be hacked. easily.
How can this be hacked?
No answer, Russell?

russell
12-12-2006, 08:42 PM
think "buffer overflow" and "site traversal." remember, a hacker isn't going to use a web browser. he/she'll post garbage at your server via a script or compiled program.

also, why purposely allow errors (which can give the user too much information), instead of preventing 'em?

it will stop the newbies though.

sorry i never noticed this thread being updated for a while. dang, and i even asked AB to make it a sticky!...

aspdevelopment
05-31-2009, 09:07 AM
you'll never be 100% safe from injection hacks although the more you do the better.

russell
06-25-2009, 01:28 PM
sure you will. if you use proper coding practices -- validate all input for data type and length...and in many cases, origin.